IA.L2-3.5.11

IA.L2-3.5.11: Obscure Feedback

Obscure authentication feedback to prevent information disclosure.

Obscure feedback is about what your authentication systems tell the user when authentication fails. If a login screen says “user not found,” an attacker learns that username doesn’t exist. If it says “invalid credentials,” they learn nothing useful. The attacker can’t enumerate valid usernames.

For most contractors using Windows or cloud authentication, this is handled automatically. The system says “invalid credentials” and that’s it. The failure usually comes from custom applications or legacy systems that reveal too much information. This practice completes the IA authentication controls alongside IA.L2-3.5.2 (user authentication) and IA.L2-3.5.3 (MFA), ensuring that authentication is both secure and doesn’t leak information to attackers.

Family Identification and Authentication
Practice IA.L2-3.5.11
Difficulty Easy
Key evidence Policy statement, screenshots of authentication error messages

What the assessor is actually evaluating

The assessor is checking that your authentication systems don’t reveal information that could help an attacker. They’ll ask about your login error messages. They might ask you to demonstrate what a failed login looks like. They want to see that the message is generic and doesn’t disclose whether the username exists, what happened to the password, or any other useful information.

For most modern systems, this is automatic. Windows says “the user name or password is incorrect.” Azure AD says “invalid credentials.” These are appropriately obscured. If you’re using a custom application, you need to think about what feedback it gives.

What a realistic SSP definition looks like

Example SSP Language: IA.L2-3.5.11

Practice IA.L2-3.5.11: Obscure Authentication Feedback

Authentication feedback does not reveal information that could assist an attacker in obtaining unauthorized access.

Standard Authentication Systems:

User authentication to Windows domain, Azure AD, and cloud services uses standard platform authentication. These platforms are configured to provide generic authentication failure messages. When authentication fails, the system displays “invalid credentials” or “login failed” without specifying whether the failure was due to an invalid username, invalid password, account locked, or other specific condition. This prevents attackers from determining which usernames exist in our environment.

VPN and Remote Access:

VPN authentication is provided by [VPN platform]. Authentication failures display a generic message indicating authentication was unsuccessful, without divulging the specific reason for the failure.

Web Applications and Custom Systems:

If custom web applications or legacy systems require authentication, they are configured to provide generic failure messages. Custom applications are reviewed during development and testing to ensure authentication error messages do not reveal sensitive information such as:

  • Whether a username is valid
  • Whether a password is correct (vs. username being invalid)
  • Account status (locked, disabled, expired, etc.)
  • Details about authentication mechanisms

Logging vs. Feedback:

While generic messages are displayed to users, detailed authentication failure information is logged on the back end for security monitoring and troubleshooting. This maintains security (generic feedback to users) while preserving operational capability (detailed logs for administrators).

This explains the principle and applies it to different systems. The assessor reads this and understands your approach.

How to present your evidence

Evidence checklist
  • Your SSP statement documenting authentication feedback approach
  • Screenshots of authentication error messages from your systems
  • Comparison showing generic feedback (not specific about username/password/account status)
  • Documentation of custom applications (if any) showing error message handling

Your evidence is simple:

  1. Your SSP statement (above). This is enough evidence by itself for most assessors.

  2. Screenshots of authentication error messages. Try logging in with a bad username and a bad password on your systems. What does each one say? If they both say “invalid credentials,” you’re good. If they differentiate, you have a problem.

  3. Documentation of custom applications (if any). If you have custom apps that require authentication, document how they handle error messages.

That’s all you need. This is quick to present.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "What happens when someone tries to log in with an invalid username?"
"The system displays 'invalid credentials' or 'login failed.' It doesn't tell them whether the username exists or what's wrong with the authentication."
Q: "Can you show me what that looks like?"
Try logging in with a bad username on one of your systems or pull up a screenshot of the login screen showing the error message. "Here's what the error says. Generic, doesn't reveal anything specific."
Q: "Do you have any custom applications that might reveal more information?"
If you have custom apps, be honest. "We have [app name]. During development, we ensured its authentication messages don't reveal too much information." Or "we use standard platforms for authentication, so feedback is handled by the platform."

Common failures

Login screen says "user not found" for invalid usernames. This reveals whether a username exists. An attacker can enumerate valid usernames. Change this to "invalid credentials" or similar generic message.
Error messages reveal too much information. "Account is locked" (reveals account exists, is locked). "Password is incorrect" (reveals username is valid). "Your password has expired" (reveals valid username, account status). All of these are too specific.
Custom application or legacy system gives away information in error messages. If you built something custom, you may not have thought about this. Review it and fix if necessary.
All authentication errors display generic messages like "invalid credentials" or "authentication failed." Assessor can't trick any system into revealing whether a username is valid.
Your SSP explains the principle and standard systems handle it automatically. Assessor reads the statement and is satisfied you've thought about this.
Get assessment room tips in your inbox

Short, practical breakdowns of what assessors actually ask and how to answer. No compliance jargon, no sales pitch. Subscribe free on Substack.

If you use an MSP or MSSP

Your MSSP configures your authentication systems. Standard platforms like Windows, Azure AD, and most VPN solutions handle obscure feedback automatically. Your MSSP should have this set up correctly.

If you have custom applications, your MSSP should be aware of the authentication feedback they provide. If not, ask them to review them.

This is not usually a point of emphasis in MSSP relationships because it’s handled automatically by standard systems. If you’re worried, ask them directly.

Ask your MSSP: "Are there any authentication systems we use that might reveal information to attackers in error messages?" If they say "no, standard systems handle it automatically," you're fine. If they have to think about it or mention custom applications, ask them to review those.

This guidance is based on assessment room experience and reflects one practitioner’s interpretation of CMMC Level 2 requirements. It is not legal or compliance advice. Always consult your compliance team and official CMMC documentation for final guidance.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← IR.L2-3.6.1: Incident Handling All Practices IA.L2-3.5.10: Cryptographically-Protected Passwords →