CMMC Practice Number: IA.L2-3.5.10
CMMC Level: 2 CMMC Domain: Identification and Authentication (IA)
Practice Summary:
Store and transmit only cryptographically-protected passwords.
Contents:
CMMC Practice Implementation
Assessment Objectives
Determine if:
[a] passwords are cryptographically protected in storage; and
[b] passwords are cryptographically protected in transit.
Practice Clarification (DOD, CMU)
All passwords must be cryptographically protected both at rest and in transit. For storage, this means a one-way (hashing) function: the password is transformed into another form, the hashed password, and the system keeps only that. For transmission, it means the password is never sent across a network unencrypted; it travels only over an encrypted channel. A one-way transformation makes it computationally infeasible to turn the hashed password back into the original password, but inadequate complexity (IA.L2-3.5.7) may still allow offline cracking of hashes by guessing candidate passwords and hashing each one.
Example
You are responsible for managing passwords for your organization. You protect all passwords with a one-way transformation, or hashing, before storing them. Passwords are never transmitted across a network unencrypted [a,b].
Potential Assessment Considerations
• Are passwords prevented from being stored in reversible encryption form in any company systems [a]?
• Are passwords stored as one-way hashes constructed from passwords [a]?
Where To Look
- Identification and authentication policy;
- system security plan;
- procedures addressing authenticator management;
- procedures addressing user identification and authentication;
- system design documentation;
- list of system authenticator types;
- system configuration settings and associated documentation;
- change control records associated with managing system authenticators;
- system audit logs and records;
- other relevant documents or records.
Who To Talk To
- Personnel with authenticator management responsibilities;
- personnel with information security responsibilities;
- system or network administrators.
Perform Test On
- Mechanisms supporting or implementing authenticator management capability.
Additional Information
“Password hashing” performs a one-way transformation on a password, turning the password into another string, called the hashed password. “One-way” means that it is practically impossible to go the other way, i.e., to turn the hashed password back into the original password.
In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. The primary function of salts is to defend against precomputed attacks, such as a rainbow table attack, and to prevent an attacker from reusing work across many accounts: because each stored hash has its own salt, a guess must be hashed separately for every account. A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters. Salts are used to safeguard passwords in storage.
Historically a password was stored in plaintext on a system, but over time, additional safeguards developed to protect a user’s password against being read from the system. A new salt is randomly generated for each password and never re-used.
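The following is an added example, not part of the CMMC assessment guide, showing what a compliant password store looks like in code: each password is hashed with a fresh random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library, assumed here; scrypt or Argon2 would serve the same purpose), verification recomputes the hash from the stored salt and compares in constant time, and a simulated precomputed table recovers an unsalted fast hash but not the salted one. The record format and the word list are constructed for illustration.

```python
"""Salted one-way password storage versus an unsalted fast hash."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Work factor and sizes (constructed for this example; raise iterations as hardware allows).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: pbkdf2-sha256$iterations$salt_hex$hash_hex.

    A new random salt is generated on every call, so two users with the same
    password get different records and no precomputed table applies to both.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=HASH_BYTES)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    expected = bytes.fromhex(hash_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations),
                             dklen=len(expected))
    # hmac.compare_digest avoids leaking where the two values first differ.
    return hmac.compare_digest(dk, expected)


def unsalted_sha256(password: str) -> str:
    """The weak 'before' case: a plain unsalted fast hash, vulnerable to precomputation."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_with_precomputed_table(stored_hash_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Simulate a rainbow/lookup table: hash every candidate once, then look up the stored value.

    Against unsalted SHA-256 the same table works for every account. Against the
    salted record the table would have to be rebuilt per salt, so the lookup fails.
    """
    table = {unsalted_sha256(word): word for word in wordlist}
    return table.get(stored_hash_hex)


if __name__ == "__main__":
    # Constructed sample inputs.
    wordlist = ["password", "Welcome1", "Winter2024!", "letmein"]
    rec_alice = hash_password("Winter2024!")
    rec_bob = hash_password("Winter2024!")
    print("same password, different records:", rec_alice != rec_bob)
    print("verify correct password:", verify_password("Winter2024!", rec_alice))
    print("verify wrong password:", verify_password("winter2024!", rec_alice))
    print("table vs unsalted hash:", crack_with_precomputed_table(unsalted_sha256("Winter2024!"), wordlist))
    print("table vs salted record:", crack_with_precomputed_table(rec_alice.split("$")[-1], wordlist))
```

The iteration count is stored in the record so it can be raised over time and old records re-hashed on the user's next successful login; the salt is stored alongside the hash because it is not a secret, only a guarantee of uniqueness. Note that the slow hash does not remove the need for IA.L2-3.5.7: a weak password is still recoverable by guessing, only more slowly.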
CMMC Practice Background and References (DOD, CMU)
Practice Discussion:
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.
See NIST Cryptographic Standards and Guidelines.
CMMC References:
· NIST SP 800-171 Rev 1 3.5.10
· CIS Controls v7.1 16.4, 16.5
· NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
· CERT RMM v1.2 KIM:SG4.SP1
· NIST SP 800-53 Rev 4 IA-5(1)