IA.L2-3.5.8

  • Requirement

    Prohibit password reuse for a specified number of generations.

  • Discussion

    Password lifetime restrictions do not apply to temporary passwords.

More Info

  • Title

    Password Reuse
  • Domain

    Identification and Authentication
  • CMMC Level

    2
  • Related NIST 800-171 ID

  • Related NIST 800-53 ID

    IA-5(1)

  • DoD Scoring Methodology Points

    1

  • Reference Documents

    • N/A

  • Further Discussion

    Individuals may not reuse their passwords for a defined period of time and a set number of passwords generated.

    Example

    You explain in your company's security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period. You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b].

    Potential Assessment Considerations

    • How many generations of password changes need to take place before a password can be reused [a]?
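
The reuse check described in the example above, as an added sketch that is not part of the CMMC guidance or any product's code: it keeps salted scrypt hashes of the last N passwords and rejects a change that matches any of them. The class name, the value of `GENERATIONS` and the scrypt parameters are assumptions; the organization defines the actual number of generations.

```python
import hashlib
import hmac
import os
from collections import deque

GENERATIONS = 5  # assumed policy value; the organization defines the real number [a]


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, memory-hard hash; history entries are never stored in plaintext.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


class PasswordHistory:
    """Remembers the last `generations` passwords (current one included)."""

    def __init__(self, generations: int = GENERATIONS):
        if generations < 1:
            raise ValueError("generations must be at least 1")
        self.generations = generations
        # deque(maxlen=N) drops the oldest entry once N newer ones exist.
        self._entries = deque(maxlen=generations)

    def is_reused(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate must be re-hashed
        # per entry; stored digests cannot be compared to one another.
        reused = False
        for salt, digest in self._entries:
            if hmac.compare_digest(_hash(candidate, salt), digest):
                reused = True  # keep looping so timing does not reveal position
        return reused

    def change_password(self, new_password: str) -> None:
        # Reject with an error so the user must enter a different password [b].
        if self.is_reused(new_password):
            raise ValueError(
                f"Password matches one of the last {self.generations}; "
                "enter a new password.")
        salt = os.urandom(16)
        self._entries.append((salt, _hash(new_password, salt)))


if __name__ == "__main__":
    history = PasswordHistory(generations=3)
    for pw in ("alpha-1!", "bravo-2!", "charlie-3!"):  # constructed samples
        history.change_password(pw)
    print(history.is_reused("alpha-1!"))  # still within 3 generations
```
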

NIST 800-171A Assessment Guidance
