Policy Discussion: MS.AAD.6.1v1 User Passwords SHALL NOT expire legal precedence #1483
Labels: baseline-document (issues relating to the text in the baseline documents themselves); public-reported (this issue is reported by the public users of the tool); question (this issue is a request for information or needs discussion)
💡 Summary
What is the work, as a high-level summary?
A user asked which requirement takes legal precedence for password management under federal regulations, since MS.AAD.6.1v1 appears to conflict with other federal regulations. This issue opens the discussion on the policy to decide whether updates or additional notes should be added to it.
Motivation and context
Why does this work belong in this project?
This work belongs in this project because many of our users may face this question in the future. The team should proactively make any adjustments to the policy and route them through the appropriate approval channels to address user concerns.
For context, the user noted they support IRS and CMS data and are required to adhere to the following:
IRS: Publication 1075 (November 2021 Revision)
(CE-1) Password-Based Authentication: For password-based authentication:
5. Enforce password lifetime restrictions:
i. One (1) day minimum and 90 days maximum.
ii. Service accounts passwords shall expire within 366 days (inclusive).
Centers for Medicare & Medicaid Services: Minimum Acceptable Risk Safeguards for Exchanges (MARS-E) (Version 2.2)
IA-5 (1): Password-Based Authentication
d. Enforces at least the following minimum password requirements for Users / Privileged Users / Processes [acting on behalf of a User] / ACA Consumer Accounts
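The three requirements quoted above cannot all be met by one password-lifetime setting: MS.AAD.6.1v1 wants user passwords that never expire, while IRS Publication 1075 CE-1 item 5 wants a 1 to 90 day lifetime for users and at most 366 days for service accounts. The following check, added here as an illustration and not part of ScubaGear or this issue, evaluates a tenant's configured lifetime against each regime so an assessor can see which one the tenant currently satisfies and that no value satisfies both. It assumes the Microsoft Graph domain resource's data shape (a `passwordValidityPeriodInDays` property, where 2147483647 means the password never expires and an unset property defaults to 90 days); the domain names are constructed sample values.

```python
"""Compare a tenant's password validity period against MS.AAD.6.1v1
(user passwords SHALL NOT expire) and IRS Publication 1075 CE-1 item 5
(users: 1 day minimum, 90 days maximum; service accounts: expire within
366 days). Added example; the domain records below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption about the data shape: the Graph domain resource uses this
# sentinel in passwordValidityPeriodInDays to mean "never expires", and
# treats an unset property as a 90-day lifetime.
NEVER_EXPIRES = 2147483647
GRAPH_DEFAULT_DAYS = 90


@dataclass(frozen=True)
class Finding:
    domain: str
    validity_days: int
    scuba_ok: bool        # MS.AAD.6.1v1: passwords do not expire
    irs_user_ok: bool     # Pub 1075 CE-1 5.i: 1 <= lifetime <= 90 days
    irs_service_ok: bool  # Pub 1075 CE-1 5.ii: lifetime <= 366 days


def evaluate_domain(domain: str, validity_days: Optional[int]) -> Finding:
    """Evaluate one domain's configured lifetime against each requirement."""
    days = GRAPH_DEFAULT_DAYS if validity_days is None else validity_days
    never = days == NEVER_EXPIRES
    return Finding(
        domain=domain,
        validity_days=days,
        scuba_ok=never,
        irs_user_ok=(not never) and 1 <= days <= 90,
        irs_service_ok=(not never) and days <= 366,
    )


def evaluate_domains(domains: List[dict]) -> List[Finding]:
    """Evaluate a list of domain records shaped like Graph's /domains items."""
    return [evaluate_domain(d["id"], d.get("passwordValidityPeriodInDays"))
            for d in domains]


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per domain naming the regimes it satisfies."""
    lines = []
    for f in findings:
        met = [name for name, ok in (("MS.AAD.6.1v1", f.scuba_ok),
                                     ("IRS-1075-user", f.irs_user_ok),
                                     ("IRS-1075-service", f.irs_service_ok)) if ok]
        shown = "never" if f.validity_days == NEVER_EXPIRES else f"{f.validity_days}d"
        lines.append(f"{f.domain}: lifetime={shown} satisfies={met or ['none']}")
    return lines


# Constructed sample, shaped like a Graph /domains response (not real tenants).
SAMPLE_DOMAINS = [
    {"id": "scuba-aligned.example", "passwordValidityPeriodInDays": NEVER_EXPIRES},
    {"id": "irs-aligned.example", "passwordValidityPeriodInDays": 90},
    {"id": "unset-default.example"},
    {"id": "service-only.example", "passwordValidityPeriodInDays": 365},
]

if __name__ == "__main__":
    findings = evaluate_domains(SAMPLE_DOMAINS)
    for line in report(findings):
        print(line)
    # No setting can satisfy both MS.AAD.6.1v1 and the IRS user rule at once.
    print("any domain meeting both:", any(f.scuba_ok and f.irs_user_ok for f in findings))
```

The output makes the conflict concrete: every domain lands in exactly one of the two user-password regimes, so a tenant subject to both IRS 1075 and the SCuBA baseline has to document which requirement it follows rather than expecting a configuration that passes both.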
Implementation notes
N/A
Acceptance criteria
How do we know when this work is done?