CMMC v2.13 Practices

IA.L2-3.5.10

Reference: CMMC v2.13

Family: IA

Level Introduced: 2

Title: Cryptographically-Protected Passwords

Practice:
Store and transmit only cryptographically protected passwords.

Further Discussion:
All passwords must be cryptographically protected using a one-way function for storage and transmission. This protection transforms each password into another form, a hashed password. A one-way transformation makes it theoretically impossible to turn the hashed password back into the original password, but inadequate password complexity (IA.L2-3.5.7) may still facilitate offline cracking of the hashes.

Example
You are responsible for managing passwords for your organization. You protect all passwords with a one-way transformation, or hashing, before storing them. Passwords are never transmitted across a network unencrypted [a,b].

Potential Assessment Considerations
• Are passwords prevented from being stored in reversible encryption form in any company systems [a]?
• Are passwords stored as one-way hashes constructed from passwords [a]?
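The one-way storage described in the Further Discussion, and the check behind assessment consideration [a], as an added example that is not part of the CMMC text: passwords are turned into a salted PBKDF2-HMAC-SHA256 record, verified by recomputing the hash, and a record is inspected to confirm it is a one-way hash rather than reversible or plaintext storage. The record format, the iteration count and the minimum work factor are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: a high iteration count slows offline guessing against a stolen
# hash. These figures are assumptions for the example, not CMMC requirements.
ITERATIONS = 600_000
MIN_ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record holding only a one-way hash of the password.

    Record layout (assumed for this example):
    "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>". The plaintext is not
    part of it, so nothing in storage can be decrypted back to the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations), dklen=KEY_BYTES)
    # compare_digest avoids leaking how much of the hash matched via timing
    return hmac.compare_digest(candidate.hex(), hash_hex)


def record_is_protected(record: str) -> bool:
    """Assessment-style check: is this stored value a one-way hash with an
    adequate work factor, rather than plaintext or a reversible encoding?"""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    iterations, salt_hex, hash_hex = parts[1:]
    return (iterations.isdigit() and int(iterations) >= MIN_ITERATIONS
            and len(salt_hex) == 2 * SALT_BYTES and len(hash_hex) == 2 * KEY_BYTES)
```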

Source: CMMC v2.13