IA.2.082

Control Acronym

IA

Family

Identification And Authentication

CMMC Level

2

800-171 Control #

3.5.11

CMMC Description

Obscure feedback of authentication information.

CMMC Clarification

A password is a type of authentication information. When users enter this information, the system displays a symbol, such as an asterisk. This prevents others from seeing the actual characters. The organization should obscure feedback based on a defined policy. For example, smaller devices may briefly show characters before obscuring. Example You are in charge of IT for your company. You set up your systems to display a symbol, such as an asterisk, when users enter their passwords into a computer system. For your mobile devices, the password characters are briefly displayed to the user before being obscured. This prevents people from figuring out passwords by looking over someone’s shoulder.

800-171 Description

Obscure feedback of authentication information.

800-171 Discussion

The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IA-6

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.5.11

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-1

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

IA.2.082.[a] authentication information is obscured during the authentication process.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15