This MARADMIN has been cancelled
Superseded by MARADMIN 155/06
Marine Corps Enterprise Network (MCEN) Password Management Policy
This MARADMIN establishes Marine Corps-wide password management policies and procedures for all government-owned or funded automated information systems. Effective immediately, all USMC personnel must comply with new password requirements including minimum 8-character passwords using three of four character sets, 90-day password changes, and prohibition of password sharing. Commanders are directed to implement this policy without delay and incorporate it into information system security training.
Issued: March 3, 2003
1. PURPOSE. THE PURPOSE OF THIS MARADMIN IS TO ESTABLISH MARINE CORPS WIDE PASSWORD MANAGEMENT POLICIES AND PROCEDURES.
2. BACKGROUND. INFORMATION ASSURANCE (IA) FOR DOD INFORMATION SYSTEMS AND NETWORKS REQUIRES A DEFENSE-IN-DEPTH STRATEGY THAT INTEGRATES THE CAPABILITIES OF PEOPLE, OPERATIONS, AND TECHNOLOGY. THE GOAL IS TO ESTABLISH MULTILAYER AND MULTIDIMENSIONAL PROTECTION TO ENSURE SURVIVABILITY AND MISSION ACCOMPLISHMENT (REF A). WITHIN THIS STRATEGY, OUR END USERS ARE THE FIRST LINE OF DEFENSE AND MUST BE EQUIPPED WITH THE KNOWLEDGE AND AWARENESS THAT EVEN THEIR SMALLEST CONTRIBUTION (IN THIS CASE, PASSWORD MANAGEMENT) COULD MEAN THE DIFFERENCE BETWEEN A SECURE OR COMPROMISED INFORMATION SYSTEM.
3. SCOPE. THIS POLICY APPLIES TO ALL GOVERNMENT OWNED OR FUNDED AUTOMATED INFORMATION SYSTEMS (AIS) TO INCLUDE COMPUTER HARDWARE, SOFTWARE, PERIPHERALS, AND NETWORK CONNECTIVITY OWNED, OPERATED, OR UTILIZED BY USMC PERSONNEL.
4. POLICY. EFFECTIVE IMMEDIATELY:
A. PASSWORDS MUST CONTAIN AT LEAST EIGHT CHARACTERS USING THREE OF THE FOUR FOLLOWING CHARACTER SETS: UPPER-CASE LETTERS, LOWER-CASE LETTERS, NUMBERS, AND SPECIAL CHARACTERS. PASSWORDS MUST NOT BE COMMON DICTIONARY WORDS OR NAMES, BIRTHDAYS, PHONE NUMBERS, OR THE USER IDENTIFICATION (USERID).
B. PASSWORDS MUST BE CHANGED OR INVALIDATED AT LEAST EVERY 90 DAYS FOR BOTH CLASSIFIED SYSTEMS (SIPRNET) AND CONTROLLED-BUT-UNCLASSIFIED SYSTEMS (NIPRNET). USMC ORGANIZATIONS ARE AUTHORIZED TO ELECT SHORTER PERIODS BASED ON AN ELEVATED SECURITY POSTURE OR OPERATIONAL NECESSITY.
C. AIS'S WILL BE CONFIGURED TO NOT ALLOW USERS TO REUSE A PASSWORD FOR 10 CYCLES.
D. THE MINIMUM PASSWORD AGE WILL BE 7 DAYS. ONCE A PASSWORD IS SET, A USER WILL NOT BE ABLE TO CHANGE THE PASSWORD FOR 7 DAYS. THIS WILL PREVENT A USER FROM CYCLING THROUGH PASSWORDS UNTIL THEY SELECT THE ONE THEY HAVE ALWAYS USED.
E. PASSWORDS WILL BE CLASSIFIED AT THE HIGHEST LEVEL OF INFORMATION PROCESSED ON THAT SYSTEM.
F. PASSWORD SHARING IS PROHIBITED.
G. VENDOR-SELECTED DEFAULT PASSWORDS MUST BE CHANGED DURING OR IMMEDIATELY AFTER SYSTEM INSTALLATION. NULL OR BLANK PASSWORDS ARE NOT AUTHORIZED UNDER ANY CIRCUMSTANCES.
H. SYSTEMS WILL BE RECHECKED PERIODICALLY TO CONFIRM UPGRADES/PATCHES HAVE NOT REINSTALLED FACTORY PASSWORD DEFAULTS OR OTHER TYPES OF BACKDOORS.
I. SEPARATE USER AND NETWORK ADMINISTRATOR ACCOUNTS/PASSWORDS MUST BE USED.
J. REMOTE ACCESS REQUIREMENTS IAW REF C ARE STILL IN EFFECT.
K. IF AN ACCOUNT OR PASSWORD IS SUSPECTED TO HAVE BEEN COMPROMISED, SUSPEND THE ACCOUNT AND REQUIRE THE PASSWORD TO BE RESET PRIOR TO REACTIVATION. REPORT THE INCIDENT TO THE INFORMATION SYSTEMS SECURITY OFFICER (ISSO) OR INFORMATION SYSTEMS SECURITY MANAGER (ISSM).
L. LASTLY, CREATION AND IMPLEMENTATION OF A PASSWORD VERIFICATION MEANS IS CURRENTLY BEING FORMULATED. IN THE NEAR FUTURE, ALL ISSM'S WILL BE TASKED WITH CONDUCTING PERIODIC PASSWORD VERIFICATION IAW THIS MARADMIN. DURING THIS VERIFICATION PROCESS, ISSM'S WILL USE A COMMERCIALLY AVAILABLE PASSWORD CRACKING TOOL (WHICH WILL BE MADE AVAILABLE AND CONTROLLED SOLELY THROUGH THE MITNOC) TO ENSURE THE STRENGTH AND VALIDITY OF ALL PASSWORD PROTECTED ACCOUNTS AND APPLICATIONS WITHIN THEIR RESPECTIVE AREA OF RESPONSIBILITY. ACCOUNTS DISCOVERED DURING THIS PROCESS NOT MEETING THE PASSWORD PARAMETERS PRESCRIBED HEREIN WILL BE SUSPENDED UNTIL SUCH TIME AN APPROPRIATE PASSWORD IS ESTABLISHED. ISSM'S ARE STRONGLY CAUTIONED THAT THIS PROCEDURE WILL ONLY BE CONDUCTED UNDER CLOSE SUPERVISION OF SENIOR SYSTEM ADMINISTRATORS EXCEPTIONALLY FAMILIAR WITH THE LEGAL AS WELL AS PRIVACY ISSUES SURROUNDING THIS ISSUE. UNDER NO CIRCUMSTANCES WILL THIS PROCEDURE BE DELEGATED TO SUBORDINATE PERSONNEL ACTING ON THEIR OWN RECOGNIZANCE. SPECIFIC DIRECTION ON THIS PROCESS IS FORTHCOMING.
5. ACTION. COMMANDERS WILL ENSURE THE IMPLEMENTATION OF THIS POLICY WITHOUT DELAY AND ENSURE THE INCLUSION OF ITS CONTENT WITHIN RESIDENT INFORMATION SYSTEM SECURITY TRAINING.
6. POC FOR POLICY QUESTIONS IS MSGT DULANY, DSN 233-3490, COMM 703-693-3490. TECHNICAL INQUIRIES SHOULD BE DIRECTED TO THE MITNOC HELP DESK AT DSN 278-5300, COMM 703-784-5300, OR UNCLAS E-MAIL HELPDESK@NOC.USMC.MIL.
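
The parameters in paragraphs 4.A through 4.D can be enforced at password-change time. The following is an added example, not part of the MARADMIN or any USMC system: a Python check that evaluates a requested change against composition, reuse history, minimum age and maximum age. The function names, the salted PBKDF2 history format and the caller-supplied `banned` word list are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH, MIN_CHARSETS = 8, 3      # para 4.A: eight characters, three of four sets
MAX_AGE = timedelta(days=90)         # para 4.B
HISTORY_CYCLES = 10                  # para 4.C
MIN_AGE = timedelta(days=7)          # para 4.D

def charset_count(pw):
    """Number of the four 4.A character sets present in pw."""
    return sum([any(c in string.ascii_uppercase for c in pw),
                any(c in string.ascii_lowercase for c in pw),
                any(c in string.digits for c in pw),
                any(not c.isalnum() for c in pw)])

def digest(pw, salt):
    # History holds salted PBKDF2 digests, never cleartext (storage format is an assumption).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def remember(history, pw):
    """Append pw to history, keeping only the last HISTORY_CYCLES entries."""
    salt = os.urandom(16)
    return (history + [(salt, digest(pw, salt))])[-HISTORY_CYCLES:]

def check_change(userid, new_pw, history, last_set, now, banned=frozenset()):
    """Return the paragraphs a requested password change would violate."""
    bad = []
    if len(new_pw) < MIN_LENGTH or charset_count(new_pw) < MIN_CHARSETS:
        bad.append("4.A composition")
    if new_pw.lower() == userid.lower() or new_pw.lower() in banned:
        bad.append("4.A userid/dictionary")
    if any(hmac.compare_digest(digest(new_pw, s), d) for s, d in history):
        bad.append("4.C reuse")
    if last_set is not None and now - last_set < MIN_AGE:
        bad.append("4.D minimum age")
    return bad

def is_expired(last_set, now):
    """True once the password is older than the 4.B maximum age."""
    return now - last_set > MAX_AGE

if __name__ == "__main__":
    # Constructed sample account, not real data.
    now = datetime(2003, 6, 1)
    hist = remember([], "Winter#2003")
    print(check_change("jsmith", "Winter#2003", hist, now - timedelta(days=3), now))
```

The minimum-age check is what makes the 10-cycle history meaningful: without it, a user could change passwords eleven times in a row and return to the original.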