IA.L2-3.5.11 Obscure Feedback - DIB SCC CyberAssist

CMMC Practice IA.L2-3.5.11 – Obscure Feedback: Obscure feedback of authentication information.

Links to Publicly Available Resources

CMMC Level 2 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
DISA – Security Technical Information Guide (STIG): MAC OS Finding and Fix
The STIG finding describes a finding where the operating system failed to obscure feedback of authentication information. The STIG lists a rather obvious check and a fix.
DISA – Security Technical Information Guide (STIG): Oracle database Finding and Fix
The STIG finding describes a finding where the Oracle Database system failed to obscure feedback of authentication information. The STIG lists a check and a fix.
Open Web Application Security Project (OWASP) – Testing for Default Credentials
This link discusses the process of testing web applications for default credentials.
STIG Viewer – Network Device Management Security Requirements Guide
This Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the NIST 800-53 and related documents.
Texas A&M Policy: Authenticator Feedback (IA-6)
This example policy describes how information resources shall obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
YouTube – NIST 800-171 Control 3-5-11 – Obscure feedback of authentication information
In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we focus on obscuring authenticator feedback from systems so as to not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. Let’s talk about NIST 800-171 Control 3-5-11 - Obscure feedback of authentication information.

Discussion [NIST SP 800-171 R2]
The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.

Further Discussion
Authentication information includes passwords. When users enter a password, the system displays a symbol, such as an asterisk, to obscure feedback preventing others from seeing the actual characters. Feedback is obscured based on a defined policy (e.g., smaller devices may briefly show characters before obscuring).