NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors who are subject to 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
3.5.10 Store and transmit only cryptographically-protected passwords.
Control Family: Identification and Authentication
Control Type: Derived
SPRS Value: 5
SPRS Supplemental Guidance:
Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords.
CMMC Level(s): IA.L2-3.5.10
Top Ten Failed Requirement: No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
IA-5(1)
NIST Supplemental Guidance:
[NIST CRYPTO]
Discussion:
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO].
Upon assessment, assessors must determine if:
3.5.10[a] passwords are cryptographically protected in storage.
3.5.10[b] passwords are cryptographically protected in transit.
Assessors are instructed to:
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system configuration settings and associated documentation; system design documentation; password configurations and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
FURTHER DISCUSSION
All passwords must be cryptographically protected using a one-way function for storage and transmission. This type of protection transforms each password into a different value, the hashed password, and a one-way function is designed so that the original password cannot be recovered from that value. It does not stop an attacker who obtains the hashes from guessing candidate passwords and hashing each one to look for a match, so inadequate complexity (IA.L2-3.5.7) may still facilitate offline cracking of the hashes; salting each hash (see the Discussion above) prevents a single precomputed table or a single cracked hash from exposing every account that shares a password.
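The following Python is an added illustration of what 3.5.10[a] asks for in storage; it is not code from NIST, the CMMC assessment guide, or this page. It stores a salted, one-way PBKDF2-HMAC-SHA256 record and verifies a login against it, and contrasts that with a bare unsalted digest of the kind an assessor should flag. The iteration count (600,000, following current OWASP guidance), the salt and key lengths, and the `alg$iterations$salt$hash` record layout are assumptions chosen for the example; the requirement itself mandates only that the stored form be salted and one-way. The sample password is constructed. Transmission protection ([b]) is a transport-layer matter (TLS) and is not shown here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor and sizes assumed for this example; 3.5.10 does not mandate
# them. 600,000 PBKDF2-HMAC-SHA256 iterations follows current OWASP guidance;
# the requirement is only that the stored form is salted and one-way.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32
ALG_TAG = "pbkdf2_sha256"  # assumed record tag, not a standard identifier


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted, one-way record suitable for storage (3.5.10[a]).

    The record carries its own algorithm tag, iteration count and salt, so
    the work factor can be raised later without invalidating older records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_LEN)
    return "$".join([ALG_TAG, str(PBKDF2_ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare it
    in constant time. A malformed record is rejected, never guessed at."""
    try:
        alg, iterations, salt_b64, key_b64 = record.split("$")
        if alg != ALG_TAG:
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:  # wrong field count, non-integer count, bad base64
        return False
    if iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The storage form an assessor should flag under [a]: a bare, unsalted,
    fast digest. It is still one-way, but every account with the same password
    gets the same digest, so one precomputed table exposes all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def main() -> None:
    pw = "correct horse battery staple"  # constructed sample password
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("stored record:", rec1)
    print("same password, different salts, different records:", rec1 != rec2)
    print("verify correct password:", verify_password(pw, rec1))
    print("verify wrong password:  ", verify_password(pw + "!", rec1))
    print("verify garbage record:  ", verify_password(pw, "md5$deadbeef"))
    print("unsalted digests collide:", unsalted_sha256(pw) == unsalted_sha256(pw))


if __name__ == "__main__":
    main()
```

Two points worth checking during an assessment follow directly from the code: two users with the same password must produce different stored records (the salt is doing its job), and the comparison on login must be constant-time (`hmac.compare_digest`), since a byte-by-byte early-exit compare leaks information about the stored hash through timing.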
Example
You are responsible for managing passwords for your organization. You protect all passwords with a one-way transformation, or hashing, before storing them. Passwords are never transmitted across a network unencrypted [a,b].
Potential Assessment Considerations
Are passwords prevented from being stored in reversible encryption form in any company systems [a]?
Are passwords stored as one-way hashes constructed from passwords [a]?
Frameworks & Controls
3.5: Identification and Authentication
3.5.1 Identify system users, processes acting on behalf of users, and devices.
3.5.6 Disable identifiers after a defined period of inactivity.
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.10 Store and transmit only cryptographically-protected passwords.