IA.L2-3.5.10 — Store and transmit only cryptographically-protected passwords.
What this control requires
Store and transmit only cryptographically-protected passwords.
Source: CMMC L2 v2.13 IA.L2-3.5.10 / NIST SP 800-171 R2 3.5.10 (official control text).
Why this matters
Passwords stored in plaintext or sent unencrypted are trivial targets for anyone who gains system access, intercepts network traffic, or dumps a database. This control requires that passwords never exist in readable form. At rest they must be stored only as the output of a purpose-built password hashing function (PBKDF2, bcrypt, scrypt, or Argon2) with a unique random salt per password; a fast general-purpose hash such as unsalted MD5 or SHA-1 is not sufficient, because it can be cracked at scale with precomputed tables and GPUs. In transit they must travel only over encrypted channels such as TLS/HTTPS, which also means retiring protocols that carry passwords in the clear (HTTP basic auth, unencrypted LDAP simple bind, FTP, Telnet). Done properly, this protects credentials even when backups are stolen, databases are compromised, or traffic is captured. Done badly, every breach of a password store becomes a credential-stuffing problem for every other system where users reused the same password.
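The storage half of the control, as an added example that is not part of this page or of the FORCE platform: passwords are never written down, only a salted PBKDF2-HMAC-SHA256 derivation of them, recorded in a self-describing string so the parameters can be tightened later. The record format, the 600,000-iteration default (the OWASP minimum for this construction), and the helper names are assumptions made for the example; it uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy values for this example: PBKDF2-HMAC-SHA256, a fresh 16-byte
# random salt per password, a 32-byte derived key, 600,000 iterations.
ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a record of the form $pbkdf2-sha256$<iterations>$<salt>$<hash>.

    A new random salt is drawn for every call, so two users who choose the
    same password get different records and precomputed tables are useless.
    The plaintext is never stored.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"${ALGORITHM}${iterations}${_b64(salt)}${_b64(derived)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and parameters and compare
    in constant time. Anything that is not a well-formed record of our
    algorithm (a plaintext password, a legacy MD5 string) fails closed.
    """
    try:
        _, alg, iterations, salt_b64, hash_b64 = record.split("$")
        if alg != ALGORITHM:
            return False
        salt = _unb64(salt_b64)
        expected = _unb64(hash_b64)
        rounds = int(iterations)
    except ValueError:
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(derived, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than current policy: wrong algorithm,
    malformed, or too few iterations. Call this after a successful login and
    re-store the password with hash_password() so the store improves over time.
    """
    parts = record.split("$")
    if len(parts) != 5 or parts[1] != ALGORITHM:
        return True
    try:
        return int(parts[2]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```

The record carries its own algorithm, iteration count and salt, so raising the iteration count later does not lock anyone out: old records still verify, and `needs_rehash` flags them for upgrade on the next successful login. The same shape works for bcrypt, scrypt or Argon2 via their own libraries; the point the assessor cares about is that the stored artifact is a salted, slow, one-way derivation and never the password itself.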
What evidence assessors expect
Assessors typically look for a screenshot, configuration export, or PDF that shows, for example, the salted password hashing algorithm configured in the directory service or application, and TLS enforced on every path where a password is entered or checked (web logins, LDAP, VPN, mail). FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
See your live posture on IA.L2-3.5.10.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →