Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY IA

IA.L2-3.5.10

Cryptographically-Protected Passwords

Requirement

Store and transmit only cryptographically protected passwords.

Further discussion

All passwords must be cryptographically protected using a one-way function for storage and transmission. This type of protection changes passwords into another form, or a hashed password. A one-way transformation makes it theoretically impossible to turn the hashed password back into the original password, but inadequate complexity (IA.L2-3.5.7) may still facilitate offline cracking of hashes. Example You are responsible for managing passwords for your organization. You protect all passwords with a one-way transformation, or hashing, before storing them. Passwords are never transmitted across a network unencrypted [a,b]. Potential Assessment Considerations • Are passwords prevented from being stored in reversible encryption form in any company systems [a]? • Are passwords stored as one-way hashes constructed from passwords [a]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/