GRCWatch
Sign inStart free trial

IA.L2-3.5.8 Password Reuse: CMMC Level 2 Compliance

Password reuse is a critical vulnerability that exposes organizations to credential compromise attacks. IA.L2-3.5.8 requires you to prevent users from cycling through old passwords, forcing stronger password changes across generations. Failing this control increases breach risk and jeopardizes CMMC certification.

What this means

This control mandates that systems prohibit users from reusing passwords within a specified number of previous generations. For example, a system configured with a password history of 5 generations prevents a user from reusing any of their last 5 passwords. This forces users to create genuinely new passwords rather than rotating through predictable sequences, significantly reducing the risk of compromised credential reuse.

How to comply

  1. 1.Identify all systems where users authenticate (Active Directory, applications, databases, remote access platforms)
  2. 2.Configure password history requirements—typically 5-24 previous generations depending on risk tolerance
  3. 3.Document your organization's password history policy (number of generations enforced)
  4. 4.Test the restriction by attempting to reuse recent passwords and verify rejection
  5. 5.Enable logging and monitoring to track password change events and policy violations
  6. 6.Communicate the policy to users and update onboarding documentation
  7. 7.Perform quarterly audits to confirm password reuse restrictions remain active across all systems

Evidence auditors look for

  • Screenshots of Active Directory password policy settings showing password history enforcement (e.g., 'Enforce password history: 5 passwords remembered')
  • Configuration export from authentication systems showing password reuse prevention settings
  • System logs documenting rejected password reuse attempts with timestamps
  • Policy documentation defining the number of password generations required
  • User awareness training materials covering password change requirements
  • Audit reports confirming password history settings across enterprise systems
  • Change management records showing when password reuse controls were implemented

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically inventories your authentication systems, detects password history configurations across all platforms, and flags accounts where reuse restrictions aren't enforced—eliminating manual audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

IA.L2-3.5.1 (Password Strength)IA.L2-3.5.2 (Password Change)IA.L2-3.5.3 (Session Lock)IA.L2-3.5.5 (Account Lockout)