Isnt 2.B Minimum Password Strength in conflict with NIST SP 800-63B recommendation of 8 characters? Also mainframes like z/OS have a maximum password length of 8, I would think CISA would have included passphrase with password since z/OS can use up to 100 characters with passphrase.