CMMC Requirement IA.L2-3.5.8 – Password Reuse: Prohibit password reuse for a specified number of generations.
The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CMMC 2.0 Level 2 controls. A CMMC 2.0 Level 2 control can be related to multiple Config rules.
Consolidation of default passwords for commercial software and hardware products.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This SANS guideline provides best practices for creating secure passwords.
This is a sample password protection policy from SANS.
This SANS whitepaper discusses vendor-supplied passwords that are embedded in software/hardware.
US-CERT alert that reviews the risk associated with default passwords on internet-connected systems.
In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we focus on how password lifetime restrictions do not apply to temporary passwords. Let’s talk about NIST 800-171 Control 3.5.8: Prohibit password reuse for a specified number of generations.
Password lifetime restrictions do not apply to temporary passwords.
Further Discussion
Individuals may not reuse their passwords for a defined period of time and a set number of passwords generated.
