Control Acronym



Identification And Authentication

CMMC Level


800-171 Control #


CMMC Description

Store and transmit only cryptographically-protected passwords.

CMMC Clarification

All passwords must be cryptographically protected in a one-way function for storage and transmission. This type of protection changes passwords into another form, or a hashed password. A one-way transformation makes it impossible to turn the hashed password back into the original password.

Example: You are responsible for managing passwords for your organization. You protect all passwords with a one-way transformation, or hashing, before storing or transmitting them.

800-171 Description

Store and transmit only cryptographically-protected passwords.

800-171 Discussion

Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO].

Other Source Discussion


CIS Control References

CIS Controls v7.1 16.4, 16.5

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IA-5(1)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.5.10

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

IA.2.081.[a] passwords are cryptographically protected in storage; and

Assessment Sub-Criteria 2

IA.2.081.[b] passwords are cryptographically protected in transit.
