We were intrigued by a comment we recently received from Brian Ruthrauff on our password policy blog with regard to storing CUI system credentials in password managers:
How to reconcile the use of a password manager with CMMC IA.L2-3.5.10? The control and NIST both say to only store passwords on the system with one-way encryption. Using a password manager would be storing a password with reversable encryption and then not meeting the requirement of IA.L2-3.5.10. [NIST 800-171 3.5.10]
A Closer Look at IA.L2-3.5.10
To answer this, let’s dive into CMMC IA.L2-3.5.10 (in NIST 800-171 this control number is 3.5.10) a little deeper. The control itself only says, “Store and transmit only cryptographically-protected passwords.”
But both the NIST 800-171 and CMMC guidance for this control emphasize “All passwords must be cryptographically protected using a one-way function for storage and transmission.” One-way “hashing” helps prevent against an adversary cracking a stolen password.
But password managers don’t store hashes of your passwords; instead they store your passwords encrypted with reversible encryption. Very strong encryption, but reversible nonetheless. Otherwise, you wouldn’t be able to retrieve your saved passwords to use for logins. So, is using a password manager to store passwords that allow access to your covered Controlled Unclassified Information (CUI) systems a violation of this control?
We assumed so, but our take is that the benefits of a password manager outweigh the risk of stolen but robustly-encrypted passwords. There are also several compensating controls built into any password manager worth its salt that further mitigate the risk:
passwords encrypted with AES-256 and stored on/retrieved from local device(s)
master password stored with hashed on local device(s) only
password manager vendor has no access to your master password, so all cloud backups of passwords are irretrievable without also convincing the user to give up the master
multifactor authentication on password manager
What Does the DoD Say about storing CUI credentials in password managers?
We went ahead and posed this question to the DoD CIO office, and here is their response:
"Using a password manager is not a violation of 3.5.10 (IA.2.081); they are an accepted means of cryptographically protecting passwords, assuming the password manager employs NIST-validated cryptography per NIST SP 800-171 requirement 3.13.11. Originally 3.5.10 was worded as ‘“Store and transmit only encrypted representation of passwords.” That caused some confusion (as some thought they had to traditionally encrypt passwords rather than hash the passwords), so in Revision 1, 3.5.10 was changed to “Store and transmit only cryptographically-protected passwords” -- so hashes were now addressed. When NIST added the ‘Discussion’ to each requirement in Revision 2, the explanation for 3.5.10 was a little terse “Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords” when what it meant is that when hashing, add a salt. The wording in the ‘Discussion’ for the related control (IA-5(1)) in 800-53r5 is “Cryptographically protected passwords include salted one-way cryptographic hashes of passwords” which doesn’t imply that cryptographic hashes are the only way to cryptographically-protect passwords."
So you can use a password manager as part of your covered system. Excellent!
We asked a follow-up question regarding FIPS-validated modules in these password managers, since we are storing passwords in these tools and not the CUI itself. We asked if FIPS-compliant algorithms were sufficient. Their response:
"The passwords that are being protected by the PW manager encryption are (presumably) being used to protect the confidentiality of the CUI that is being processed on the contractor’s information system...no, a NIST compliant algorithm would not be sufficient, since it may be improperly implemented in the cryptographic module (NIST has noted that a fairly significant number of modules fail when evaluated under FIPS 140-2/3)."
Conclusion
There you have your answer: you can store CUI system credentials in password managers to help protect CUI covered systems for DFARS 7012, NIST 800-171, and CMMC compliance, but the encryption in the password manager must be FIPS-validated. The FIPS-validation requirement may potentially blow a lot of commercial password managers out of the DoD contractor market space.
If you’ve found yourself attempting to navigate through the CMMC, NIST 800-171 or DFARS 7012 jungle, we know how daunting a task this is. Come join us in one of our workshops, where we discuss how your small business can meet cybersecurity requirements and ensure future business with the DoD!
