CMMC v2.11 Practices

IA.L2-3.5.8  

Reference: CMMC v2.11

Family: IA

Level Introduced: 2

Title: Password Reuse

Practice:
Prohibit password reuse for a specified number of generations.

Further Discussion:
Individuals may not reuse their passwords for a defined period of time and a set number of passwords generated.

Example
You explain in your company’s security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period. You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b].

Potential Assessment Considerations
• How many generations of password changes need to take place before a password can be reused [a]?
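
One way to enforce the behavior described in the Example above, shown as an added illustration that is not part of CMMC or of any product's own code: remember the last N salted password hashes and reject a change that matches any of them. The generation count of 5 and the names `PasswordHistory` and `PasswordReuseError` are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from collections import deque

# Assumed value: the practice leaves the number of generations to the organization [a].
HISTORY_GENERATIONS = 5


class PasswordReuseError(ValueError):
    """Raised when a new password matches one still held in the history [b]."""


def _derive(password: str, salt: bytes) -> bytes:
    # Each remembered password has its own salt, so stored digests cannot be
    # compared with each other; a candidate must be re-derived per entry.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


class PasswordHistory:
    """Keeps salted hashes of the current and previous passwords (hypothetical helper)."""

    def __init__(self, generations: int = HISTORY_GENERATIONS):
        if generations < 1:
            raise ValueError("generations must be at least 1")
        # maxlen drops the oldest generation automatically on append.
        self._entries = deque(maxlen=generations)

    def is_reused(self, candidate: str) -> bool:
        reused = False
        for salt, digest in self._entries:
            # Check every entry and compare in constant time, so timing does
            # not reveal which generation matched.
            if hmac.compare_digest(_derive(candidate, salt), digest):
                reused = True
        return reused

    def change_password(self, new_password: str) -> None:
        if self.is_reused(new_password):
            raise PasswordReuseError(
                f"password was used within the last {self._entries.maxlen} "
                "generations; choose a new password")
        salt = os.urandom(16)
        self._entries.append((salt, _derive(new_password, salt)))
```

The history holds only salted hashes, never plaintext, and should be protected like the credential store itself.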


Source: CMMC v2.11