• Requirement

    Store and transmit only cryptographically-protected passwords.

  • Discussion

    Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.

    See NIST Cryptographic Standards and Guidelines.

More Info

  • Title

    Cryptographically-Protected Passwords
  • Domain

    Identification and Authentication
  • CMMC Level

  • Related NIST 800-171 ID

  • Related NIST 800-53 ID


  • DoD Scoring Methodology Points


  • Reference Documents

    • N/A

  • Further Discussion

    All passwords must be cryptographically protected using a one-way function for storage and transmission. This type of protection changes passwords into another form, or a hashed password. A one-way transformation makes it theoretically impossible to turn the hashed password back into the original password, but inadequate complexity (IA.L2-3.5.7) may still facilitate offline cracking of hashes.


    You are responsible for managing passwords for your organization. You protect all passwords with a one-way transformation, or hashing, before storing them. Passwords are never transmitted across a network unencrypted [a,b].

    Potential Assessment Considerations

    • Are passwords prevented from being stored in reversible encryption form in any company systems [a]?
    • Are passwords stored as one-way hashes constructed from passwords [a]?

NIST 800-171A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!