Control 3.5.5
Prevent Reuse of Identifiers
Official Requirement
Prevent reuse of identifiers for a defined period.
What This Means in Plain English
When an employee leaves and their account is disabled, that username should not be reassigned to a new employee for a defined period. This prevents confusion in audit logs and access records.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Active Directory policy prohibiting reuse of usernames for a minimum of two years after account deletion
- Unique employee ID numbers linked to accounts that are never recycled
- Terminated user accounts disabled immediately and retained in a disabled state for the retention period
- ComplianceArmor tracking account lifecycle from creation through deletion
- Naming convention including unique elements preventing accidental reuse
Assessment Guidance
Assessors will review the identifier reuse policy, verify that disabled accounts are retained for the defined period, check that usernames are not reassigned to new users prematurely, and review account lifecycle documentation.
Common Implementation Gaps
- No policy on identifier reuse periods
- Usernames reassigned immediately when employees leave
- Terminated accounts deleted immediately rather than retained
- No tracking of account lifecycle events
- Generic identifiers (admin1, user1) reused across individuals
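To make the implementation list and the gaps above concrete, here is an added PowerShell audit script (an illustration written for this page, not Petronella's or ComplianceArmor's tooling) that reports disabled accounts still inside the two-year window, enabled accounts whose username matches a recently deleted user, and generic identifiers such as admin1 or user1. It assumes the RSAT ActiveDirectory module, an enabled AD Recycle Bin, and a termination process that stamps extensionAttribute1 with the disable date; none of these are stated on the page.

```powershell
# Added audit example for control 3.5.5; not Petronella's tooling.
# Assumptions (not stated on the page):
#   - RSAT ActiveDirectory module is installed and the caller has read access
#   - AD Recycle Bin is enabled, so deleted users keep sAMAccountName for the
#     deleted-object lifetime (default 180 days, far shorter than two years)
#   - The termination process stamps extensionAttribute1 with the disable date
#     as yyyy-MM-dd; otherwise whenChanged is used as a rough fallback
Import-Module ActiveDirectory

$RetentionYears = 2
$Cutoff = (Get-Date).AddYears(-$RetentionYears)

# 1. Disabled accounts: which are still inside the retention window (must be
#    kept, not deleted) and which have aged out and may be removed.
$DisabledUsers = Get-ADUser -Filter 'Enabled -eq $false' `
    -Properties extensionAttribute1, whenChanged
$Retention = foreach ($u in $DisabledUsers) {
    $disabledOn = if ($u.extensionAttribute1) {
        [datetime]::ParseExact($u.extensionAttribute1, 'yyyy-MM-dd', $null)
    } else { $u.whenChanged }
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        DisabledOn          = $disabledOn
        EligibleForDeletion = ($disabledOn -lt $Cutoff)
    }
}

# 2. Premature reuse: an enabled account whose username matches a user object
#    deleted inside the window. This only covers the Recycle Bin lifetime; names
#    still held by disabled accounts cannot be reused because sAMAccountName is unique.
$RecentlyDeleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -Properties sAMAccountName, whenChanged |
    Where-Object { $_.sAMAccountName -and $_.whenChanged -gt $Cutoff } |
    Select-Object -ExpandProperty sAMAccountName

$EnabledUsers = Get-ADUser -Filter 'Enabled -eq $true'
$ReusedNames = $EnabledUsers | Where-Object { $RecentlyDeleted -contains $_.SamAccountName }

# 3. Generic identifiers (admin1, user1, ...) that invite reuse across people.
$GenericNames = $EnabledUsers | Where-Object { $_.SamAccountName -match '^(admin|user|test|temp)\d*$' }

$Retention | Where-Object { -not $_.EligibleForDeletion } |
    Format-Table SamAccountName, DisabledOn -AutoSize
"Usernames reassigned inside the $RetentionYears-year window: $($ReusedNames.Count)"
$ReusedNames | Select-Object SamAccountName, DistinguishedName
"Generic identifiers in use: $($GenericNames.Count)"
$GenericNames | Select-Object SamAccountName
```

Any row in the reuse or generic-identifier output is evidence an assessor would flag; the retention table is what shows disabled accounts are being held rather than deleted early.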
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | IA-4 |
| PCI DSS | Req 8.1.1 - Assign unique ID to each person |
Need Help Implementing 3.5.5?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment