Skip to main content

IAC-10.11: Password Managers

IAC 8 — High Protect

Mechanisms exist to protect and store passwords via a password manager tool.

Control Question: Does the organization protect and store passwords via a password manager tool?

General (11)
Framework Mapping Values
CSA CCM 4 IAM-02 IAM-15
ISO 27002 2022 5.17 5.18
NIST 800-53 R5 (source) IA-5(18)
NIST 800-53 R5 (NOC) (source) IA-5(18)
NIST 800-171 R3 (source) 03.05.07.a 03.05.07.b 03.05.07.c 03.05.07.d 03.05.07.f
NIST 800-171A R3 (source) A.03.05.07.ODP[01] A.03.05.07.a[01] A.03.05.07.a[02] A.03.05.07.a[03] A.03.05.07.b
NIST 800-172 3.5.2e
SWIFT CSF 2023 5.4
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IAC-10.11
SCF CORE ESP Level 2 Critical Infrastructure IAC-10.11
SCF CORE ESP Level 3 Advanced Threats IAC-10.11
US (2)
Framework Mapping Values
US CISA CPG 2022 2.L
US DHS CISA TIC 3.0 3.PEP.ID.SMANA
EMEA (5)
Framework Mapping Values
EMEA Saudi Arabia CSCC-1 2019 2-2-1-6
EMEA Saudi Arabia OTCC-1 2022 2-2-1-9
EMEA Saudi Arabia SACS-002 TPC-3
EMEA Spain CCN-STIC 825 7.2.5 [OP.ACC.5]
EMEA UK DEFSTAN 05-138 2212
APAC (1)
Framework Mapping Values
APAC New Zealand NZISM 3.6 14.3.13.C.01 14.3.13.C.02 14.3.13.C.03
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.05.07.A 03.05.07.B 03.05.07.C 03.05.07.D 03.05.07.F

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to protect and store passwords via a password manager tool.

Level 1 — Performed Informally

Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
  • IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
  • Password managers are not governed.
Level 2 — Planned & Tracked

Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.

  • Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
  • IT personnel:
  • Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
  • Password managers are provided, but decentralized and not actively governed.
Level 3 — Well Defined

Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
  • The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
  • An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
  • Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
  • Centrally-managed password managers are provided.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to protect and store passwords via a password manager tool.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect and store passwords via a password manager tool.

Assessment Objectives

  1. IAC-10.11_A01 password managers employed for generating and managing passwords are defined.
  2. IAC-10.11_A02 password managers are employed to generate and manage passwords.
  3. IAC-10.11_A03 systems and system components that do not support multifactor authentication or complex account management are identified.
  4. IAC-10.11_A04 automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are identified.
  5. IAC-10.11_A05 automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are employed.
  6. IAC-10.11_A06 controls for protecting passwords are defined.
  7. IAC-10.11_A07 the passwords are protected using controls.
  8. IAC-10.11_A08 the frequency at which to update the list of commonly used, expected, or compromised passwords is defined.
  9. IAC-10.11_A09 a list of commonly used, expected, or compromised passwords is maintained.
  10. IAC-10.11_A10 a list of commonly used, expected, or compromised passwords is updated per an organization-defined frequency.
  11. IAC-10.11_A11 a list of commonly used, expected, or compromised passwords is updated when organizational passwords are suspected to have been compromised.
  12. IAC-10.11_A12 passwords are verified not to be found on the list of commonly used, expected, or compromised passwords when they are created or updated by users.
  13. IAC-10.11_A13 a list of commonly used, expected, or compromised passwords is updated <A.03.05.07.ODP[01]: frequency>.

Technology Recommendations

Micro/Small

  • Keeper (https://keepersecurity.com)
  • LastPass (https://lastpass.com
  • 1Password (https://1password.com)

Small

  • Keeper (https://keepersecurity.com)
  • LastPass (https://lastpass.com
  • 1Password (https://1password.com)

Medium

  • Keeper (https://keepersecurity.com)
  • LastPass (https://lastpass.com
  • 1Password (https://1password.com)
  • Delinea Secret Server (https://delinea.com)
  • ManageEngine Enterprise Password Management (https://manageengine.com)
  • Securden (https://securden.com)
  • CyberArk (https://cyberark.com)

Large

  • Keeper (https://keepersecurity.com)
  • LastPass (https://lastpass.com
  • 1Password (https://1password.com)
  • Delinea Secret Server (https://delinea.com)
  • ManageEngine Enterprise Password Management (https://manageengine.com)
  • Securden (https://securden.com)
  • CyberArk (https://cyberark.com)

Enterprise

  • Keeper (https://keepersecurity.com)
  • LastPass (https://lastpass.com
  • 1Password (https://1password.com)
  • Delinea Secret Server (https://delinea.com)
  • ManageEngine Enterprise Password Management (https://manageengine.com)
  • Securden (https://securden.com)
  • CyberArk (https://cyberark.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free