NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-5(7) No Embedded Unencrypted Static Authenticators

Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators.

Practitioner Notes

This enhancement prohibits embedding unencrypted static passwords or credentials in applications, scripts, or configuration files — a common and dangerous practice.

Example 1: Scan your code repositories with GitLeaks or TruffleHog to detect hardcoded passwords, API keys, or connection strings, and move them to Azure Key Vault.

Example 2: Replace hardcoded database passwords in application config files with managed identity authentication (Azure) or IAM role-based authentication (AWS) that requires no static credentials.
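A minimal sketch of the kind of check Example 1 describes, added here as an illustration and not taken from the scanners named above or from the control text. It flags literal values assigned to credential-like keys, treats base64 as encoding rather than encryption, and passes runtime references such as `${VAR}` (the pattern Example 2 moves toward). The key-name list, reference patterns and sample file are assumptions constructed for the example.

```python
import base64
import re

# Assumed heuristic: key names that usually hold an authenticator.
CRED_KEY = re.compile(
    r"(?i)\b([\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[\w.-]*)"
    r"\s*[:=]\s*[\"']?([^\"'\s;#]+)"
)
# Assumed reference forms: resolved at runtime, so nothing static is stored.
REFERENCE = re.compile(r"^(\$\{[^}]+\}|\$\w+|%\w+%)$")

# Constructed sample input, not from a real system.
SAMPLE = '''\
# constructed sample, not from a real system
DB_PASSWORD=${DB_PASSWORD}
api_key: "c2VjcmV0LWtleS0xMjM="
conn = "Server=db01;User Id=app;Password=Winter2024!;"
smtp_passwd = %SMTP_PASS%
'''

def classify(value):
    """Return a finding type for a stored value, or None if it is a reference."""
    if not value or REFERENCE.match(value):
        return None
    try:
        # Base64 is reversible without a key, so it is still an embedded secret.
        decoded = base64.b64decode(value, validate=True).decode("ascii")
        if len(value) >= 8 and decoded.isprintable():
            return "base64-encoded literal"
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass
    return "plaintext literal"

def scan(text):
    """Yield (line number, key name, finding type); the value is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CRED_KEY.finditer(line):
            kind = classify(m.group(2))
            if kind:
                findings.append((lineno, m.group(1), kind))
    return findings

if __name__ == "__main__":
    for lineno, key, kind in scan(SAMPLE):
        print(f"line {lineno}: {key}: {kind}")
```

Findings report the key name and line only, so the scanner's own output does not become another place where the authenticator is stored.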