SPA Objectives - Password Manager: Difference between revisions
Created page in draft form |
Flushed out AOs for Password Managers |
||
| Line 5: | Line 5: | ||
== Assessment Objectives to Assess == | == Assessment Objectives to Assess == | ||
IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS | IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS [a, b] | ||
SC.L2-3.13.10 - KEY MANAGEMENT | * Password manager will need to securely store the passwords [a] and securely transmit them [b]. | ||
PS.L2-3.9.2 – PERSONNEL ACTIONS [a,b] | |||
* Likely will be a component of the evidence for [a] and [b] but will not be the only evidence for these AOs. | |||
SC.L2-3.13.10 - KEY MANAGEMENT [b] | |||
* May be used to manage cryptographic keys if password manager provides said functionality. | |||
== Assessment Objectives that Don't need to be Assessed == | |||
IA.L2-3.5.7 – PASSWORD COMPLEXITY [c, d] | |||
* Password complexity is typically enforced on the system containing CUI. | |||
IA.L2-3.5.8 – PASSWORD REUSE [b] | |||
* Password reuse is typically enforced on the system containing CUI. | |||
IA.L2-3.5.9 – TEMPORARY PASSWORDS [a] | |||
* Password manager wouldn't enforce temporary password changes on systems containing CUI, the system containing CUI would do the enforcement. | |||
Revision as of 20:41, 9 September 2025
When is a Password Manager an SPA?
When a password manager is organizationally managed or provisioned for use within the scope of the CUI information system then the password manager should be scoped as an SPA.
When users choose to use a password manager (such as one built-in to their browser on their in-scope computers), then these are not considered an SPA, since the protection of the password is the responsibility of the user, not the organization.
Assessment Objectives to Assess
IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS [a, b]
- Password manager will need to securely store the passwords [a] and securely transmit them [b].
PS.L2-3.9.2 – PERSONNEL ACTIONS [a,b]
- Likely will be a component of the evidence for [a] and [b] but will not be the only evidence for these AOs.
SC.L2-3.13.10 - KEY MANAGEMENT [b]
- May be used to manage cryptographic keys if password manager provides said functionality.
Assessment Objectives that Don't need to be Assessed
IA.L2-3.5.7 – PASSWORD COMPLEXITY [c, d]
- Password complexity is typically enforced on the system containing CUI.
IA.L2-3.5.8 – PASSWORD REUSE [b]
- Password reuse is typically enforced on the system containing CUI.
IA.L2-3.5.9 – TEMPORARY PASSWORDS [a]
- Password manager wouldn't enforce temporary password changes on systems containing CUI, the system containing CUI would do the enforcement.