CMMC Practice IA.L2-3.5.10 – Cryptographically-Protected Passwords: Store and transmit only cryptographically-protected passwords.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies.
This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified, digitized information during transmission and while in storage.
This link discusses the process of testing web applications for default credentials.
This SANS guideline provides best practices for creating secure passwords.
This is a sample password protection policy from SANS.
In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we focus on cryptographically-protected passwords. Let’s talk about NIST 800-171 Control 3.5.10 - Store and transmit only cryptographically-protected passwords.
This video from SANS educates viewers on the positive and negative aspects of using full disk encryption for security.
Discussion [NIST SP 800-171 R2]
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.
See NIST Cryptographic Standards and Guidelines.
Further Discussion
All passwords must be cryptographically protected using a one-way function for storage and transmission. This type of protection transforms each password into another form, a hashed password. A one-way transformation makes it theoretically impossible to turn the hashed password back into the original password, but inadequate password complexity (IA.L2-3.5.7) may still make offline cracking of the hashes feasible.
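As an added illustration (not part of the CMMC practice text or of any NIST publication it cites), the Python below shows the storage form this practice calls for: a per-user random salt fed into a slow one-way function (PBKDF2-HMAC-SHA256 and the 600,000 iteration count are assumed choices), a self-describing stored record, and constant-time verification. An unsalted fast hash is included only for contrast, to show why it fails the control.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value); raising it slows
# offline cracking of a leaked record, which is the residual risk the
# practice text notes for weak passwords.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """What the practice forbids: a fast, unsalted hash. Equal passwords give
    equal hashes, so one precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>.
    Only this record is stored; the password itself never is."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user, per password change
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: deny rather than crash
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))  # False
```

Two users with the same password get different records because their salts differ, while the unsalted form makes them identical; that difference is what defeats precomputed tables.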