This objective requires your organization to clearly define the minimum characteristics that make a password acceptable for use within your systems—particularly on systems that store, process, or access Controlled Unclassified Information (CUI). These definitions must align with your access control and authentication policies.