What does IA.L2-3.5.10 require for CMMC Level 2?

Passwords must be protected cryptographically when stored (using approved hash algorithms) and when transmitted (using encrypted protocols like HTTPS or TLS). Plain text passwords in files or unencrypted transmission is not acceptable.

What evidence do I need for IA.L2-3.5.10?

Documentation of your password storage and transmission methods, configuration showing HTTPS/TLS is used for authentication, Active Directory or identity provider documentation showing password hashing is used, credential vault documentation.

What's the most common failure for IA.L2-3.5.10?

Passwords stored in plain text in files, shared documents, or spreadsheets. Passwords transmitted over unencrypted connections. Legacy systems that use weak hashing or transmission methods.

IA.L2-3.5.10

IA.L2-3.5.10: Cryptographically-Protected Passwords

Store and transmit passwords using approved cryptographic methods.

Updated March 30, 2026

Passwords must be protected at rest and in transit. At rest, they should be hashed using approved algorithms. In transit, they should be encrypted using TLS or similar. This is mostly handled automatically by modern systems. Windows hashes passwords. Cloud providers use approved methods. The failure usually comes from legacy applications or manual password storage (spreadsheets, documents).

The assessor wants to hear that you’re not storing passwords in plain text and that you’re using TLS or HTTPS for authentication traffic. For most contractors, this is straightforward. This practice works with IA.L2-3.5.7 (complexity) and IA.L2-3.5.8 (reuse restrictions) to provide defense in depth for password security.

Family Identification and Authentication

Practice IA.L2-3.5.10

Difficulty Medium

Key evidence System documentation, network configuration, credential vault documentation

What the assessor is actually evaluating

The assessor is checking two things. One: how do you store passwords? Are they hashed? Are they in a secure vault? Are they ever stored in plain text? Two: how are passwords transmitted when users authenticate? Are connections encrypted?

For passwords stored in systems like Active Directory or Azure AD, the assessor knows these use approved hashing. They won’t push on this. For passwords stored in credential vaults, they want to know the vault uses encryption. For passwords in custom applications, they want to see that hashing is used.

For transmission, they want to see HTTPS or TLS for all authentication. No HTTP, no unencrypted protocols.

What a realistic SSP definition looks like

Example SSP Language: IA.L2-3.5.10

Practice IA.L2-3.5.10: Cryptographically-Protected Passwords

Passwords are protected using approved cryptographic methods both when stored and when transmitted.

Password Storage at Rest:

User passwords in Active Directory are stored using NTLM and Kerberos hashing. These are built-in Windows security methods that hash passwords rather than storing them in plain text. No user passwords are stored in plain text anywhere in our systems.

Cloud-based passwords in Azure AD are hashed using Azure AD’s built-in password hashing mechanisms, which use industry-standard algorithms.

Service account credentials are stored in [credential vault solution] which encrypts all stored credentials at rest using [encryption method / built-in encryption]. Credentials are never stored in plain text files, spreadsheets, or documents.

Legacy application passwords (if any) are stored in the [credential vault] and are protected with encryption. Applications authenticate to the vault using separate service account credentials that are also encrypted.

Password Transmission in Transit:

All authentication traffic to systems containing CUI is encrypted using TLS or HTTPS. This includes:

Network logons use Kerberos over encrypted domain connections
Remote access via VPN uses TLS encryption
Cloud access via web uses HTTPS with TLS
Email and web applications use HTTPS
API access uses HTTPS with TLS

All authentication endpoints are configured to require HTTPS or TLS. HTTP without encryption is not permitted for any authentication functionality.

Insecure Transmission Prevention:

We do not:

Transmit passwords via email
Use unencrypted protocols (HTTP, telnet, etc.) for authentication
Send passwords through chat or messaging applications
Store passwords in shared documents or spreadsheets

Credential Vault Administration:

Our credential vault is administered by [IT manager / MSSP]. Access to the vault is restricted to authorized personnel only. Vault contents are audited quarterly to ensure only needed credentials are stored.

This is thorough and specific. The assessor reads this and knows you’re using approved methods for storage and transmission.

How to present your evidence

Evidence checklist

System documentation stating password hashing methods (NTLM/Kerberos, Azure hashing, etc.)
Network configuration showing TLS/HTTPS is enforced for authentication
Credential vault documentation and encryption method
Policy statement documenting no plain-text password storage or transmission

Your evidence includes:

System documentation stating password hashing methods. For Active Directory, document that Windows uses NTLM/Kerberos hashing. For cloud, Azure AD documentation. For custom applications, documentation showing the hashing algorithm used.
Network configuration showing TLS/HTTPS is enforced. Screenshots of your VPN requiring TLS. Web application configuration showing HTTPS is required. Domain controller configuration showing Kerberos is used.
Credential vault documentation. If you store service account credentials in a vault, show the vault is encrypted and document the encryption method.
Policy statement. Your SSP statement (above) is evidence by itself.
Configuration audit. Show that HTTP redirects to HTTPS, unencrypted protocols are disabled, etc.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "How are passwords stored in your system?"

"User passwords in Active Directory are hashed using Windows security methods, not stored in plain text. Service account passwords are stored in our credential vault which encrypts them. Passwords are never stored unencrypted anywhere."

Q: "How are passwords transmitted when users authenticate?"

"All authentication uses encrypted channels. Domain logons use Kerberos. Remote access uses VPN with TLS. Cloud access uses HTTPS. Everything is encrypted in transit."

Q: "Can you show me your credential vault or how service passwords are protected?"

If you have a credential vault, pull it up. "This is our [vault name]. It encrypts all stored credentials. Only [authorized people] have access." If you don't have a vault and use a different method, explain it.

Common failures

Service account passwords are stored in a spreadsheet or document. This is the most common failure. "We keep a list of service accounts and their passwords in a shared spreadsheet." That's plain text storage. Get a credential vault immediately.

Passwords are transmitted via email or unencrypted protocols. "We email temporary passwords." Or "some legacy applications use unencrypted connections." Either fix the application or get a vault to manage it securely.

You're not sure how passwords are stored or transmitted. "I think Active Directory hashes them" is not confident. Know your systems. Know that Windows hashes, Azure hashes, and that TLS encrypts transmission.

Passwords are clearly hashed in systems that support it, encrypted in vaults where needed, and all transmission is encrypted. You can confidently say "no plain text storage, all transmission is encrypted."

Legacy applications that can't be upgraded are documented with a compensating control. "This legacy app doesn't support HTTPS, so we access it only through a secured tunnel." Or stored in a vault instead of exposed.

Get assessment room tips in your inbox

Short, practical breakdowns of what assessors actually ask and how to answer. No compliance jargon, no sales pitch. Subscribe free on Substack.

If you use an MSP or MSSP

Your MSSP should be handling credential storage and transmission security. They configure your systems to use TLS, set up credential vaults, and ensure service accounts are managed securely.

Ask your MSSP: “How are service account passwords stored and transmitted securely in our environment?” They should describe their credential vault or secure management method. If they don’t have one, ask why.

In the assessment, the MSSP can explain their credential management approach and show the vault if needed. The contractor can speak to the policy.

Before the assessment, ask your MSSP to demonstrate their credential vault and explain how it protects stored credentials. This should take 10 minutes. If they don't have a clear answer, push back.

This guidance is based on assessment room experience and reflects one practitioner’s interpretation of CMMC Level 2 requirements. It is not legal or compliance advice. Always consult your compliance team and official CMMC documentation for final guidance.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← IA.L2-3.5.11: Obscure Feedback All Practices IA.L2-3.5.9: Temporary Passwords →