CMMC Practice IA.L2-3.5.5 – Identifier Reuse: Prevent the reuse of identifiers for a defined period.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This document from Identity Automation provides organizations with a step-by-step process to follow for creating and maintaining usernames.
This article provides guidance for the Identification and Authorization (IA) domain. There's a table with links to content that provides step-by-step guidance to accomplish the practice.
This special publication from NIST provides an overview of Identifier Management.
This is an example of an identification and authentication policy for Texas A&M.
In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we discuss preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
Let’s talk about NIST 800-171 Control 3.5.5: Prevent reuse of identifiers for a defined period.
Discussion [NIST SP 800-171 R2]
Identifiers are provided for users, processes acting on behalf of users, or devices (IA.L1-3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
Further Discussion
Identifiers uniquely associate a user ID to an individual, group, role, or device. Establish guidelines and implement mechanisms to prevent identifiers from being reused for the period of time established in the policy.
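One way to implement the mechanism described under Further Discussion, shown as an added example that is not code from CMMC, NIST, or any of the linked resources. The `IdentifierRegistry` class, the owner keys (for example a personnel number or device serial), and the 365-day period are assumptions; the actual period comes from the organization's policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class IdentifierReuseError(Exception):
    """Raised when an assignment would violate the no-reuse policy."""


@dataclass
class IdentifierRegistry:
    # Assumption: policy defines the period; 365 days is a placeholder value.
    reuse_period: timedelta = timedelta(days=365)
    # normalized identifier -> (owner key, retired_at or None while active)
    records: dict = field(default_factory=dict)

    @staticmethod
    def normalize(identifier: str) -> str:
        # "JSmith" and " jsmith" must count as the same identifier.
        return identifier.strip().casefold()

    def reusable_on(self, identifier: str):
        """Earliest time a different owner may get it; None if active or unknown."""
        rec = self.records.get(self.normalize(identifier))
        if rec is None or rec[1] is None:
            return None
        return rec[1] + self.reuse_period

    def assign(self, identifier: str, owner: tuple, now: datetime) -> None:
        key = self.normalize(identifier)
        rec = self.records.get(key)
        if rec is not None:
            prev_owner, retired_at = rec
            if retired_at is None and prev_owner != owner:
                raise IdentifierReuseError(f"{key!r} is still assigned")
            # Returning the identifier to its original owner is not reuse;
            # giving it to anyone else inside the period is.
            if (retired_at is not None and prev_owner != owner
                    and now < retired_at + self.reuse_period):
                raise IdentifierReuseError(
                    f"{key!r} is blocked until {retired_at + self.reuse_period:%Y-%m-%d}")
        self.records[key] = (owner, None)

    def retire(self, identifier: str, now: datetime) -> None:
        # Keep the record after deprovisioning; deleting it would erase the
        # history the reuse check depends on.
        key = self.normalize(identifier)
        owner, retired_at = self.records[key]
        if retired_at is None:
            self.records[key] = (owner, now)
```

The same registry covers group, role, and device identifiers if the owner key carries the kind, such as `("device", "SN-0001")`.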