Category: Security Architecture
Applicability: Applies to all state agencies, boards, and commissions, excluding higher education
History: Adopted on September 18, 2007. Amended on November 12, 2008 and December 10, 2013.
The purpose of this standard is to set the minimum requirements for passwords and the related system access requirements based on the data classification (NITC 8-101, § 4.6).
The scope of this standard is restricted to passwords that are used to authenticate users to networks or applications.
The following are the minimum password requirements for State of Nebraska passwords:
In addition to the Minimum Password Complexity outlined in section 1.2, additional password requirements are necessary for differing levels of data classification when authenticating users to networks or applications. The highest data classification level that a user has access to during an authenticated session will determine the additional password requirements. All employees and contractors of the State of Nebraska shall use a password that follows at least a confidential level of authentication when logging into a state network or application.
Information that is deemed Highly Restricted requires the highest level of security. A password used to access Highly Restricted information must follow the password complexity rules outlined in section 1.2 and must also meet at least 2 of the following additional requirements:
Information that is deemed Confidential requires a high level of security. A password used to access Confidential information must follow the password complexity rules outlined in section 1.2 and must contain the following additional requirement:
Information that is deemed Managed Access Public requires a minimal level of security and need not comply with section 1.2 of this policy. Typically this data would not include personal information, but it may carry special regulations related to its use or dissemination. Managed Access Public data may also be data that is sold as a product or service to users who have subscribed to a service.
Information that is deemed Public requires no security and need not comply with section 1.2 of this policy. This information should be restricted to view only.
Non-expiring passwords require their own high level of security. Typically the information they protect is confidential in nature and must follow the requirements in section 1.2. The additional requirements for access to confidential data with a non-expiring password are:
Agencies may use non-expiring passwords for automated system accounts. Examples of automated system accounts include those that act as an intermediary between the public user and state systems, provide internal system-to-system interfaces, perform backups, or run batch jobs.
Agencies may use non-expiring passwords on multi-user computers. Examples of multi-user computers include those computers in kiosks or training labs, where users have limited or restricted access to state resources.
Agencies may use non-expiring passwords for system equipment/devices. It is common for many devices (e.g. IP cameras, HVAC controls) in today's IT environment to use login capabilities to protect the device from unauthorized access. While many of these devices make use of a user ID and password in a manner similar to user authentication, the distinction is that the user ID authenticates the device itself to the system, not a person.