- Free Edition
- Quick Links
- MFA
- Self-Service Password Management
- Single Sign-On
- Password Synchronizer
- Password Policy Enforcer
- Employee Self-Service
- Reporting and auditing
- Integrations
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- Exchange Reporter Plus Exchange Server Auditing & Reporting
- EventLog Analyzer Real-time Log Analysis & Reporting
- M365 Manager Plus Microsoft 365 Management & Reporting Tool
- DataSecurity Plus File server auditing & data discovery
- RecoveryManager Plus Enterprise backup and recovery tool
- SharePoint Manager Plus SharePoint Reporting and Auditing
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools
What is the CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a unified framework developed by the U.S. Department of Defense (DOD) to ensure that contractors and subcontractors handling Controlled Unclassified Information (CUI) implement robust cybersecurity practices. Evolving from the NIST SP 800‑171 guidelines, CMMC aims to protect sensitive defense data across the Defense Industrial Base (DIB). With the introduction of CMMC 2.0, the model now includes three levels of certification, each reflecting increasing levels of cybersecurity maturity. To be eligible for DOD contracts, organizations must demonstrate compliance with the level appropriate to their role and data sensitivity.
What are the CMMC password requirements
The following table explains the password policy requirements found across the three levels in CMMC 2.0 and how ADSelfService Plus helps your organization comply with them.
| CMMC requirement | Requirement description | How ADSelfService Plus helps satisfy the requirement |
|---|---|---|
| Level 1 | ||
| AC.L1-3.1.1 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | With ADSelfService Plus, you can secure information system access by enabling adaptive mutifactor authentication (MFA) for endpoints, such as for machine logons, application logons, VPN logons, RDP logons, and OWA logons. It supports a wide range of multi-factor MFA methods, including biometrics, OTPs, and authenticator apps. |
| IA.L1-3.5.2 | Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems. | ADSelfService Plus supports a wide range of multi-factor MFA methods, including biometrics, OTPs, and authenticator apps. It ensures that only authenticated users and trusted devices can have access to organizational information systems. |
| Level 2 | ||
| AC.L2-3.1.3 | Control the flow of controlled unclassified information (CUI) in accordance with approved authorizations. | While ADSelfService Plus does not directly handle CUI, it helps enforce boundaries on where and how user-related data flows within the organization. The solution restricts access to user data and self-service functions based on group-, OU-, and IP-based policies. |
| AC.L2-3.1.8 | Limit unsuccessful sign-on attempts. | ADSelfService Plus allows administrators to configure lockout policies that limit the number of failed login attempts. After a defined number of unsuccessful attempts, the account can be temporarily locked or blocked from further access. |
| IA.L2-3.5.3 | Use MFA for local and network access to privileged accounts and for network access to non-privileged accounts. | ADSelfService Plus provides MFA for remote access sessions, which can be applied either at the client or target machine level. |
| IA.L2-3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | ADSelfService Plus provides FIDO2 authentication, which is resistant to replay, phishing, and manipulator-in-the-middle attacks. |
| IA.L2-3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | ADSelfService Plus addresses your compliance requirement for minimum password complexity and character changes through its Password Policy Enforcer. This feature allows you to define granular password rules, including required character sets (uppercase and lowercase letters, numbers, special characters), minimum length, and restrictions on character repetition and patterns. |
| IA.L2-3.5.8 | Prohibit password reuse for a specified number of generations. | ADSelfService Plus allows you to specify the number of previous passwords that a user cannot repeat while choosing a new password. |
| IA.L2-3.5.9 | Allow temporary password use for system logons with an immediate change to a permanent password. | ADSelfService Plus can enforce password changes during first login . Users logging in with a temporary password are immediately prompted to reset it through the self-service portal or login agent. |
| IA.L2-3.5.11 | Obscure feedback of authentication information. | ADSelfService Plus does not display passwords by default when entered but gives users the option to view them, if required. |
| Level 3 | ||
| IA.L3-3.5.3E | Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile. | ADSelfService Plus supports adaptive authentication through its flexible Conditional Access Policies. It allows you to configure device-based (device type/device platform), location-based (IP address/geolocation), and time-based access controls using logical conditions to automate access decisions. |
Simplify CMMC compliance using ADselfService Plus
ADSelfService Plus' Password Policy Enforcer satisfies CMMC requirements and can be enforced for all or specific AD users based on their domain, OU, or group membership. With its adaptive MFA techniques, ADSelfService Plus ensures your organizational identities are effectively secured for a comprehensive Zero Trust environment.
- Enforce password history: Ensure password strength by enforcing password history during native password resets in the Windows Active Directory Users and Computers (ADUC) console.
- Set a custom password length: Enforce longer passwords for Windows domain users by specifying the minimum password length.
- Ensure password complexity: Ensure user passwords contain uppercase, lowercase, special, and numeric characters.
- Ban weak passwords: Block leaked or weak AD passwords, patterns, and palindromes.
- Mandate MFA for users: Secure user access to sensitive defense-related data by enabling adaptive MFA for endpoints, such as for machine logons, application logons, VPN logons, RDP logons, and OWA logons. Choose from a range of 20 different MFA authenticators, including FIDO passkeys and biometrics, to verify users' identities.
- Password Policy Enforcer
- MFA
Restrict users from reusing any of their previously used passwords during password creation.
Configure the minimum password length and the inclusion of alpha-numeric characters in passwords.
Choose the minimum number of complexity requirements your users' passwords should satisfy as per your organization's security needs.
Choose from a plethora of different authenticators to verify your users' identities.
Secure all endpoints in your network using MFA.
Highlights of ADSelfService Plus
Password self-service
Eliminate lengthy help desk calls for Windows Active Directory users by empowering them with self-service password reset and account unlock capabilities.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Windows Active Directory credentials.
Password synchronization
Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more
MFA
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
Password and account expiration notifications
Notify Windows Active Directory users of their impending password and account expiration via email and SMS notifications.
Password policy enforcer
Strong passwords resist various hacking threats. Enforce Windows Active Directory users to adhere to compliant passwords by displaying password complexity requirements.
