The password values must be set to meet the requirements in accordance with DODI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE [IA] AND COMPUTER NETWORK DEFENSE [CND]).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256882	HMC0140	SV-256882r998335_rule		Medium

Description
In accordance with DODI 8500.2 for DOD information systems processing sensitive information and above and CJCSI 6510.01E (INFORMATION ASSURANCE [IA] AND COMPUTER NETWORK DEFENSE [CND]). The following recommendations concerning password requirements are mandatory and apply equally to both classified and unclassified systems: (1) Passwords are to be 14 characters. (2) Passwords are to be a mix of uppercase, lowercase alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other nonalphabetic and nonnumeric characters typically found on a keyboard. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the Hardware Management Console control options introduces the possibility of exposure during the migration process or contingency plan activation.

Description

In accordance with DODI 8500.2 for DOD information systems processing sensitive information and above and CJCSI 6510.01E (INFORMATION ASSURANCE [IA] AND COMPUTER NETWORK DEFENSE [CND]). The following recommendations concerning password requirements are mandatory and apply equally to both classified and unclassified systems: (1) Passwords are to be 14 characters. (2) Passwords are to be a mix of uppercase, lowercase alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other nonalphabetic and nonnumeric characters typically found on a keyboard. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the Hardware Management Console control options introduces the possibility of exposure during the migration process or contingency plan activation.

STIG	Date
IBM Hardware Management Console (HMC) Security Technical Implementation Guide	2024-06-24

Details

Check Text ( C-60557r998333_chk )
Have the system administrator (SA) display the Password Profile Task window on the Hardware Management Console and check that: Passwords are to be a minimum of 14 characters in length. Passwords are to be a mix of uppercase, lowercase alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other nonalphabetic and nonnumeric characters typically found on a keyboard. Each character of the password is to be unique, prohibiting the use of repeating characters. Passwords are to contain no consecutive characters (e.g., 12, AB, etc.). If the Password Profile does not have the specifications for the above options then this is a finding.

Check Text ( C-60557r998333_chk )

Have the system administrator (SA) display the Password Profile Task window on the Hardware Management Console and check that:

Passwords are to be a minimum of 14 characters in length.

Passwords are to be a mix of uppercase, lowercase alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other nonalphabetic and nonnumeric characters typically found on a keyboard.

Each character of the password is to be unique, prohibiting the use of repeating characters.

Passwords are to contain no consecutive characters (e.g., 12, AB, etc.).

If the Password Profile does not have the specifications for the above options then this is a finding.

Fix Text (F-60500r998334_fix)
Have the system administrator (SA) validate that the settings in the Password Profiles Window meet the following specifications: Passwords are a minimum of 14 characters in length. Passwords are to be a mix of uppercase, lowercase alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard. Each character of the password is to be unique, prohibiting the use of repeating characters. Passwords are to contain no consecutive characters (e.g., 12, AB, etc.).

Fix Text (F-60500r998334_fix)

Have the system administrator (SA) validate that the settings in the Password Profiles Window meet the following specifications:

Passwords are a minimum of 14 characters in length.

Passwords are to be a mix of uppercase, lowercase alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.

Each character of the password is to be unique, prohibiting the use of repeating characters.

Passwords are to contain no consecutive characters (e.g., 12, AB, etc.).