The doc you just cited is based on the BRs and Network Security requirements, so yes, as the BR and Network Security requirements change, we generally see WebTrust change ;)
On Thu, May 17, 2018 at 5:05 PM, Patrick Tronnier via Public <[email protected]> wrote:
> Thanks Eric.
>
> I would also like to point out that WEBTRUST PRINCIPLES AND CRITERIA FOR
> CERTIFICATION AUTHORITIES – SSL BASELINE WITH NETWORK SECURITY Version 2.3,
> which was updated in February 2018,
> (http://www.webtrust.org/principles-and-criteria/docs/item85437.PDF)
> requires passwords to be changed every 3 months. Hopefully WebTrust will
> adjust to the NIST guidelines also.
>
> Thanks
>
> With kind regards,
>
> Patrick Tronnier
> Principal Security Architect &
> Sr. Director of Quality Assurance & Customer Support
> Phone: 763.201.2000
> Direct Line: 763.201.2052
> Open Access Technology International, Inc.
> 3660 Technology Drive NE, Minneapolis, MN
>
> From: Eric Mill [mailto:[email protected]]
> Sent: Thursday, May 17, 2018 10:43 AM
> To: Geoff Keating <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>
> Cc: Patrick Tronnier <[email protected]>
> Subject: Re: [cabfpub] Ballot 221 v3: Two-Factor Authentication and Password Improvements
>
> FedRAMP has published guidance about the new NIST password/identity guidelines:
>
> https://www.fedramp.gov/assets/resources/documents/CSP_Digital_Identity_Requirements.pdf
>
> They note that the formal baseline is still not updated, but encourage folks
> to follow NIST's new guidance regardless:
>
>     NOTE: At the time of this document's publication, FedRAMP Moderate and
>     High controls IA-5 (g) and IA-5 (1) (a,d) are known to be more restrictive
>     than the new password requirements in 800-63B, AAL2 and AAL3 respectively.
>     FedRAMP recommends Agency AOs accept compliance with NIST's guidance that
>     is most up-to-date and consistent with current cyber security threats.
>     This may be done using an implementation status of "Alternative
>     Implementation."
>
> I also confirmed with the FedRAMP program that the baseline is expected to be
> updated to match NIST's SP 800-63, and thus avoid the need for any special
> acceptance. But the point is that FedRAMP is not an obstacle to dropping
> password rotation -- they are expecting service providers to follow NIST's
> guidance and drop it.
>
> -- Eric
>
> On Tue, May 15, 2018 at 6:48 PM, Geoff Keating via Public <[email protected]> wrote:
> >
> > > On May 15, 2018, at 8:37 AM, Patrick Tronnier via Public <[email protected]> wrote:
> > >
> > > I want to make it clear that OATI agrees with the minimum 2 year password
> > > period as the more secure route. It is FedRAMP and other standards which
> > > don't. :)
> >
> > I've been looking at FedRAMP, because I was surprised they'd be putting out
> > guidelines that conflict with NIST guidelines, and I can't find this
> > requirement; for the 'high security controls'
> > (https://www.fedramp.gov/assets/resources/documents/FedRAMP_High_Security_Controls.xlsx),
> > it does require you have a minimum and maximum password lifetime in
> > IA-05(1)(d), but it says the actual limits are organization-defined, so you
> > can ask the organization to set the maximum lifetime to, say, 3 years.
>
> --
> Eric Mill
> Senior Advisor, Technology Transformation Services
> Federal Acquisition Service, GSA
> [email protected], +1-617-314-0966
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
