Password requirements for 800-171 3.13.8?

old.reddit.com / @/u/ice-ninecicle, https://old.reddit.com/user/ice-ninecicle

(Cross-posted with r/NISTControls.)

Hi, folks. Looking for some advice.

Assume that the strategy for protecting CUI at rest on laptops is Bitlocker (FIPS compliant of course).

Would an auditor inquire or care as to whether the WDE password is:

  • present (exists)?
  • allowed to be a default vs. required to be individualized by the user per policy?
  • verified to have been changed from default (via monitoring/reporting)?

If the last applies--that is, if an auditor is going to ask "How do you KNOW that users aren't using the default Bitlocker password?", do you have a solution for that?

TIA

submitted by /u/ice-ninecicle
[link] [comments]

published 9 days ago




See all items from the same source