SPA Objectives - Password Manager: Difference between revisions
Created page in draft form |
|||
| (One intermediate revision by one other user not shown) | |||
| Line 5: | Line 5: | ||
== Assessment Objectives to Assess == | == Assessment Objectives to Assess == | ||
IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS | IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS [a, b] | ||
SC.L2-3.13.10 - KEY MANAGEMENT | * Password manager will need to securely store the passwords [a] and securely transmit them [b]. | ||
PS.L2-3.9.2 – PERSONNEL ACTIONS [a,b] | |||
* Ensuring that access to passwords that grant access to sensitive information are protected during and after personnel actions is likely to be a component of the evidence for [a] and [b] but will not be the only evidence for these AOs. | |||
SC.L2-3.13.10 - KEY MANAGEMENT [b] | |||
* May be used to manage cryptographic keys if password manager provides said functionality. | |||
== Assessment Objectives that won't likely be Assessed == | |||
IA.L2-3.5.7 – PASSWORD COMPLEXITY [c, d] | |||
* Password complexity is typically enforced on the system containing CUI or its identity provider, not the password manager. | |||
IA.L2-3.5.8 – PASSWORD REUSE [b] | |||
* Password reuse is typically enforced on the system containing CUI or its identity provider, not the password manager. | |||
IA.L2-3.5.9 – TEMPORARY PASSWORDS [a] | |||
* Temporary passwords are typically enforced on the system containing CUI or its identity provider, not the password manager. | |||
Latest revision as of 14:47, 10 September 2025
When is a Password Manager an SPA?
When a password manager is organizationally managed or provisioned for use within the scope of the CUI information system then the password manager should be scoped as an SPA.
When users choose to use a password manager (such as one built-in to their browser on their in-scope computers), then these are not considered an SPA, since the protection of the password is the responsibility of the user, not the organization.
Assessment Objectives to Assess
IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS [a, b]
- Password manager will need to securely store the passwords [a] and securely transmit them [b].
PS.L2-3.9.2 – PERSONNEL ACTIONS [a,b]
- Ensuring that access to passwords that grant access to sensitive information are protected during and after personnel actions is likely to be a component of the evidence for [a] and [b] but will not be the only evidence for these AOs.
SC.L2-3.13.10 - KEY MANAGEMENT [b]
- May be used to manage cryptographic keys if password manager provides said functionality.
Assessment Objectives that won't likely be Assessed
IA.L2-3.5.7 – PASSWORD COMPLEXITY [c, d]
- Password complexity is typically enforced on the system containing CUI or its identity provider, not the password manager.
IA.L2-3.5.8 – PASSWORD REUSE [b]
- Password reuse is typically enforced on the system containing CUI or its identity provider, not the password manager.
IA.L2-3.5.9 – TEMPORARY PASSWORDS [a]
- Temporary passwords are typically enforced on the system containing CUI or its identity provider, not the password manager.