STIG V-69567 finding application must only store cryptographic representations of passwords

We manage and operate Nexus service in a federal environment. Recent STIG audit found vulnerability regarding our use of local Nexus users. We are looking for evidence to support the finding is invalid as the application doesn’t store passwords in plain text fashion. Trying to resolve the finding: The application must only store cryptographic representations of passwords..

Any product support documentation or other validating documentation is appreciated.