There are lots of orgs with dumb MDM policies, but I doubt Congress is enforcing that one. MDMs usually prevent simple passwords like that (though not equally simple ones like 989898...).

It looks like they require a PIN but disallow repeating characters. Here's the Security Technical Implementation Guide[0].

[0]https://www.stigviewer.com/stig/apple_ios_8_interim_security...

That's DoD but Congress is different. Hard to find my on house.gov though.

DoD and ASD still don't like biometrics, in ASDs case because the want to see how it works: https://www.cyber.gov.au/publications/security-configuration...

Biometrics like iris scanners and palm prints are used everywhere for high security govt installations, but I guess they have been tested by spooks.