SPA Objectives - Password Manager

From Cooey Wiki
Revision as of 14:47, 10 September 2025 by Uncouth (talk | contribs) (→‎Assessment Objectives to Assess)

When is a Password Manager an SPA?

When a password manager is organizationally managed or provisioned for use within the scope of the CUI information system, the password manager should be scoped as an SPA.

When users choose on their own to use a password manager (such as one built into the browser on their in-scope computers), it is not considered an SPA, since protection of the password is then the responsibility of the user, not the organization.

Assessment Objectives to Assess

IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS [a, b]

  • The password manager will need to securely store the passwords [a] and securely transmit them [b].

PS.L2-3.9.2 – PERSONNEL ACTIONS [a, b]

  • Ensuring that access to passwords that grant access to sensitive information is protected during and after personnel actions is likely to be a component of the evidence for [a] and [b], but it will not be the only evidence for these AOs.

SC.L2-3.13.10 – KEY MANAGEMENT [b]

  • The password manager may be used to manage cryptographic keys if it provides that functionality.

Assessment Objectives that are Unlikely to be Assessed

IA.L2-3.5.7 – PASSWORD COMPLEXITY [c, d]

  • Password complexity is typically enforced on the system containing CUI or its identity provider, not the password manager.

IA.L2-3.5.8 – PASSWORD REUSE [b]

  • Password reuse is typically enforced on the system containing CUI or its identity provider, not the password manager.

IA.L2-3.5.9 – TEMPORARY PASSWORDS [a]

  • Temporary passwords are typically enforced on the system containing CUI or its identity provider, not the password manager.