3.5.11
Requirement
Obscure feedback of authentication information during the authentication process.
Discussion
Authentication feedback does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For example, for desktop or notebook systems with relatively large monitors, the threat may be significant (commonly referred to as shoulder surfing). For mobile devices with small displays, this threat may be less significant and is balanced against the increased likelihood of input errors due to small keyboards. Therefore, the means of obscuring authenticator feedback is selected accordingly. Obscuring feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a limited time before fully obscuring it.
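One way to check web login forms against this requirement is to look for fields that collect a password or PIN but are not rendered as `type="password"`, so the browser echoes every keystroke. The following is an added example, not part of the NIST text; the hint pattern, the names `FeedbackAudit` and `audit_form`, and the sample form are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic: attribute text suggesting the field carries an authenticator.
SECRET_HINT = re.compile(
    r"passw|passcode|passphrase|secret|(?<![a-z])pin(?![a-z])", re.I)
# Credential tokens of the HTML autocomplete attribute.
SECRET_AUTOCOMPLETE = {"current-password", "new-password"}
# Input types that either obscure typed text or take no typed text at all.
NON_ECHOING = {"password", "hidden", "submit", "button", "checkbox", "radio"}

class FeedbackAudit(HTMLParser):
    """Collect <input> fields that look like authenticators but echo typed text."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, field name or id, input type)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        input_type = a.get("type", "text").lower()
        if input_type in NON_ECHOING:
            return
        label = " ".join(a.get(k, "") for k in
                         ("name", "id", "placeholder", "aria-label"))
        tokens = set(a.get("autocomplete", "").lower().split())
        if SECRET_HINT.search(label) or tokens & SECRET_AUTOCOMPLETE:
            line, _ = self.getpos()
            self.findings.append(
                (line, a.get("name") or a.get("id") or "?", input_type))

def audit_form(html):
    """Return the findings for one HTML document."""
    parser = FeedbackAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample form: three fields echo authenticator input in clear text.
SAMPLE = """<form>
  <input type="text" name="username" autocomplete="username">
  <input type="text" name="password">
  <input type="password" name="confirm_password">
  <input name="user_pin" placeholder="PIN">
  <input type="text" name="shipping_address">
  <input type="email" id="recovery" autocomplete="current-password">
</form>"""

if __name__ == "__main__":
    for line, field, input_type in audit_form(SAMPLE):
        print(f"line {line}: '{field}' is type={input_type}; input is not obscured")
```

A finding is a prompt for review rather than a verdict: a field may be obscured by other means, such as a deliberate show-password toggle or feedback that is displayed for a limited time before being hidden.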
NIST 800-171A r3 Assessment Guidance