The application server must for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

An XCCDF Rule