IA.L2-3.5.8
-
Requirement
Prohibit password reuse for a specified number of generations.
-
Discussion
Password lifetime restrictions do not apply to temporary passwords.
-
Further Discussion
Individuals may not reuse their passwords for a defined period of time and a set number of passwords generated.
Example
You explain in your company's security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period. You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b].
Potential Assessment Considerations
- How many generations of password changes need to take place before a password can be reused [a]?
NIST 800-171A Assessment Guidance