NIST SP 800-171

Control 3.5.10

Store and Transmit Only Cryptographically-Protected Passwords


Official Requirement

Store and transmit only cryptographically-protected passwords.

What This Means in Plain English

Passwords must never be stored or sent in plain text. They must be protected with a one-way hash when stored and sent only over an encrypted channel such as TLS when transmitted. If an attacker obtains the password database, they should not be able to recover the actual passwords from it.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Active Directory storing passwords using irreversible NTLM and Kerberos hashing
  • Microsoft Entra ID using bcrypt hashing for cloud password storage
  • TLS 1.2+ required for all authentication traffic including LDAPS for directory queries
  • Reversible encryption disabled in Active Directory password settings
  • Vault-based secret management for application passwords and API keys preventing plain-text storage

Assessment Guidance

Assessors will verify that reversible encryption is disabled in AD, check that all authentication traffic is encrypted (no LDAP without TLS), review application configurations for plain-text password storage, and test that credentials are not transmitted in cleartext.

Common Implementation Gaps

  • Passwords stored in plain text in scripts or configuration files
  • LDAP used without TLS (plain-text credential transmission)
  • Reversible encryption enabled in Active Directory
  • Applications storing passwords in clear text databases
  • Credentials transmitted via unencrypted email or chat
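The first two gaps above are the kind an assessor finds by reading configuration files. The following is an added example, not code from the page or from Petronella: a small Python audit that flags credential keys holding a literal value and directory URLs using ldap:// rather than ldaps://. The sample file, hostnames and key names are constructed, and treating vault:// and ${VAR} values as acceptable references to a secret store is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration, the kind of file reviewed under 3.5.10.
SAMPLE_CONFIG = """\
[directory]
url = ldap://dc01.corp.example:389
bind_dn = CN=svc-app,OU=Service,DC=corp,DC=example
bind_password = Winter2024!

[backup]
url = ldaps://dc02.corp.example:636
bind_password = vault://secrets/svc-backup

[api]
api_key = ${API_KEY}
"""

# Keys whose value is a credential if it is a literal rather than a reference.
CREDENTIAL_KEY = re.compile(
    r"^([\w.-]*(?:password|passwd|pwd|secret|api_key|token)[\w.-]*)\s*=\s*(.+?)\s*$", re.I)
# Assumed safe forms: a vault reference or an environment-variable placeholder.
SAFE_REFERENCE = re.compile(r"^(?:vault://|\$\{[A-Z0-9_]+\}$|\$[A-Z0-9_]+$)")
# Keys that carry a connection URL; ldap:// means cleartext LDAP unless StartTLS is forced.
URL_KEY = re.compile(r"^[\w.-]*(?:url|uri|server|host)[\w.-]*\s*=\s*(\S+)", re.I)

@dataclass
class Finding:
    line: int   # 1-based line number in the scanned text
    gap: str    # which 3.5.10 gap the line exhibits
    text: str   # key name or URL; never the credential value itself

def audit_config(text: str) -> list[Finding]:
    """Return one Finding per line that stores or transmits a credential unprotected."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = CREDENTIAL_KEY.match(line)
        if m and not SAFE_REFERENCE.match(m.group(2)):
            # Report the key, not the value, so the audit output does not leak the secret.
            findings.append(Finding(n, "plaintext-credential", m.group(1)))
        u = URL_KEY.match(line)
        if u and u.group(1).lower().startswith("ldap://"):
            findings.append(Finding(n, "ldap-without-tls", u.group(1)))
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.gap}: {f.text}")
```

A client that negotiates StartTLS on an ldap:// URL is a false positive here, since only ldaps:// is treated as protected; confirm any flagged URL against the client's TLS setting before recording a gap.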

Cross-Framework Mapping

Framework        Mapped Controls
NIST SP 800-53   IA-5(1)
HIPAA            164.312(d) - Person or Entity Authentication
PCI DSS          Req 8.2.1 - Render all authentication credentials unreadable during storage
