Updating Password Length Policy based on new NIST Guidelines #460

26 changes: 21 additions & 5 deletions baselines/commoncontrols.md
Expand Up @@ -410,6 +410,18 @@ User password length SHALL be at least 12 characters.
- [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)

#### GWS.COMMONCONTROLS.5.3v0.3
User password length SHOULD be at least 15 characters.

- _Rationale:_ The National Institute of Standards and Technology (NIST) has published guidance indicating that password length is a primary factor in characterizing password strength (NIST SP 800-63B). Longer passwords tend to be more resistant to brute force and dictionary-based attacks.
- _Last modified:_ July 10, 2023

- MITRE ATT&CK TTP Mapping
- [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/)
- [T1110:001: Brute Force: Password Guessing](https://attack.mitre.org/techniques/T1110/001/)
- [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
- [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)

#### GWS.COMMONCONTROLS.5.4v0.3
Password policy SHALL be enforced at next sign-in.

- _Rationale:_ Unless the password policy is enforced at next login, a user could potentially operate indefinitely using a weak password. Enforcing the policy at next login helps ensure that all active user passwords meet current requirements.
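Review bot: the new GWS.COMMONCONTROLS.5.3v0.3 (SHOULD, 15 characters) sits next to the unchanged 5.2v0.3 (SHALL, 12 characters) and both govern the same minimum-length setting, so the baseline now carries two thresholds for one control without saying how they relate; the 5.3 text should state that adopting it replaces the 12-character floor from 5.2, or the rationale should explain why 15 is only a SHOULD while 12 stays a SHALL. The rationale also says NIST "has published guidance" without pointing to the section of SP 800-63B the 15-character figure is drawn from, which an assessor will want in order to verify the claim.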
Expand All @@ -421,7 +433,7 @@ Password policy SHALL be enforced at next sign-in.
- [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
- [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)

#### GWS.COMMONCONTROLS.5.4v0.3
#### GWS.COMMONCONTROLS.5.5v0.3
User passwords SHALL NOT be reused.

- _Rationale:_ Password reuse represents a significant security risk. Preventing password reuse when possible limits the scope of a compromised password.
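Review bot: this hunk renumbers the no-reuse control from 5.4v0.3 to 5.5v0.3 while keeping the v0.3 suffix, so the identifier GWS.COMMONCONTROLS.5.4v0.3 now names a different requirement (next-sign-in enforcement) than it did before this change, and the same shift happens for 5.5v0.3 to 5.6v0.3 in the following hunk. Any findings, exceptions or policy code recorded against the old IDs will silently point at the wrong control; call the renumbering out in the changelog or defer it to the next version bump, and check for ID references outside the two files touched here.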
Expand All @@ -433,7 +445,7 @@ User passwords SHALL NOT be reused.
- [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
- [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)

#### GWS.COMMONCONTROLS.5.5v0.3
#### GWS.COMMONCONTROLS.5.6v0.3
User passwords SHALL NOT expire.

- _Rationale:_ The National Institute of Standards and Technology (NIST), OMB, and Microsoft have published guidance indicating mandated periodic password changes make user accounts less secure. For example, OMB M-22-09 states, "Password policies must not require use of special characters or regular rotation."
Expand All @@ -448,7 +460,8 @@ User passwords SHALL NOT expire.
### Resources

- [GWS Admin Help \| Enforce and monitor password requirements for users](https://support.google.com/a/answer/139399?hl=en#zippy=%2Cwhat-makes-a-password-strong)
- [CIS Google Workspace Foundations Benchmark](https://www.cisecurity.org/benchmark/google_workspace)
- [Create a strong password & a more secure account](https://support.google.com/accounts/answer/9094506?fl=1&sjid=14948418137648107240-NA)
- [CISA Cross-Sector Cybersecurity Performance Goals](https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MinimumPasswordStrength2B)

### Prerequisites

Expand All @@ -472,12 +485,15 @@ To configure a strong password policy is configured, use the Google Workspace Ad
1. Under **Length**, set **Minimum Length** to 12+.

#### GWS.COMMONCONTROLS.5.3v0.3 Instructions
1. Under **Strength and Length enforcement**, select the **Enforce password policy at next sign-in** checkbox.
1. Under **Length**, set **Minimum Length** to 15+.

#### GWS.COMMONCONTROLS.5.4v0.3 Instructions
1. Under **Reuse**, deselect the **Allow password reuse** checkbox.
1. Under **Strength and Length enforcement**, select the **Enforce password policy at next sign-in** checkbox.

#### GWS.COMMONCONTROLS.5.5v0.3 Instructions
1. Under **Reuse**, deselect the **Allow password reuse** checkbox.

#### GWS.COMMONCONTROLS.5.6v0.3 Instructions
1. Under **Expiration**, select **Never Expires.**

## 6. Highly Privileged Accounts
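Review bot: the 5.3v0.3 instruction "set Minimum Length to 15+" and the 5.2v0.3 instruction "set Minimum Length to 12+" configure the same admin-console field, so an administrator following the steps in order sets it to 12 and then immediately overwrites it with 15; say explicitly that the 5.3 step, where adopted, replaces the 5.2 value rather than being an additional setting. The unchanged context line "To configure a strong password policy is configured, use the Google Workspace Ad…" has a duplicated verb that could be fixed in the same pass.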
Expand Up @@ -9,9 +9,10 @@ GWS.COMMONCONTROLS.3.1v0.3,Login Challenges SHALL be enabled when third party SA
GWS.COMMONCONTROLS.4.1v0.3,Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.,Admin Log Event,Change Application Setting,Session management settings - Session length in seconds,43200,rules/00gjdgxs1j87x46,JK 08-02-23 @ 08:11
GWS.COMMONCONTROLS.5.1v0.3,User password strength SHALL be enforced.,Admin Log Event,Change Application Setting,Password Management - Enforce strong password,on,rules/00gjdgxs2rh5fry,JK 08-02-23 @ 08:21
GWS.COMMONCONTROLS.5.2v0.3,User password length SHALL be at least 12 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51
GWS.COMMONCONTROLS.5.3v0.3,Password policy SHALL be enforced at next sign-in.,Admin Log Event,Change Application Setting,Password Management - Enforce password policy at next login,true,rules/00gjdgxs0p7tza1,JK 08-02-23 @ 09:00
GWS.COMMONCONTROLS.5.4v0.3,User passwords SHALL NOT be reused.,Admin Log Event,Change Application Setting,Password Management - Enable password reuse,false,rules/00gjdgxs0tbqklj,JK 08-02-23 @ 09:05
GWS.COMMONCONTROLS.5.5v0.3,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09
GWS.COMMONCONTROLS.5.3v0.3,User password length SHOULD be at least 15 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51
GWS.COMMONCONTROLS.5.4v0.3,Password policy SHALL be enforced at next sign-in.,Admin Log Event,Change Application Setting,Password Management - Enforce password policy at next login,true,rules/00gjdgxs0p7tza1,JK 08-02-23 @ 09:00
GWS.COMMONCONTROLS.5.5v0.3,User passwords SHALL NOT be reused.,Admin Log Event,Change Application Setting,Password Management - Enable password reuse,false,rules/00gjdgxs0tbqklj,JK 08-02-23 @ 09:05
GWS.COMMONCONTROLS.5.6v0.3,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09
GWS.COMMONCONTROLS.6.1v0.3,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.2v0.3,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
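Review bot: the new GWS.COMMONCONTROLS.5.3v0.3 row keeps the value 12, the rule id rules/00gjdgxs0ogcs3x and the timestamp "JK 08-02-23 @ 08:51" copied verbatim from the 5.2v0.3 row, so the alert for the 15-character SHOULD control would trigger on a 12-character threshold and is indistinguishable from 5.2's; the value should be 15, and if a separate alert rule was actually created for this control the rule id and timestamp need to be its own. The renumbered 5.4 through 5.6 rows match the markdown change.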