IA.L2-3.5.10: Cryptographically-Protected Passwords
Storing passwords in plain text is a critical vulnerability that puts your organization at immediate risk. CMMC Level 2 control IA.L2-3.5.10 requires that all passwords be cryptographically protected during storage and transmission. This control is essential for protecting sensitive information and maintaining compliance in defense contractor supply chains.
What this means
This control mandates that passwords must never be stored or transmitted in readable form. Instead, organizations must use cryptographic methods such as hashing algorithms (SHA-256 or stronger) with salting to protect password data at rest, and encryption (TLS/SSL) to protect passwords in transit. Plain text password storage or unencrypted transmission violates this requirement.
How to comply
- 1.Implement a password management system that uses industry-standard hashing algorithms (PBKDF2, bcrypt, or Argon2) with unique salt values for each password.
- 2.Enforce encryption for all password transmission using TLS 1.2 or higher for HTTPS connections and encrypted protocols for internal systems.
- 3.Configure authentication systems and databases to never store passwords in plain text or reversible formats.
- 4.Conduct a password storage audit across all systems and applications to identify and remediate any instances of unencrypted password storage.
- 5.Establish a password policy requiring periodic updates and prohibiting password sharing or reuse across systems.
- 6.Document all cryptographic methods used for password protection, including algorithm types, salt usage, and encryption protocols.
Evidence auditors look for
- System logs and configuration files showing hashing algorithms and salt values in use for stored passwords
- TLS/SSL certificates and network traffic captures demonstrating encrypted password transmission
- Database schemas and application source code reviews confirming no plain text password storage
- Password management system documentation detailing cryptographic implementations
- Security audit reports confirming compliance with password encryption requirements
- Policies and procedures governing password storage and transmission security
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically scans your systems to detect plain text passwords, validates encryption protocols in use, and generates evidence of compliance with IA.L2-3.5.10 for your CMMC assessment.
See how GRCWatch handles this control automatically
Start free trial