CMMC Requirement IA.L2-3.5.11 – Obscure Feedback: Obscure feedback of authentication information.
Within Identification and Authentication requirements of NIST SP 800-171, 3.5.11 (CMMC Practice IA.L2-3.5.11) requires the that feedback of authentication information be obscured. It might feel obvious that nearly all systems in the last 25+ years obscure password input, however strictly controlling the setting can prove to be beneficial. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This NIST Special Publication covers identity proofing and authentication of users interacting with government IT systems over open networks. This NIST Special Publication provides technical requirements for federal agencies implementing digital identity services. This link discusses the process of testing web applications for default credentials. This example policy describes how information resources shall obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. In this video, Mike breaks down CMMC 2.0 Control IA.L2-3.5.11. When you are typing in your password, you should not just be able to see the typed in password. You should see dots, or asterisks, or anything but the password in case someone is looking over your shoulder or through a screen share. The idea is NO looky loos should be able to get your passwords, especially in systems which contain CUI.
The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.
Further Discussion
Authentication information includes passwords. When users enter a password, the system displays a symbol, such as an asterisk, to obscure feedback preventing others from seeing the actual characters. Feedback is obscured based on a defined policy (e.g., smaller devices may briefly show characters before obscuring).