IA.L2-3.5.10 Cryptographically-Protected Passwords

Store and transmit only cryptographically-protected passwords.

Source: NIST SP 800-171 Rev 2 3.5.10

Discussion: Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO].

Assessment Objectives:

Determine if:

• [a] passwords are cryptographically protected in storage; and
• [b] passwords are cryptographically protected in transit.

Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].

Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].

SPRS Score: 5

POA&M Allowed: No