
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.10

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.10

January 06, 2026

Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.10 – Store and transmit only cryptographically protected passwords.

Understanding the Requirement

This control requires that passwords never be kept or sent in clear text: they must be stored using cryptographic protections (one-way hashes using modern key‑derivation functions) and transmitted only over encrypted channels. For small and medium businesses following NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, the practical objective is twofold: ensure stored credentials are resistant to offline attacks, and ensure credentials are protected while moving across the network so an attacker cannot capture them in transit.

Technical Implementation

  • Inventory your authentication stores and services. Identify all systems that persist or forward passwords (directory services, applications, databases, backup files, third‑party SaaS connectors). Document how each stores passwords (one‑way hash, reversible encryption, plaintext). Prioritize remediation where passwords are stored reversibly or in plaintext.

  • Use modern one‑way hashing/KDFs for stored passwords. For in‑house apps or systems you control, replace weak hashing (MD5, SHA-1, or unsalted SHA-256) with a purpose-built KDF such as bcrypt, scrypt, or Argon2, or PBKDF2 with a high iteration count. Ensure each password has a unique random salt and a sufficient work factor so that offline cracking is expensive for an attacker.

  • Ensure password transmission is encrypted. Require TLS 1.2+ (preferably 1.3) for all authentication traffic: web logins, API calls, LDAP binds (use LDAP over TLS/LDAPS or StartTLS), SMTP AUTH, RDP, and any client-server authentication. Disable legacy protocols (SSLv3, TLS 1.0/1.1) and weak ciphers on servers and appliances.

  • Prevent accidental leakage of secrets. Do not log passwords or include them in error messages, emails, or configuration files in plaintext. Encrypt backups, exports, and configuration repositories that may contain credentials or hashed credentials. Use secure flags for session cookies and mark authentication cookies as HttpOnly and Secure.

  • Limit the systems that handle raw passwords. Where possible, implement federated SSO or delegated authentication (OAuth, SAML, OpenID Connect) so applications do not directly store or process user passwords. For SMBs that use directory services (e.g., Active Directory), confirm directory replication and transport use secure channels and follow vendor hardening guidance.

  • Verify and test your controls. Perform regular checks: review password storage configurations, scan services to ensure TLS is enforced (test cipher suites and protocol versions), and do targeted packet captures in a lab to confirm credentials aren’t sent in the clear. Include these checks in change control and patch cycles.
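The hashing step above, as an added example that is not code from the original article: salted PBKDF2-HMAC-SHA256 from the Python standard library (chosen because it needs no third-party package; bcrypt or Argon2id through their libraries satisfy the control equally well), constant-time verification, and a migrate-on-login path that goes one step beyond the text by upgrading a legacy unsalted SHA-256 record the next time its owner authenticates successfully. The record format, the 600,000-iteration work factor, and the `sha256$` legacy prefix are assumptions made for this example.

```python
"""Storing passwords for IA.L2-3.5.10: salted PBKDF2-HMAC-SHA256 with a
high work factor, constant-time verification, and transparent upgrade of
legacy unsalted SHA-256 records at the next successful login.

Added example; standard library only. The record format, the iteration
count and the "sha256$" legacy prefix are assumptions made for this example."""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per record
DKLEN = 32             # derived-key length in bytes


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the record's own salt and iterations."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def legacy_sha256(password: str) -> str:
    """The weak, unsalted scheme being retired; kept only so it can be migrated."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def needs_rehash(record: str) -> bool:
    """True when the record uses a retired algorithm or a work factor below policy."""
    parts = record.split("$")
    return parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS


def authenticate(password: str, record: str) -> tuple[bool, str]:
    """Check the password and return (ok, record_to_store).

    On success against a legacy or under-provisioned record, the returned
    record is a fresh PBKDF2 record to write back, so the store heals
    itself as users log in."""
    if record.startswith(ALGORITHM + "$"):
        ok = verify_password(password, record)
    elif record.startswith("sha256$"):
        ok = hmac.compare_digest(legacy_sha256(password), record)
    else:
        ok = False   # plaintext or unknown format: never accept, force a reset
    if ok and needs_rehash(record):
        return True, hash_password(password)
    return ok, record


if __name__ == "__main__":
    # Constructed demo: a legacy record is upgraded on the first good login.
    old = legacy_sha256("correct horse battery staple")
    ok, new = authenticate("correct horse battery staple", old)
    print(ok, new.split("$")[0], "needs_rehash:", needs_rehash(new))
```

Because every record carries its own algorithm and iteration count, the work factor can be raised later without a forced password reset: `needs_rehash` flags the old records and `authenticate` rewrites them as users sign in.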

Example in a Small or Medium Business

Acme Design is a 60‑person SMB using an on‑premises Active Directory domain controller and several internal web apps. The IT lead first inventories all places passwords live — AD, an internal helpdesk app, a legacy payroll system, and backups. They confirm Active Directory stores credentials as one‑way hashes by default and enable LDAPS (LDAP over TLS) so directory queries and binds are encrypted. For the helpdesk and payroll apps that previously stored hashed passwords with weak settings, the team replaces the storage mechanism with bcrypt and adds unique salts to each account. They also configure all web applications to use HTTPS only, disable TLS 1.0/1.1 on servers, and enforce secure cookie flags. Backups containing credential data are encrypted with full‑disk encryption and access is limited to a small number of administrators. Finally, Acme documents these changes, schedules quarterly tests to verify TLS enforcement and hashing parameters, and moves toward an SSO solution so fewer systems need to store passwords directly.
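For the quarterly verification Acme schedules, and for the "prevent accidental leakage" and "verify and test" steps above, here is an added example (not the article's or any vendor's code) of two checks an SMB can script: classifying every record in an exported credential store by how it is protected, and finding plaintext credentials that have leaked into log or configuration lines. The record prefixes, the policy thresholds, and the sample store and log lines are constructed for illustration.

```python
"""Verification checks for IA.L2-3.5.10: classify how every record in an
exported credential store is protected, and find plaintext credentials that
leaked into logs or configuration files.

Added example; standard library only. The record prefixes, the policy
thresholds and the sample data are constructed for illustration."""
import re
from dataclasses import dataclass

# Policy thresholds assumed for this example
MIN_PBKDF2_ITERATIONS = 600_000
MIN_BCRYPT_COST = 10


@dataclass
class Finding:
    subject: str    # account name
    severity: str   # "high": plaintext/reversible, "medium": weak hash, "ok": acceptable
    detail: str


def classify_record(username: str, record: str) -> Finding:
    """Decide whether one stored password record satisfies the control."""
    if record.startswith("$argon2id$"):
        return Finding(username, "ok", "argon2id")
    m = re.match(r"^\$2[aby]\$(\d\d)\$", record)          # bcrypt modular-crypt prefix
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return Finding(username, "medium", f"bcrypt cost {cost} below {MIN_BCRYPT_COST}")
        return Finding(username, "ok", f"bcrypt cost {cost}")
    m = re.match(r"^pbkdf2_sha256\$(\d+)\$", record)      # assumed self-describing PBKDF2 format
    if m:
        iters = int(m.group(1))
        if iters < MIN_PBKDF2_ITERATIONS:
            return Finding(username, "medium",
                           f"PBKDF2 iterations {iters} below {MIN_PBKDF2_ITERATIONS}")
        return Finding(username, "ok", f"PBKDF2 iterations {iters}")
    m = re.match(r"^(md5|sha1|sha256)\$", record)          # unsalted fast hashes
    if m:
        return Finding(username, "medium", f"legacy unsalted {m.group(1)}")
    if record.startswith("enc:"):                          # assumed marker for reversible encryption
        return Finding(username, "high", "reversible encryption: password is recoverable")
    return Finding(username, "high", "plaintext or unrecognised format")


def audit_password_store(store: dict[str, str]) -> list[Finding]:
    """Return only the records that need remediation, worst first."""
    order = {"high": 0, "medium": 1}
    findings = [classify_record(u, r) for u, r in store.items()]
    return sorted((f for f in findings if f.severity != "ok"),
                  key=lambda f: order[f.severity])


# Patterns that catch the usual ways a credential ends up in a log line
CREDENTIAL_PATTERNS = [
    (re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"), r"\1=[REDACTED]"),
    (re.compile(r'(?i)"(password|passwd)"\s*:\s*"[^"]*"'), r'"\1": "[REDACTED]"'),
    (re.compile(r"(?i)authorization:\s*basic\s+[A-Za-z0-9+/=]+"),
     "Authorization: Basic [REDACTED]"),
]


def find_leaked_credentials(lines) -> list[tuple[int, str]]:
    """Return (line_number, redacted_line) for every line carrying a credential.

    The redacted form is what should have been written in the first place;
    the original line is evidence that a logger or config needs fixing."""
    hits = []
    for number, line in enumerate(lines, 1):
        redacted = line
        for pattern, replacement in CREDENTIAL_PATTERNS:
            redacted = pattern.sub(replacement, redacted)
        if redacted != line:
            hits.append((number, redacted))
    return hits


# Constructed sample data (not real accounts, hashes or logs)
SAMPLE_STORE = {
    "alice": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g",
    "bob":   "$2b$12$" + "X" * 53,                  # bcrypt, cost 12
    "carol": "pbkdf2_sha256$100000$00ff$aa",       # PBKDF2 with too few iterations
    "dave":  "sha256$deadbeef",                    # legacy unsalted hash
    "erin":  "enc:U2FsdGVk",                       # reversibly encrypted
    "frank": "Summer2024!",                        # plaintext
}
SAMPLE_LOG_LINES = [
    "2026-01-06T10:01:02Z INFO login ok user=alice",
    "2026-01-06T10:01:05Z DEBUG ldap bind dn=cn=svc,dc=acme password=Hunter2!",
    '2026-01-06T10:02:11Z DEBUG request body {"user": "bob", "password": "s3cret"}',
    "2026-01-06T10:03:00Z DEBUG headers Authorization: Basic Ym9iOnMzY3JldA==",
]

if __name__ == "__main__":
    for f in audit_password_store(SAMPLE_STORE):
        print(f.severity.upper(), f.subject, f.detail)
    for n, line in find_leaked_credentials(SAMPLE_LOG_LINES):
        print(f"log line {n} carried a credential; safe form: {line}")
```

The store audit produces the evidence an assessor will ask for (which accounts are protected how, and which remediation is outstanding); the log check is worth running against backups and configuration repositories as well as live logs, since those are the copies that leave the building.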

Summary

By inventorying credential stores, applying strong one‑way hashing/KDFs with unique salts, encrypting all authentication traffic with modern TLS, and reducing the number of systems that handle raw passwords, SMBs can satisfy IA.L2-3.5.10. These policy and technical measures together protect passwords from offline cracking if a database is breached, and stop attackers from capturing credentials in transit — closing the two primary attack paths this control is designed to mitigate.
