Navigate

IA-5(18)

IA-5(18): Password Managers

(a): Employ [password managers employed for generating and managing passwords are defined;] to generate and manage passwords; and

(b): Protect the passwords using [controls for protecting passwords are defined;].

Supplemental

For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords (see [IA-5(1)(d)](#ia-5.1_smt.d) ) and storing the collection offline in a token.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to IA-5(18).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of IA-5(18).

Control	Description
No controls

Related CCIs

The CCIs below are tied to IA-5(18).

CCI	Definition
CCI-004079	Employ organization-defined password managers to generate and manage passwords.
CCI-004080	Defines the password managers employed to generate and manage passwords.
CCI-004081	Protect the passwords using organization-defined controls.
CCI-004082	Defines the controls for protecting the passwords.