> On May 15, 2018, at 8:37 AM, Patrick Tronnier via Public
> <[email protected]> wrote:
>
> I want to make it clear that OATI agrees with the minimum 2 year password
> period as the more secure route. It is FedRAMP and other standards which
> don’t. :)

I've been looking at FedRAMP, because I was surprised they'd be putting out guidelines that conflict with NIST guidelines, and I can't find this requirement; for the 'high security controls' (https://www.fedramp.gov/assets/resources/documents/FedRAMP_High_Security_Controls.xlsx), it does require you have a minimum and maximum password lifetime in IA-05(1)(d), but it says the actual limits are organization-defined, so you can ask the organization to set the maximum lifetime to, say, 3 years.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
