IA.L2-3.5.11 — Obscure feedback of authentication information.
What this control requires
Obscure feedback of authentication information.
Source: CMMC L2 v2.13 IA.L2-3.5.11 / NIST SP 800-171 R2 3.5.11 (official control text).
Why this matters
When users enter passwords or other secrets, visible feedback creates shoulder-surfing opportunities where observers—coworkers, visitors, surveillance cameras, or screen-sharing mishaps—can capture credentials. This control mandates that authentication systems mask sensitive input so adversaries cannot harvest credentials through casual observation. The threat extends beyond physical proximity: unobscured passwords appear in screen recordings, remote desktop sessions, and presentation mode accidents. Proper obscuration prevents credential compromise from both intentional surveillance and inadvertent exposure, protecting the organization's authentication perimeter from low-effort observation attacks.
What evidence assessors expect
Assessors typically look for: screenshot, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on IA.L2-3.5.11.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →