CMMC IA.2.081 - Encrypt Passwords

CMMC IA.2.081 - Encrypt Passwords

Requirement text: IA.2.081: Store and transmit only cryptographically-protected passwords.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Cryptographically-protected passwords use salted one-way cryptographic hashes of
passwords.

See NIST Cryptographic Standards and Guidelines.

CMMC CLARIFICATION
All passwords must be cryptographically protected in a one-way function for storage and
transmission. This type of protection changes passwords into another form, or a hashed
password. A one-way transformation makes it impossible to turn the hashed password back
into the original password.

Example
You are responsible for managing passwords for your organization. You protect all
passwords with a one-way transformation, or hashing, before storing or transmitting them.

References
• NIST SP 800-171 Rev 1 3.5.10
• CIS Controls v7.1 16.4, 16.5
• NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 IA-5(1)

    • Related Articles

    • Identification and Authentication: SP 800-171 Security Family 3.5

       For most systems, identification and authentication is often the first line of defense. Identification is the means of verifying the identity of a user, process, or device, typically as a prerequisite for granting access to resources in a system. ...

    • CMMC IA.2.079 - Prohibit Password Reuse

      Requirement text: IA.2.079: Prohibit password reuse for a specified number of generations. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Password lifetime restrictions do not apply to temporary passwords. CMMC CLARIFICATION Individuals may not ...

    • CMMC IA.2.078 - Enforce Password Complexity

      Requirement text: IA.2.078: Enforce a minimum password complexity and change of characters when new passwords are created. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 This requirement applies to single-factor authentication of individuals using ...

    • CMMC IA.2.082 - Obscure Authentication Feedback

      Requirement text: IA.2.082: Obscure feedback of authentication information. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 The feedback from systems does not provide any information that would allow unauthorized individuals to compromise ...

    • CMMC IA.2.080 - Limit Use of Temporary Password

      Requirement text: IA.2.080: Allow temporary password use for system logons with an immediate change to a permanent password. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Changing temporary passwords to permanent passwords immediately after system ...