NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-5(18) — Password Managers
(a) Employ {{ insert: param, ia-05.18_odp.01 }} to generate and manage passwords; and
(b) Protect the passwords using {{ insert: param, ia-05.18_odp.02 }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem, as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection, including encrypting the passwords (see [IA-5(1)(d)](#ia-5.1_smt.d)) and storing the collection offline in a token.
Practitioner Notes
This enhancement addresses the use of password managers — approved tools that help users create and store strong, unique passwords for each system.
Example 1: Deploy an enterprise password manager like 1Password Business or Keeper Enterprise to all employees so they can generate and store unique, complex passwords for each application.
Example 2: Configure your approved password manager to enforce master password requirements (minimum 16 characters, MFA enabled) and prohibit users from using unapproved password storage methods like browser auto-save or sticky notes.