Answer: CUI may be stored on any password-protected system.
The statement "Sensitive information may be stored on any password-protected system" is true.
The benefits of a password manager outweigh the risk of stolen but robustly-encrypted passwords.
“Using a password manager is not a violation of 3.5.10 (IA.2.081); they are an accepted means of cryptographically protecting passwords, assuming the password manager employs NIST-validated cryptography per NIST SP 800-171 requirement 3.13.11. Originally 3.5.10 was worded as “Store and transmit only encrypted representation of passwords.” That caused some confusion (as some thought they had to traditionally encrypt passwords rather than hash the passwords), so in Revision 1, 3.5.10 was changed to “Store and transmit only cryptographically-protected passwords” — so hashes were now addressed. When NIST added the ‘Discussion’ to each requirement in Revision 2, the explanation for 3.5.10 was a little terse: “Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords” when what it meant is that when hashing, add a salt. The wording in the ‘Discussion’ for the related control (IA-5(1)) in 800-53r5 is “Cryptographically protected passwords include salted one-way cryptographic hashes of passwords” which doesn’t imply that cryptographic hashes are the only way to cryptographically-protect passwords.”
So you can use a password manager as part of your covered system. Excellent!