
IA.2.081

Content

Control Acronym

IA

Family

Identification And Authentication

CMMC Level

2

800-171 Control #

3.5.10

CMMC Description

Store and transmit only cryptographically-protected passwords.

CMMC Clarification

All passwords must be cryptographically protected in a one-way function for storage and transmission. This type of protection changes passwords into another form, or a hashed password. A one-way transformation makes it impossible to turn the hashed password back into the original password.

Example

You are responsible for managing passwords for your organization. You protect all passwords with a one-way transformation, or hashing, before storing or transmitting them.

800-171 Description

Store and transmit only cryptographically-protected passwords.

800-171 Discussion

Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO].

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 16.4, 16.5

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IA-5(1)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.5.10

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7

CERT RMM Reference

CERT RMM v1.2 KIM:SG4.SP1

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

Sub-Criteria

Assessment Sub-Criteria 1

IA.2.081.[a] passwords are cryptographically protected in storage; and

Assessment Sub-Criteria 2

IA.2.081.[b] passwords are cryptographically protected in transit.
