Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY IA

IA.L2-3.5.8

Password Reuse

Requirement

Prohibit password reuse for a specified number of generations.

Further discussion

Individuals may not reuse their passwords for a defined period of time and a set number of passwords generated. Example You explain in your company’s security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period. You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b]. Potential Assessment Considerations • How many generations of password changes need to take place before a password can be reused [a]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/