Obscure Feedback
Obscure feedback of authentication information.
What an assessor scores, the objectives
IA.L2-3.5.11 has a single assessment objective in NIST SP 800-171A, and the requirement is met only when that objective is satisfied. There is no partial credit: if the objective is not met, the whole requirement is not met.
- a.authentication information is obscured during the authentication process
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods: examine, interview, and test. For IA.L2-3.5.11, an assessor uses all three:
- Examine: identification and authentication policy; procedures addressing authenticator feedback; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records
- Interview: personnel with information security responsibilities; system or network administrators; system developers
- Test: mechanisms supporting or implementing the obscuring of feedback of authentication information during authentication
What it means, in context
The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.
Authentication information includes passwords. When users enter a password, the system displays a symbol, such as an asterisk, to obscure feedback, preventing others from seeing the actual characters. Feedback is obscured based on a defined policy (e.g., smaller devices may briefly show characters before obscuring).

Example: As a system administrator, you configure your systems to display an asterisk when users enter their passwords into a computer system [a]. For mobile devices, the password characters are briefly displayed to the user before being obscured. This prevents people from figuring out passwords by looking over someone's shoulder.

Potential assessment considerations:
- Is the feedback immediately obscured when the authentication is presented on a larger display (e.g., desktop or notebook computers with relatively large monitors) [a]?
What passing evidence looks like
Everyone has seen the masked password field. Passing evidence is a short note listing your sign-in surfaces (operating system logon, web and SSO portals, VPN, and any internal applications) and stating that each obscures authenticator feedback, backed by a screenshot of a masked prompt.
Common ways contractors fail IA.L2-3.5.11
- Effectively inherited from every modern OS and browser. The realistic way to fail is a homegrown application, script, or internal tool that echoes the password as it is typed (for example, a Python tool that collects it with input() instead of getpass, or a shell script that uses read without -s). If you have internal tools, check them.
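As an added example (this is not code from the page, from NIST, or from the Level 2 Accelerator), the following lint flags the two common echo patterns in internal tools named above: a Python input()/raw_input() call whose prompt names a secret, and a shell read of a secret without the -s flag. The SAMPLE_PY and SAMPLE_SH sources are constructed for the example, and the SECRET word list is an assumption you should tune to your own prompt wording.

```python
"""Added example (not from the page or any CMMC/NIST tool): a small lint that
flags password prompts in internal tools which echo what the user types, the
one realistic way a homegrown tool misses IA.L2-3.5.11.

Two patterns are checked:
  * Python: input() / raw_input() with a prompt that names a secret, where
    getpass.getpass() should be used instead.
  * POSIX shell: `read` whose prompt or variable names a secret and that has
    no -s flag (-s suppresses terminal echo).
The SAMPLE_* sources are constructed for this example.
"""
import re
import sys
from pathlib import Path
from typing import List, Tuple

SAMPLE_PY = '''import getpass
user = input("Username: ")
pw = input("Password: ")             # echoes the password as typed
pw2 = getpass.getpass("Password: ")  # masked: fine
'''

SAMPLE_SH = '''#!/bin/sh
read -p "Enter password: " PASSWORD       # echoes the password as typed
read -s -p "Enter password: " PASSWORD2   # -s suppresses echo: fine
echo
'''

# Prompt or variable text that indicates an authenticator is being collected
# (assumed word list; extend it to match your own prompts).
SECRET = re.compile(r"\bpass(word|phrase|code)?\b|\bpin\b|\bsecret\b|\btoken\b", re.I)
# A Python input()/raw_input() call with a literal prompt; group 2 is the prompt.
PY_INPUT = re.compile(r"\b(?:raw_)?input\(\s*(['\"])(.*?)\1")
# Single-letter option clusters after a shell `read`, e.g. "-p", "-s", "-sp".
SH_OPTS = re.compile(r"(?:^|\s)-([A-Za-z]+)")

Finding = Tuple[int, str, str]  # (line number, offending line, reason)


def _strip_comment(line: str) -> str:
    # Naive: assumes '#' does not appear inside the prompt string itself.
    return line.split("#", 1)[0].rstrip()


def scan_source(text: str, kind: str) -> List[Finding]:
    """Return echo-feedback findings for one file's contents.

    kind is "python" or "shell"; anything else yields no findings."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comment(raw)
        if kind == "python":
            for m in PY_INPUT.finditer(line):
                if SECRET.search(m.group(2)):
                    findings.append((lineno, raw.strip(),
                                     "input() echoes the secret; use getpass.getpass()"))
        elif kind == "shell":
            if re.match(r"\s*read\b", line) and SECRET.search(line):
                opts = SH_OPTS.findall(line)
                if not any("s" in o for o in opts):
                    findings.append((lineno, raw.strip(),
                                     "read without -s echoes the secret; add -s"))
    return findings


def kind_of(path: Path, first_line: str = "") -> str:
    """Classify a file by extension, falling back to its shebang line."""
    if path.suffix == ".py" or "python" in first_line:
        return "python"
    if path.suffix in {".sh", ".bash"} or (first_line.startswith("#!") and "sh" in first_line):
        return "shell"
    return "other"


def scan_tree(root: Path) -> List[Tuple[str, Finding]]:
    """Walk a source tree and collect findings as (path, finding) pairs."""
    results: List[Tuple[str, Finding]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        kind = kind_of(path, text.splitlines()[0] if text else "")
        if kind != "other":
            results.extend((str(path), f) for f in scan_source(text, kind))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(Path(sys.argv[1]))
    else:  # no directory given: run against the constructed samples
        hits = [("sample.py", f) for f in scan_source(SAMPLE_PY, "python")]
        hits += [("sample.sh", f) for f in scan_source(SAMPLE_SH, "shell")]
    for path, (lineno, line, reason) in hits:
        print(f"{path}:{lineno}: {reason}\n    {line}")
    sys.exit(1 if hits else 0)
```

Run it with a directory argument (for example the repository of an internal tool) and a non-zero exit means at least one prompt still echoes; with no argument it reports the two constructed sample findings. The regexes are deliberately simple and will miss prompts built at runtime or collected through GUI frameworks, so treat a clean run as a starting point for the review, not as the evidence itself.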
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove IA.L2-3.5.11, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
IA.L2-3.5.11 questions, answered
How many points is CMMC requirement IA.L2-3.5.11 worth?
IA.L2-3.5.11 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can IA.L2-3.5.11 be placed on a POA&M?
Yes. A gap on IA.L2-3.5.11 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does IA.L2-3.5.11 belong to?
IA.L2-3.5.11 is in the Identification & Authentication (IA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.5.11