3.5.10 has a weight of -5 points

(Identification and Authentication Family) 10/11

Store and transmit only cryptographically-protected passwords.

Example of System Security Plan (SSP):

Example of Plan of Action and Milestones (POA&M):

Plan of Actions and Milestones (POA&M) for Cryptographically Protected Password Storage and Transmission

1. Introduction

This POA&M identifies the action items required to implement, maintain, and enhance the cryptographic protection of password storage and transmission as outlined in the System Security Plan (SSP).

2. Access Control and User Authentication

a. Active Directory Domain Services (ADDS) Integration
   – Action: Implement integration with ADDS for user authentication and authorization.
   – Deadline: [Date]
   – Status: In Progress / Completed
   – Responsible Party: [Name/Team]

b. Accounting System Encryption
   – Action: Configure and test encryption for accounting system user access.
   – Deadline: [Date]
   – Status: In Progress / Completed
   – Responsible Party: [Name/Team]

3. Cryptographic Controls

a. Password Storage
   – Action: Implement strong cryptographic methods for password storage.
   – Deadline: [Date]
   – Status: In Progress / Completed
   – Responsible Party: [Name/Team]

b. Password Transmission
   – Action: Encrypt all passwords transmitted across the network.
   – Deadline: [Date]
   – Status: In Progress / Completed
   – Responsible Party: [Name/Team]

c. Key Management
   – Action: Develop and implement key management procedures.
   – Deadline: [Date]
   – Status: In Progress / Completed
   – Responsible Party: [Name/Team]

4. Monitoring and Continuous Improvement

a. Regular Audits and Reviews
   – Action: Conduct regular audits and reviews of cryptographic controls.
   – Deadline: [Date]
   – Status: In Progress / Completed
   – Responsible Party: [Name/Team]

b. Incident Response Planning
   – Action: Develop an incident response plan for cryptographic control failures.
   – Deadline: [Date]
   – Status: In Progress / Completed
   – Responsible Party: [Name/Team]

RELEVANT INFORMATION:

Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO]
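The following is an added example, not part of the original page or of any referenced NIST text, showing what "salted one-way cryptographic hash" means in practice and what the POA&M item "Implement strong cryptographic methods for password storage" would produce. It uses Python's standard-library PBKDF2-HMAC-SHA256 with a random per-user salt, stores the salt and work factor alongside the hash so the record can be verified later, and compares in constant time. The record format, function names, iteration count and sample password are this example's own choices; the unsalted SHA-256 function is included only to show the weakness the control is meant to rule out (identical passwords produce identical stored values).

```python
"""Salted one-way password hashing (added example; not from the original page).

Each password gets a fresh random salt, the hash is derived with
PBKDF2-HMAC-SHA256, and the stored record carries the parameters needed
to verify it later. Record layout: algorithm$iterations$salt_b64$hash_b64.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor and salt size are parameters chosen for this example.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2-sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record suitable for storing in a user table."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations; constant-time compare."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """The pattern 3.5.10 rules out: a bare, unsalted hash.

    Two users with the same password get identical stored values, so one
    recovered hash exposes both accounts and precomputed tables apply.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Constructed sample accounts illustrating why the salt matters."""
    shared = "Winter2024!"  # constructed sample password shared by two users
    rec_alice = hash_password(shared)
    rec_bob = hash_password(shared)
    return {
        "salted_records_differ": rec_alice != rec_bob,
        "unsalted_records_differ": unsalted_sha256(shared) != unsalted_sha256(shared),
        "correct_password_verifies": verify_password(shared, rec_alice),
        "wrong_password_rejected": verify_password("winter2024!", rec_alice),
        "malformed_record_rejected": verify_password(shared, "not-a-record"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When reviewing an existing system against this control, the stored record is the thing to inspect: a per-user random salt, a slow one-way KDF (PBKDF2, bcrypt, scrypt or Argon2), and a constant-time comparison on verification. A fixed hex digest that is identical for two users with the same password indicates the unsalted pattern shown above.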

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.