Mapped to NIST 800-171 Requirement: 3.5.1
CMMC Assessment Objective: IA.L2-3.5.1[c]
What This Objective Means
This control ensures that password protection is technically enforced, not just assumed. It applies to both:
• Passwords in transit (during login)
• Passwords at rest (when stored by the system)
You’re required to show that system configurations are in place to prevent passwords from being exposed, compromised, or stored insecurely.
Why It Matters
If passwords are not protected:
• They can be intercepted in plaintext
• Hashes can be easily cracked if weak algorithms are used
• Insider threats can extract credentials from system files
• Compromise of one system may lead to complete network exposure
Password enforcement without protection is a security gap waiting to be exploited.
How to Implement It
1. Encrypt Passwords in Transit
• Use secure protocols like HTTPS, LDAPS, SSH, or TLS for all authentication
• Disable legacy protocols (e.g., Telnet, FTP, HTTP) that transmit data in plaintext
2. Encrypt or Hash Passwords at Rest
• Ensure stored passwords are hashed using strong cryptographic algorithms (e.g., SHA-256 or bcrypt)
• Avoid reversible encryption or cleartext storage
3. Enforce Secure Authentication Practices
• Enable PAM modules or equivalent tools to enforce password protection on Linux systems
• Use system configurations (e.g., Windows security policies) to prevent password caching in plaintext
4. Restrict Access to Credential Stores
• Limit who can access system files where passwords or hashes are stored (e.g., SAM, /etc/shadow)
• Monitor access to these files regularly
5. Disable Insecure Authentication Services
• Turn off unused or legacy authentication services that bypass modern password protections
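As an added example (it is not code from this page or from Cuick Trac), a small Python audit covering steps 2 and 4 on Linux: it classifies each /etc/shadow entry by its crypt(5) hash identifier and checks the file's ownership and mode. The sample entries are constructed and the hash bodies are placeholders, not real hashes.

```python
# Hash identifiers as documented in crypt(5); constructed baseline, adjust to your policy.
STRONG = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt"}
WEAK = {"$1$": "md5crypt"}

def classify_hash(field):
    """Classify one shadow password field as ok / weak / critical / unknown."""
    if field == "":
        return "critical", "empty password field (login without a password)"
    if field.startswith(("!", "*")):
        return "ok", "locked account or password login disabled"
    for prefix, name in STRONG.items():
        if field.startswith(prefix):
            return "ok", name
    for prefix, name in WEAK.items():
        if field.startswith(prefix):
            return "weak", name
    if len(field) == 13 and "$" not in field:
        return "weak", "traditional DES crypt"
    return "unknown", "unrecognised hash format"

def audit_shadow_lines(lines):
    """Step 2 check: (user, status, detail) for every entry that is not ok."""
    findings = []
    for raw in lines:
        fields = raw.rstrip("\n").split(":")
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        status, detail = classify_hash(fields[1])
        if status != "ok":
            findings.append((fields[0], status, detail))
    return findings

def shadow_mode_ok(mode, uid):
    """Step 4 check: root-owned, no bits for 'other', group may read but not write."""
    return uid == 0 and (mode & 0o007) == 0 and (mode & 0o020) == 0

# Constructed sample entries; hash bodies are placeholders, not real hashes.
SAMPLE = [
    "root:$6$c0nstructed$NOTAREALHASH:19000:0:99999:7:::",
    "legacy:$1$c0nstr$NOTAREALHASH:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
    "nobody:*:19000:0:99999:7:::",
    "oldapp:AbCdEfGhIjKlM:19000:0:99999:7:::",
]
```

On a live host, read /etc/shadow as root, pass its lines to audit_shadow_lines, and pass stat.S_IMODE(st_mode) and st_uid from os.stat to shadow_mode_ok; the findings list and the mode result are the kind of evidence an assessor asks for under this objective.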
Evidence the Assessor Will Look For
• Configuration files showing use of secure protocols
• Screenshots or exports from PAM, GPO, or authentication systems
• Access control settings on password storage files
• Encryption method details or password hashing policies
• Logs showing that authentication events take place over encrypted, compliant channels
Common Gaps
• Passwords stored in plaintext or reversible encryption
• Legacy systems transmitting credentials unencrypted
• Default hashing algorithms not updated
• Insecure services still enabled (e.g., HTTP login portals)
How Cuick Trac Helps
Cuick Trac supports this control by:
• Requiring encryption for all password-based authentication methods
• Storing passwords using strong hash algorithms, never in cleartext
• Enforcing system settings that prevent password exposure or retrieval
• Automatically disabling weak or legacy authentication protocols
• Providing system audit logs that confirm password protection measures are in place
Cuick Trac ensures that even if passwords are used, they’re never left exposed.
Final CTA
Strong passwords are only as good as your protection of them.
Schedule a Cuick Trac demo to see how we enforce password security from storage to login.