To answer this, let’s dive into CMMC IA.L2-3.5.10 (in NIST 800-171 this control number is 3.5.10) a little deeper. The control itself only says, “Store and transmit only cryptographically-protected passwords.”
But both the NIST 800-171 and CMMC guidance for this control emphasize “All passwords must be cryptographically protected using a one-way function for storage and transmission.” One-way “hashing” helps protect against an adversary cracking a stolen password, because a hash cannot be reversed back into the password it was computed from.
But password managers don’t store hashes of your passwords; instead they store your passwords encrypted with reversible encryption. Very strong encryption, but reversible nonetheless. Otherwise, you wouldn’t be able to retrieve your saved passwords to use for logins. So, is using a password manager to store passwords that allow access to your covered Controlled Unclassified Information (CUI) systems a violation of this control?
We assumed so, but our take is that the benefits of a password manager outweigh the risk of stolen but robustly-encrypted passwords. There are also several compensating controls built into any password manager worth its salt that further mitigate the risk:
- passwords encrypted with AES-256 and stored on/retrieved from local device(s)
- master password stored only as a one-way hash, and only on local device(s)
- password manager vendor has no access to your master password, so all cloud backups of passwords are irretrievable without also convincing the user to give up the master
- multifactor authentication on the password manager
What Does the DoD Say About Storing CUI Credentials in Password Managers?
We went ahead and posed this question to the DoD CIO office, and here is their response:
So you can use a password manager as part of your covered system. Excellent!
We asked a follow-up question regarding FIPS-validated modules in these password managers, since we are storing passwords in these tools and not the CUI itself. We asked if FIPS-compliant algorithms were sufficient. Their response:
There you have your answer: you can store CUI system credentials in password managers to help protect CUI covered systems for DFARS 7012, NIST 800-171, and CMMC compliance, but the encryption in the password manager must be FIPS-validated. That FIPS-validation requirement may well knock a lot of commercial password managers out of the DoD contractor market.
If you’ve found yourself attempting to navigate through the CMMC, NIST 800-171 or DFARS 7012 jungle, we know how daunting a task this is. Come join us in one of our workshops, where we discuss how your small business can meet cybersecurity requirements and ensure future business with the DoD!