IA.L2-3.5.10 · NIST SP 800-171 3.5.10

Cryptographically-protected Passwords

Store and transmit only cryptographically-protected passwords.

5 points if not met · Must be fully met, cannot POA&M · 2 assessment objectives

What an assessor scores, the objectives

IA.L2-3.5.10 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. passwords are cryptographically protected in storage
  • b. passwords are cryptographically protected in transit

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For IA.L2-3.5.10, an assessor uses these:

Examine

Identification and authentication policy; system security plan; procedures addressing authenticator management; procedures addressing user identification and authentication; system design documentation; list of system authenticator types; system configuration settings and associated documentation; change control records associated with managing system authenticators; system audit logs and records; other relevant documents or records

Interview

Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators

Test

Mechanisms supporting or implementing authenticator management capability

What it means, in context

Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See NIST Cryptographic Standards and Guidelines.

All passwords must be cryptographically protected using a one-way function for storage and transmission. This type of protection changes passwords into another form, or a hashed password. A one-way transformation makes it theoretically impossible to turn the hashed password back into the original password, but inadequate complexity (IA.L2-3.5.7) may still facilitate offline cracking of hashes.

Example

You are responsible for managing passwords for your organization. You protect all passwords with a one-way transformation, or hashing, before storing them. Passwords are never transmitted across a network unencrypted [a,b].

Potential Assessment Considerations

  • Are passwords prevented from being stored in reversible encryption form in any company systems [a]?
  • Are passwords stored as one-way hashes constructed from passwords [a]?

What passing evidence looks like

A note that passwords are stored and transmitted only in cryptographically protected form: platform hashing inherited from Entra or Google, TLS in transit, and no plaintext password files anywhere.

Common ways contractors fail IA.L2-3.5.10

  • The five point failure mode is the passwords spreadsheet or passwords in email. A password manager for the team plus the inherited platform protection note answers this; hunt down and delete the plaintext stash first.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove IA.L2-3.5.10, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

IA.L2-3.5.10 questions, answered

How many points is CMMC requirement IA.L2-3.5.10 worth?

IA.L2-3.5.10 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can IA.L2-3.5.10 be placed on a POA&M?

No. IA.L2-3.5.10 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does IA.L2-3.5.10 belong to?

IA.L2-3.5.10 is in the Identification & Authentication (IA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.5.10