NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.

AC-3.5.8 Prohibit password reuse for a specified number of generations.

Control Family: Identification and Authentication

Control Type: Derived

SPRS Value: 1

SPRS Supplemental Guidance:

N/A

CMMC Level(s):

IA.L2-3.5.8

Top Ten Failed Requirement:

No

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

IA-5(1)

NIST Supplemental Guidance:

N/A

Discussion:

Password lifetime restrictions do not apply to temporary passwords.

Upon assessment, assessors must determine if:

3.5.8[a] the number of generations during which a password cannot be reused is specified.

3.5.8[b] reuse of passwords is prohibited during the specified number of generations.
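The two assessment objectives above map directly onto an implementation: a configured generation count (3.5.8[a]) and a check that rejects a new password matching any retained generation (3.5.8[b]). The following is an added worked example, not code from NIST or from any assessor's toolkit. It assumes a generation count of 5, PBKDF2-HMAC-SHA256 with a per-entry salt so that no old plaintext is kept, and it models the discussion text by exempting temporary passwords from the check and not recording them as a generation; the class and function names are hypothetical.

```python
import hashlib
import hmac
import os
from collections import deque

# Number of previous passwords (generations) that may not be reused.
# The value 5 is an assumption for this example; 3.5.8[a] only requires
# that the number be specified in policy or configuration.
PASSWORD_HISTORY_GENERATIONS = 5

# Work factor for the stored digests (assumed value for the example).
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; only digests are retained."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class PasswordReuseError(ValueError):
    """Raised when a new password matches one of the retained generations."""


class PasswordHistory:
    """Per-user history of the last N password digests (hypothetical helper).

    The retained set includes the current password, so with N generations a
    user cannot return to the current password or the N-1 before it.
    Each entry stores (salt, digest); plaintext is never kept.
    """

    def __init__(self, generations: int = PASSWORD_HISTORY_GENERATIONS):
        if generations < 1:
            raise ValueError("generations must be a specified positive integer")
        self.generations = generations
        # deque(maxlen=N) evicts the oldest generation automatically.
        self._entries = deque(maxlen=generations)

    def is_reused(self, candidate: str) -> bool:
        """True if candidate equals any password among the retained generations."""
        for salt, digest in self._entries:
            if hmac.compare_digest(_hash_password(candidate, salt), digest):
                return True
        return False

    def set_password(self, new_password: str, temporary: bool = False) -> None:
        """Record a new password, enforcing the reuse prohibition (3.5.8[b]).

        Temporary passwords (for example an administrator-issued one-time
        value that must be changed at first login) are exempt from the reuse
        check and are not recorded as a generation. That treatment follows the
        discussion text but is an assumption of this example; storing the
        credential itself is out of scope here.
        """
        if temporary:
            return
        if self.is_reused(new_password):
            raise PasswordReuseError(
                f"password matches one of the last {self.generations} generations"
            )
        salt = os.urandom(16)
        self._entries.append((salt, _hash_password(new_password, salt)))

    def __len__(self) -> int:
        """Number of generations currently retained."""
        return len(self._entries)


if __name__ == "__main__":
    # Constructed walk-through with a small generation count.
    history = PasswordHistory(generations=3)
    for pw in ("Winter2021!", "Spring2022!", "Summer2022!"):
        history.set_password(pw)
    try:
        history.set_password("Winter2021!")
    except PasswordReuseError as exc:
        print("rejected:", exc)
    history.set_password("Autumn2022!")  # evicts Winter2021! from history
    history.set_password("Winter2021!")  # now outside the retained generations
    print("retained generations:", len(history))
```

When assessing a real system rather than application code, the same two objectives are answered by the platform's equivalent setting, such as the `remember=` option of `pam_pwhistory` on Linux or the "Enforce password history" policy on Windows: the configured value satisfies 3.5.8[a], and a test that an old password is refused satisfies 3.5.8[b].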

Assessors are instructed to:

Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].

Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
