CMMC Requirement IA.L2-3.5.10 – Cryptographically-Protected Passwords: Store and transmit only cryptographically-protected passwords.
The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 and AWS managed Config rules. Each Config rule applies to a specific AWS resource and relates to one or more CMMC 2.0 Level 2 controls. A CMMC 2.0 Level 2 control can be related to multiple Config rules.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This topic for the IT professional explains how Windows implements passwords in versions of Windows beginning with Windows Server 2012 and Windows 8.1. It also discusses strong passwords, passphrases, and password policies.
This article provides guidance for the Identification and Authorization (IA) domain. There is a table with links to content that provides step-by-step guidance to accomplish the practice.
Users of the former "Crypto Toolkit" can now find that content under this project. It includes cryptographic primitives, algorithms and schemes described in some of NIST's Federal Information Processing Standards (FIPS), Special Publications (SPs) and NIST Internal/Interagency Reports (NISTIRs).
This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies.
This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified, digitized information during transmission and while in storage.
This NIST Special Publication provides technical requirements for federal agencies implementing digital identity services.
This article provides a simple model to follow when implementing solutions to protect data at rest.
Passwords should not be stored using reversible encryption - secure password hashing algorithms should be used instead.
This link discusses the process of testing web applications for default credentials.
This SANS guideline provides best practices for creating secure passwords.
This is a sample password protection policy from SANS.
In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we focus on cryptographically-protected passwords. Let's talk about NIST 800-171 Control 3.5.10 - Store and transmit only cryptographically-protected passwords.
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.
See NIST Cryptographic Standards and Guidelines.
Further Discussion
All passwords must be cryptographically protected using a one-way function for storage and transmission. This type of protection transforms each password into another form, a hashed password. A one-way transformation makes it computationally infeasible to turn the hashed password back into the original password, but inadequate complexity (IA.L2-3.5.7) may still facilitate offline cracking of hashes.
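As an added illustration of the salted one-way hashing described above (example code written for this page, not taken from NIST, CMMC or any of the linked resources), the following Python stores each password as a self-describing record containing the algorithm, an iteration count, a per-password random salt and the derived hash. It uses PBKDF2-HMAC-SHA256 from the standard library; the record format, the function names and the iteration count are assumptions chosen for the example and should be tuned to the deployment. The audit helper shows how a reviewer can flag credential-store entries that are not in a salted-hash form, which is the check an assessor of IA.L2-3.5.10 would want to make.

```python
import hashlib
import hmac
import os
import re

# Constructed example parameters (assumptions, not values from the page):
# the work factor must be tuned to the hardware and re-raised over time.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32
ALGORITHM = "pbkdf2_sha256"

# Stored record format (hypothetical): algorithm$iterations$salt_hex$hash_hex
_RECORD_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]+)\$([0-9a-f]+)$")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce a salted one-way hash record for storage.

    A fresh random salt is drawn for every call, so two users with the same
    password get different records and precomputed hash tables do not apply.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count.

    The comparison is constant-time so the check does not leak how many
    leading bytes of the candidate hash matched.
    """
    match = _RECORD_RE.match(record)
    if not match:
        # Anything not in the salted-hash format is never accepted as valid.
        return False
    iterations, salt_hex, hash_hex = int(match.group(1)), match.group(2), match.group(3)
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        iterations,
        dklen=len(hash_hex) // 2,
    )
    return hmac.compare_digest(candidate.hex(), hash_hex)


def is_cryptographically_protected(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Audit helper: True only when the stored value is a salted one-way hash
    with an iteration count at or above the required work factor.

    A plaintext or reversibly-encrypted value fails this check, which is the
    condition IA.L2-3.5.10 is meant to rule out.
    """
    match = _RECORD_RE.match(record)
    return bool(match) and int(match.group(1)) >= min_iterations


if __name__ == "__main__":
    # Constructed credential store: one compliant record, one plaintext entry.
    store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": "hunter2",  # constructed plaintext entry that the audit should flag
    }
    for user, record in store.items():
        status = "ok" if is_cryptographically_protected(record) else "NOT PROTECTED"
        print(f"{user}: {status}")
    print("alice login:", verify_password("correct horse battery staple", store["alice"]))
    print("alice wrong password:", verify_password("wrong", store["alice"]))
```

Because the iteration count and salt travel with each record, the work factor can be raised for new passwords without invalidating existing ones, and the audit helper doubles as the trigger for re-hashing stale records at the user's next successful login.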
