CMMC Practice IA.L2-3.5.8

Prohibit password reuse for a specified number of generations.

Bold Coast Security Guidance

You will probably define a policy requiring users to change their password every so often. This particular practice disallows password reuse; the history is usually set to 10 past passwords. The system will remember those 10 previous password hashes and make sure the user does not reuse an old password. It is interesting that the "Discussion" for the practice states the requirement does not apply to temporary passwords. We strongly suggest using unique temporary passwords which meet your complexity requirements. Accounts are often created for new employees ahead of time, and when those new hires do not show up for their first day for whatever reason, you have an account on your network for which everyone knows the password!
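The history check and the unique temporary passwords described above, as an added example (not code from Bold Coast Security or NIST). The names `PasswordHistory` and `temporary_password`, the PBKDF2 parameters, and the symbol set are assumptions to adapt to your own policy.

```python
import hashlib
import hmac
import secrets
import string
from collections import deque

SYMBOLS = "!@#$%^&*-_"  # assumed complexity policy, adjust to your own


class PasswordHistory:
    """Current hash plus the last `generations` previous hashes for one account."""

    def __init__(self, generations=10, iterations=600_000):
        self.iterations = iterations
        self.current = None                        # (salt, digest) of the active password
        self.previous = deque(maxlen=generations)  # oldest entry drops off automatically

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def is_reused(self, candidate):
        # Each stored hash has its own salt, so the candidate is re-hashed per entry.
        stored = list(self.previous) + ([self.current] if self.current else [])
        matches = [hmac.compare_digest(self._digest(candidate, salt), digest)
                   for salt, digest in stored]
        return any(matches)

    def change_password(self, new_password):
        """Return True and rotate the history, or False if the password was used before."""
        if self.is_reused(new_password):
            return False
        if self.current:
            self.previous.append(self.current)
        salt = secrets.token_bytes(16)
        self.current = (salt, self._digest(new_password, salt))
        return True


def temporary_password(length=16):
    """Random per-account temporary password containing all four character classes."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw
```

Only salted hashes are stored, so the check can detect an exact repeat of an old password but not a near variant of one.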

Discussion From Source

DRAFT NIST SP 800-171 R2

Password lifetime restrictions do not apply to temporary passwords.

References