MARINE CORPS ENTERPRISE NETWORK (MCEN); PASSWORD MANAGEMENT POLICY
Date Signed: 3/3/2003 | MARADMINS Number: 089/03

R 032020Z MAR 03
FM CMC WASHINGTON DC(n)
TO ML MARADMIN(n)
MARADMIN
BT
UNCLAS
MARADMIN 089/03
MSGID/GENADMIN/CMC WASHINGTON DC/C4//
SUBJ/MARINE CORPS ENTERPRISE NETWORK (MCEN)
/PASSWORD MANAGEMENT POLICY//
REF/A/MCO/CJCSI6510.01C/010000ZMAY//
REF/B/MCO/CJCSI5239.1/180000Z9NOV//
REF/C/MSG/COMMARFOR CND/YMD:20020201//
NARR/REF A IS JCS INSTRUCTION ON INFORMATION ASSURANCE AND COMPUTER
NETWORK DEFENSE (CND). REF B ESTABLISHES USMC INFORMATION ASSURANCE
PROGRAM. REF C IS A COMMARFOR CND MSG ON REQUIRED SECURITY
CONFIGURATIONS FOR REMOTE ACCESS SERVICE (RAS).//
POC/DULANY KM/MSGT/HQMC C4/-/TEL:DSN 223-3490/TEL:703-693-3490
/EMAIL:DULANYKM@HQMC.USMC.MIL//
RMKS/1. PURPOSE. THE PURPOSE OF THIS MARADMIN IS TO ESTABLISH MARINE
CORPS WIDE PASSWORD MANAGEMENT POLICIES AND PROCEDURES.
2. BACKGROUND. INFORMATION ASSURANCE (IA) FOR DOD INFORMATION
SYSTEMS AND NETWORKS REQUIRES A DEFENSE-IN-DEPTH STRATEGY THAT
INTEGRATES THE CAPABILITIES OF PEOPLE, OPERATIONS, AND TECHNOLOGY.
THE GOAL IS TO ESTABLISH MULTILAYER AND MULTIDIMENSIONAL PROTECTION
TO ENSURE SURVIVABILITY AND MISSION ACCOMPLISHMENT (REF A). WITHIN
THIS STRATEGY, OUR END USERS ARE THE FIRST LINE OF DEFENSE AND MUST
BE EQUIPPED WITH THE KNOWLEDGE AND AWARENESS THAT EVEN THEIR SMALLEST
CONTRIBUTION (IN THIS CASE, PASSWORD MANAGEMENT) COULD MEAN THE
DIFFERENCE BETWEEN A SECURE OR COMPROMISED INFORMATION SYSTEM.
3. SCOPE. THIS POLICY APPLIES TO ALL GOVERNMENT OWNED OR FUNDED
AUTOMATED INFORMATION SYSTEMS (AIS) TO INCLUDE COMPUTER HARDWARE,
SOFTWARE, PERIPHERALS, AND NETWORK CONNECTIVITY OWNED, OPERATED, OR
UTILIZED BY USMC PERSONNEL.
4. POLICY. EFFECTIVE IMMEDIATELY:
A. PASSWORDS MUST CONTAIN AT LEAST EIGHT CHARACTERS USING THREE OF
THE FOUR FOLLOWING CHARACTER SETS: UPPER-CASE LETTERS, LOWER-CASE
LETTERS, NUMBERS, AND SPECIAL CHARACTERS. PASSWORDS MUST NOT BE
COMMON DICTIONARY WORDS OR NAMES, BIRTHDAYS, PHONE NUMBERS, OR THE
USER IDENTIFICATION (USERID).
B. PASSWORDS MUST BE CHANGED OR INVALIDATED AT LEAST EVERY 90 DAYS
FOR BOTH CLASSIFIED SYSTEMS (SIPRNET) AND CONTROLLED-BUT-UNCLASSIFIED
SYSTEMS (NIPRNET). USMC ORGANIZATIONS ARE AUTHORIZED TO ELECT SHORTER
PERIODS BASED ON AN ELEVATED SECURITY POSTURE OR OPERATIONAL NECESSITY.
C. AIS'S WILL BE CONFIGURED TO NOT ALLOW USERS TO REUSE A PASSWORD
FOR 10 CYCLES.
D. THE MINIMUM PASSWORD AGE WILL BE 7 DAYS. ONCE A PASSWORD IS SET,
A USER WILL NOT BE ABLE TO CHANGE THE PASSWORD FOR 7 DAYS. THIS WILL
PREVENT A USER FROM CYCLING THROUGH PASSWORDS UNTIL THEY SELECT THE
ONE THEY HAVE ALWAYS USED.
E. PASSWORDS WILL BE CLASSIFIED AT THE HIGHEST LEVEL OF INFORMATION
PROCESSED ON THAT SYSTEM.
F. PASSWORD SHARING IS PROHIBITED.
G. VENDOR-SELECTED DEFAULT PASSWORDS MUST BE CHANGED DURING OR
IMMEDIATELY AFTER SYSTEM INSTALLATION. NULL OR BLANK PASSWORDS ARE
NOT AUTHORIZED UNDER ANY CIRCUMSTANCES.
H. SYSTEMS WILL BE RECHECKED PERIODICALLY TO CONFIRM UPGRADES/PATCHES
HAVE NOT REINSTALLED FACTORY PASSWORD DEFAULTS OR OTHER TYPES OF
BACKDOORS.
I. SEPARATE USER AND NETWORK ADMINISTRATOR ACCOUNTS/PASSWORDS MUST
BE USED.
J. REMOTE ACCESS REQUIREMENTS IAW REF C ARE STILL IN EFFECT.
K. IF AN ACCOUNT OR PASSWORD IS SUSPECTED TO HAVE BEEN COMPROMISED,
SUSPEND THE ACCOUNT AND REQUIRE THE PASSWORD TO BE RESET PRIOR TO
REACTIVATION. REPORT THE INCIDENT TO THE INFORMATION SYSTEMS
SECURITY OFFICER (ISSO) OR INFORMATION SYSTEMS SECURITY MANAGER
(ISSM).
L. LASTLY, CREATION AND IMPLEMENTATION OF A PASSWORD VERIFICATION
MEANS IS CURRENTLY BEING FORMULATED. IN THE NEAR FUTURE, ALL ISSM'S
WILL BE TASKED WITH CONDUCTING PERIODIC PASSWORD VERIFICATION IAW
THIS MARADMIN. DURING THIS VERIFICATION PROCESS, ISSM'S WILL USE A
COMMERCIALLY AVAILABLE PASSWORD CRACKING TOOL (WHICH WILL BE MADE
AVAILABLE AND CONTROLLED SOLELY THROUGH THE MITNOC) TO ENSURE THE
STRENGTH AND VALIDITY OF ALL PASSWORD PROTECTED ACCOUNTS AND
APPLICATIONS WITHIN THEIR RESPECTIVE AREA OF RESPONSIBILITY.
ACCOUNTS DISCOVERED DURING THIS PROCESS NOT MEETING THE PASSWORD
PARAMETERS PRESCRIBED HEREIN WILL BE SUSPENDED UNTIL SUCH TIME AN
APPROPRIATE PASSWORD IS ESTABLISHED. ISSM'S ARE STRONGLY CAUTIONED
THAT THIS PROCEDURE WILL ONLY BE CONDUCTED UNDER CLOSE SUPERVISION
OF SENIOR SYSTEM ADMINISTRATORS EXCEPTIONALLY FAMILIAR WITH THE
LEGAL AS WELL AS PRIVACY ISSUES SURROUNDING THIS ISSUE. UNDER NO
CIRCUMSTANCES WILL THIS PROCEDURE BE DELEGATED TO SUBORDINATE
PERSONNEL ACTING ON THEIR OWN RECOGNIZANCE. SPECIFIC DIRECTION ON
THIS PROCESS IS FORTHCOMING.
5. ACTION. COMMANDERS WILL ENSURE THE IMPLEMENTATION OF THIS POLICY
WITHOUT DELAY AND ENSURE THE INCLUSION OF ITS CONTENT WITHIN
RESIDENT INFORMATION SYSTEM SECURITY TRAINING.
6. POC FOR POLICY QUESTIONS IS MSGT DULANY, DSN 233-3490, COMM
703-693-3490. TECHNICAL INQUIRIES SHOULD BE DIRECTED TO THE MITNOC
HELP DESK AT DSN 278-5300, COMM 703-784-5300, OR UNCLAS E-MAIL
HELPDESK@NOC.USMC.MIL.//
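
The parameters in paragraphs 4.A through 4.D can be enforced at password-change time. The following is an added example, not part of the MARADMIN or any USMC tooling: the function names, the sample word list, and the PBKDF2-hashed history are assumptions, and the userid substring check and the symbol-stripping dictionary check are stricter readings of 4.A than its wording requires.

```python
import hashlib, hmac, os, re
from datetime import date

MIN_LENGTH, MIN_CLASSES = 8, 3   # para 4.A
MAX_AGE_DAYS = 90                # para 4.B
HISTORY_DEPTH = 10               # para 4.C
MIN_AGE_DAYS = 7                 # para 4.D
# Constructed stand-in for a real dictionary/name list (assumption).
SAMPLE_WORDLIST = {"password", "marine", "welcome"}
CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")

def hash_pw(password, salt=None):
    """Salted PBKDF2 digest so the history never holds cleartext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def composition_findings(password, userid, wordlist=SAMPLE_WORDLIST):
    """Return the para 4.A rules a candidate password breaks."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("4.A length")
    if sum(bool(re.search(c, password)) for c in CLASSES) < MIN_CLASSES:
        findings.append("4.A character sets")
    folded = password.lower()
    if userid and userid.lower() in folded:
        findings.append("4.A userid")
    # Strip digits/symbols so "Password1!" still matches "password".
    if re.sub(r"[^a-z]", "", folded) in wordlist:
        findings.append("4.A dictionary word")
    return findings

def change_findings(new_pw, userid, history, last_changed, today):
    """history: newest-first (salt, digest) pairs, current password included."""
    findings = composition_findings(new_pw, userid)
    if (today - last_changed).days < MIN_AGE_DAYS:
        findings.append("4.D minimum age")
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_pw(new_pw, salt)[1], digest):
            findings.append("4.C reuse")
            break
    return findings

def is_expired(last_changed, today):
    """True once the password is older than the 90-day limit (para 4.B)."""
    return (today - last_changed).days > MAX_AGE_DAYS

if __name__ == "__main__":
    # Constructed sample: user "jdoe" last changed password 3 days ago.
    hist = [hash_pw("Tr4vel!Bag22")]
    print(change_findings("Password1!", "jdoe", hist, date(2003, 3, 1), date(2003, 3, 4)))
```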