NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors who are subject to 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
3.5.8 Prohibit password reuse for a specified number of generations.
Control Family: Identification and Authentication
Control Type: Derived
SPRS Value: 1
SPRS Supplemental Guidance: N/A
CMMC Level(s): IA.L2-3.5.8
Top Ten Failed Requirement: No
Referenced in: DFARS 252.204-7012
Derived From: NIST SP 800-53r4 IA-5(1)
NIST Supplemental Guidance:
N/A
Discussion:
Password lifetime restrictions do not apply to temporary passwords.
Upon assessment, assessors must determine if:
3.5.8[a] the number of generations during which a password cannot be reused is specified.
3.5.8[b] reuse of passwords is prohibited during the specified number of generations.
Assessors are instructed to:
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
FURTHER DISCUSSION
Individuals may not reuse a password until a defined period of time has passed and a set number of new passwords have been generated since it was last used.
Example
You explain in your company’s security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period. You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b].
Potential Assessment Considerations
How many generations of password changes need to take place before a password can be reused [a]?
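The following is an added illustration of the mechanism an assessor would test under objectives [a] and [b]; it is not code from NIST, CMMC, or any referenced standard. It assumes a self-contained password store that keeps a salted PBKDF2 hash of the current password and the previous generations (the `generations` value, iteration count and sample passwords are constructed for the example), rejects any new password that matches one of them, and lets an old password return only once it has aged out of the retained history.

```python
"""Password-history enforcement for NIST SP 800-171 3.5.8 (added example, not NIST/CMMC code).

[a] `generations` is the specified number of generations during which reuse is prohibited.
[b] change_password() refuses a candidate that matches any retained generation.
Only salted hashes are retained, never cleartext (consistent with 3.5.10).
"""
import hashlib
import hmac
import os
from collections import deque

# Assumption: a modest PBKDF2 work factor so the example runs quickly; raise it in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Retains the current password plus enough previous ones to cover `generations`."""

    def __init__(self, generations: int) -> None:
        if generations < 1:
            raise ValueError("at least one generation must be retained")
        self.generations = generations
        # (salt, digest) pairs, oldest first; the deque drops the oldest entry automatically.
        self._history: deque[tuple[bytes, bytes]] = deque(maxlen=generations)

    def is_reused(self, candidate: str) -> bool:
        """True if the candidate matches any password still inside the retained generations."""
        for salt, digest in self._history:
            # Each entry has its own salt, so the candidate is re-hashed per entry.
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def change_password(self, new_password: str) -> bool:
        """Apply the change; returns False (change refused) when the password is a reuse."""
        if self.is_reused(new_password):
            return False  # objective [b]: reuse within the specified generations is prohibited
        salt = os.urandom(16)
        self._history.append((salt, hash_password(new_password, salt)))
        return True


def simulate(generations: int, attempts: list[str]) -> list[bool]:
    """Run a sequence of password changes and report which ones were accepted."""
    history = PasswordHistory(generations)
    return [history.change_password(p) for p in attempts]


if __name__ == "__main__":
    # Constructed sample: with 3 generations retained, the 4th attempt (reuse of the
    # 1st password) is refused; by the 6th attempt that password has aged out and is allowed,
    # while the 7th (reuse of a still-retained password) is refused again.
    sample = ["a1", "b2", "c3", "a1", "d4", "a1", "c3"]
    for password, accepted in zip(sample, simulate(3, sample)):
        print(f"{password}: {'accepted' if accepted else 'refused (reuse)'}")
```

The retained-history size is exactly the value an assessor asks for under [a]; the refusal path in `change_password` is the behaviour exercised under [b]. Note that history alone does not enforce a minimum password age, so a user could cycle through `generations` throwaway passwords to get back to a favourite one; pairing the history with a minimum-age rule closes that gap.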
Frameworks & Controls
3.5: Identification and Authentication
3.5.1 Identify system users, processes acting on behalf of users, and devices.
3.5.6 Disable identifiers after a defined period of inactivity.
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.10 Store and transmit only cryptographically-protected passwords.