NetStable
Level 2 IA.L2-3.5.10

Store and transmit only cryptographically-protected passwords

📖 What This Means

This control requires that every password your systems store, or transmit across a network, is protected with strong cryptography. In plain terms, passwords must never be saved or sent in plain text; they must always be scrambled (hashed or encrypted) using approved algorithms. For example, when a user creates a password, your system should immediately hash it using a method like SHA-256 before storing it. Similarly, when a user logs in, the password should travel only over an encrypted connection (such as HTTPS). A real-world example: if your company uses Active Directory, it should be configured to store passwords as NTLM hashes, not plain text. Another example: your web application login page must use TLS encryption to protect passwords in transit.
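The create-then-verify flow described above, as an added example that is not code from the page or from NetStable: it uses PBKDF2-HMAC-SHA256 (the algorithm named in the policy example further down) with a per-user random salt and a constant-time comparison. The iteration count and the stored-string layout are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an assumption for this
# example: NIST SP 800-63B only sets a minimum, so tune it to your hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash at creation time; return 'algo$iterations$salt$hash' for storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """At login: recompute with the stored salt/iterations, compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or legacy format (e.g. bare MD5/SHA-1) never verifies
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(parts[1]), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if a stored hash predates the current algorithm or iteration policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS
```

needs_rehash() lets you migrate existing hashes to stronger parameters transparently at each user's next successful login, instead of forcing a mass password reset.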

🎯 Why It Matters

Unprotected passwords are a top target for attackers. If passwords are stored or transmitted without encryption, a single breach can expose all user credentials, leading to account takeovers, data theft, and system compromises. In 2021, a major defense contractor was fined $9.6M after plaintext passwords were found in log files, exposing sensitive DoD systems. The DoD specifically requires cryptographic protection to prevent credential theft and meet CMMC Level 2 requirements. Without this control, your organization risks failing compliance audits, losing contracts, and becoming an easy target for credential-stuffing attacks (which account for 34% of all breaches, per Verizon DBIR).

✅ How to Implement

  1. In AWS: Enable password hashing in Cognito or IAM using AWS KMS (Key Management Service) with AES-256 encryption.
  2. In Azure: Configure Azure AD to store passwords using PBKDF2 hashing (Settings > Authentication Methods > Password Protection).
  3. For cloud apps: Enforce HTTPS/TLS 1.2+ for all authentication traffic (e.g., configure ALB/ELB in AWS or Azure Front Door).
  4. Use AWS Secrets Manager or Azure Key Vault to store service account passwords (never in plaintext config files).
  5. Enable logging for password-related events (e.g., AWS CloudTrail for IAM or Azure AD audit logs).
⏱️ Estimated Effort

2-3 days for SMEs (e.g., sysadmins) to configure and test. Add 1 day for documentation. Cloud implementations may be faster (1 day) due to managed services.

📋 Evidence Examples

Password Policy Document

Format: PDF/Word
Frequency: Annual review
Contents: Explicit statement requiring cryptographic protection for stored/transmitted passwords, with approved algorithms listed (e.g., 'Passwords must be hashed with PBKDF2-HMAC-SHA256').
Collection: Export from policy management system or HR portal.

Active Directory Password Settings Screenshot

Format: PNG/JPEG
Frequency: After each change
Contents: GPO showing 'Store passwords using reversible encryption' set to Disabled.
Collection: Screenshot from Group Policy Management Console.

TLS Configuration Test Report

Format: PDF
Frequency: Quarterly
Contents: SSL Labs or Nessus scan showing TLS 1.2+ enforced on login pages.
Collection: Run scan at https://www.ssllabs.com/ssltest/.

Code Review for Password Handling

Format: PDF
Frequency: Per release
Contents: Excerpts showing password hashing implementation (e.g., 'bcrypt.hashpw()' in Python).
Collection: Static code analysis tool output or manual review.

Incident Response Log

Format: CSV
Frequency: Per incident
Contents: Records of investigations into plaintext password findings (e.g., '2023-05-01: Removed plaintext passwords from Jenkins config').
Collection: Export from ticketing system (Jira, ServiceNow).

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For IA.L2-3.5.10 ("Store and transmit only cryptographically-protected passwords"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how users, devices, and processes are identified and authenticated, including your IAM platform, password policies, MFA implementation, certificate management, and service account controls. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"IA.L2-3.5.10 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to store and transmit only cryptographically-protected passwords. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"IA.L2-3.5.10 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to store and transmit only cryptographically-protected passwords. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"IA.L2-3.5.10 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • β€’ Identify all authentication entry points (local login, VPN, cloud, API)
  • β€’ Document the identity provider(s) and authentication flow
  • β€’ Specify MFA methods and coverage
  • β€’ Ensure this control covers all systems within your defined CUI boundary where store and transmit only cryptographically-protected passwords applies
  • β€’ Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Identification and Authentication Policy
  • 📄 Password policy configuration
  • 📄 MFA enrollment records
  • 📄 Service account registry
  • 📄 Evidence artifacts specific to IA.L2-3.5.10
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will test authentication mechanisms, verify MFA is enforced for required access paths, check password policy configuration, and review service account documentation.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Are all passwords stored using FIPS 140-2 validated cryptographic hashes (e.g., PBKDF2, bcrypt)?

✅ YES → Proceed to Q2.
❌ NO → GAP: Implement password hashing in all systems. Start with critical systems (AD, databases) within 30 days.
Remediation:
Use Microsoft's NTLM or third-party libraries like libsodium for hashing.

Question 2: Is TLS 1.2 or higher enforced for all password transmissions?

✅ YES → Proceed to Q3.
❌ NO → GAP: Update web server/configs to disable TLS 1.0/1.1. Complete within 14 days.
Remediation:
Use Qualys SSL Test to identify weak protocols, then configure IIS/Apache/Nginx.

Question 3: Have you verified no systems store passwords in plaintext (including logs, configs, backups)?

✅ YES → Proceed to Q4.
❌ NO → GAP: Conduct a plaintext password scan using tools like TruffleHog. Remediate findings within 7 days.
Remediation:
Delete exposed passwords, rotate credentials, and update logging filters.

Question 4: Is there documented evidence of cryptographic controls for passwords?

✅ YES → Proceed to Q5.
❌ NO → GAP: Create a Password Protection Standard document. Draft within 10 days.
Remediation:
Use NIST SP 800-63B as a template for requirements.

Question 5: Have all IT staff received training on proper password handling?

✅ YES → COMPLIANT.
❌ NO → GAP: Schedule mandatory training within 21 days. Track completions.
Remediation:
Use CMMC AB-provided training modules or internal sessions.

⚠️ Common Mistakes (What Auditors Flag)

1. Plaintext passwords in application logs.

Why this happens: Debug logging includes raw authentication requests.
How to avoid: Configure log filters to redact passwords before they reach any handler (e.g., log4j2 PatternLayout: %replace{%msg}{(password=)[^&]*}{$1*****}).
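The same redaction idea as an added example, not code from the page or from NetStable: a Python logging filter exercised on constructed log lines. It generalizes the single password= pattern above to JSON bodies and Authorization headers; the field-name list and the regexes are assumptions for this example.

```python
import logging
import re

# Credential field names to redact; an assumption for this example, extend per app.
_FIELDS = r"(?:password|passwd|pwd|secret|api_key|token)"

# (pattern, replacement) rules; group 1 keeps the field name so logs stay readable.
_RULES = [
    # password=hunter2&next=/   (query strings, form bodies, key=value logs)
    (re.compile(rf"({_FIELDS}=)[^&\s]*", re.I), r"\1*****"),
    # "password": "hunter2"     (JSON request bodies dumped by debug logging)
    (re.compile(rf'("{_FIELDS}"\s*:\s*")[^"]*', re.I), r"\1*****"),
    # Authorization: Basic dXNlcjpodW50ZXIy   (Basic auth is only base64, not encrypted)
    (re.compile(r"(Authorization:\s*(?:Basic|Bearer)\s+)\S+", re.I), r"\1*****"),
]


def redact(text: str) -> str:
    """Return text with every credential value replaced by ***** (field names kept)."""
    for pattern, repl in _RULES:
        text = pattern.sub(repl, text)
    return text


class PasswordRedactingFilter(logging.Filter):
    """Rewrites each record's message before the handler (file, SIEM) writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted; drop the raw args
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    # Attach to the handler, so records propagated from child loggers are covered too.
    logging.getLogger().handlers[0].addFilter(PasswordRedactingFilter())
    # Constructed sample lines of the kind debug logging leaks
    logging.debug("POST /login user=alice&password=hunter2&next=/")
    logging.debug("body=%s", '{"user": "alice", "password": "hunter2"}')
    logging.debug("Authorization: Basic YWxpY2U6aHVudGVyMg==")
```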

2. Using deprecated hashing (MD5, SHA-1).

Why this happens: Legacy systems or default configurations.
How to avoid: Upgrade to PBKDF2, bcrypt, or Argon2. For AD, ensure 'Store passwords using reversible encryption' is disabled.

3. Missing TLS on internal password transmissions.

Why this happens: Assuming internal networks are safe.
How to avoid: Encrypt all LDAP, database, and API authentication traffic (e.g., use LDAPS instead of LDAP).

4. No evidence of cryptographic validation.

Why this happens: Focusing only on implementation, not documentation.
How to avoid: Save screenshots of hash settings and TLS configs during audits.

5. Service accounts with plaintext passwords in scripts.

Why this happens: Convenience over security.
How to avoid: Use credential vaults (AWS Secrets Manager, HashiCorp Vault) or managed identities.

📚 Parent Policy

This practice is governed by the Identification and Authentication Policy


📚 Related Controls