NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here

AC-3.5.10 Store and transmit only cryptographically-protected passwords.

Control Family: Identification and Authentication

Control Type: Derived

SPRS Value: 5

SPRS Supplemental Guidance:

Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords

CMMC Level(s):

IA.L2-3.5.10

Top Ten Failed Requirement:

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

IA-5(1)

NIST Supplemental Guidance:

[NIST CRYPTO]

Discussion:

Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO].

Upon assessment, assessors must determine if-

3.5.10[a] passwords are cryptographically protected in storage.
3.5.10[b] passwords are cryptographically protected in transit.

Assessors are instructed to-

Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system configuration settings and associated documentation; system design documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].

Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].

NIST Special Publication 800-171 Revision 2

AC-3.5.10 Store and transmit only cryptographically-protected passwords.

Control Families

3.1: Access Control

3.2: Awareness and Training

3.3: Audit and Accountability

3.4: Configuration Management

3.5: Identification and Authentication

3.6: Incident Response

3.7: Maintenance

3.8: Media Protection

3.9: Personnel Security

3.10: Physical Protection

3.11: Risk Assessment

3.12: Security Assessment

3.13: System and Communications Protection

3.14: System and Information Integrity