SPA Objectives - Password Manager: Difference between revisions
Latest revision as of 14:47, 10 September 2025
When is a Password Manager an SPA?
When a password manager is organizationally managed or provisioned for use within the scope of the CUI information system, the password manager should be scoped as an SPA.
When users choose on their own to use a password manager (such as one built in to the browser on their in-scope computers), it is not considered an SPA, since protection of the password is then the responsibility of the user, not the organization.
Assessment Objectives to Assess
IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS [a, b]
- The password manager will need to cryptographically protect the passwords it stores [a] and the passwords it transmits [b].
PS.L2-3.9.2 – PERSONNEL ACTIONS [a,b]
- Ensuring that access to passwords that grant access to sensitive information is protected during and after personnel actions is likely to be a component of the evidence for [a] and [b], but will not be the only evidence for these AOs.
SC.L2-3.13.10 - KEY MANAGEMENT [b]
- May be used to manage cryptographic keys if the password manager provides that functionality.
Assessment Objectives Not Likely to Be Assessed
IA.L2-3.5.7 – PASSWORD COMPLEXITY [c, d]
- Password complexity is typically enforced on the system containing CUI or its identity provider, not the password manager.
IA.L2-3.5.8 – PASSWORD REUSE [b]
- Password reuse is typically enforced on the system containing CUI or its identity provider, not the password manager.
IA.L2-3.5.9 – TEMPORARY PASSWORDS [a]
- Temporary password requirements are typically enforced on the system containing CUI or its identity provider, not the password manager.