(Cross-posted with r/CMMC.)
Hi, folks. Looking for some advice.
Assume that the strategy for protecting CUI at rest on laptops is Bitlocker (FIPS compliant of course).
Would an auditor inquire or care as to whether the WDE password is:
- present (exists)?
- allowed to be a default vs. required to be individualized by the user per policy?
- verified to have been changed from default (via monitoring/reporting)?
If the last applies, that is, if an auditor is going to ask "How do you KNOW that users aren't using the default Bitlocker password?", do you have a solution for that?
TIA
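One way to produce the kind of evidence the last question is about, as an added example that is not part of the original post: inventory each volume's BitLocker key protectors and flag volumes that are unprotected or rely on the TPM alone. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume) and elevated rights; note that it can show whether a PIN or password protector is configured, but the PIN value itself is never readable, so "changed from a default" has to be enforced by policy rather than observed.

```powershell
# Added example: per-volume BitLocker protector inventory for audit reporting.
# Assumes the built-in BitLocker module and an elevated session; run it through
# your RMM/Intune/GPO scripting channel and collect the CSV centrally.
# The PIN/password value is not retrievable, so this reports presence/type only.

$pinOrPassword = @('TpmPin', 'TpmPinStartupKey', 'Password')

$report = foreach ($vol in Get-BitLockerVolume) {
    # KeyProtectorType is an enum; normalise to strings for comparison
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # On / Off
        EncryptionMethod = $vol.EncryptionMethod      # e.g. XtsAes256
        Protectors       = ($types -join ',')
        HasPinOrPassword = [bool]($types | Where-Object { $_ -in $pinOrPassword })
        # TPM-only means pre-boot auth is just the TPM: no user PIN at all
        TpmOnly          = ($types -contains 'Tpm') -and
                           -not [bool]($types | Where-Object { $_ -in $pinOrPassword })
        RecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

$report | Format-Table -AutoSize

# Findings an auditor would ask about: unprotected volumes or TPM-only volumes
$report |
    Where-Object { $_.ProtectionStatus -ne 'On' -or $_.TpmOnly } |
    Export-Csv -Path "$env:ProgramData\BitLockerAudit-$env:COMPUTERNAME.csv" -NoTypeInformation
```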