Control 3.5.8
Prohibit Password Reuse
Official Requirement
Prohibit password reuse for a specified number of generations.
What This Means in Plain English
Users must not be allowed to reuse old passwords. The system must keep a record (as hashes, never plaintext) of a defined number of each user's previous passwords and reject any new password that matches one of them, on every path that sets a password.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Active Directory Default Domain Policy with Enforce password history set to 24 passwords remembered (the maximum the setting allows)
- Microsoft Entra password protection (global and custom banned-password lists) for cloud accounts; note that Entra ID's own history check only rejects the immediately previous password when a user changes it, so synced (hybrid) identities rely on the on-premises Active Directory history above
- Password policy documented and communicated to all users during onboarding
- Self-service password reset portal enforcing history checks before accepting new passwords
- ComplianceArmor tracking password policy compliance metrics
Assessment Guidance
Assessors will verify the password history settings in Active Directory (default domain policy and any fine-grained password policies) and Entra ID, test that a previously used password is rejected when a user changes it, compare the number of generations enforced against the documented policy, and check that history enforcement applies to every password change method: user-initiated change, self-service reset, and helpdesk or administrator reset.
Common Implementation Gaps
- Password history not configured or set to zero
- Password history lower than the organization's documented number of generations (the control itself sets no number; the Microsoft security baseline and the DISA Windows STIG use 24, and PCI DSS requires at least four)
- Password reset methods that bypass history checks, for example helpdesk scripts or Entra ID self-service reset, which by design allows the previous password to be reused on a forgotten-password reset
- Local accounts, or groups covered by a fine-grained password policy, with a weaker history setting than the domain default
- Users defeating the history in two ways: with a minimum password age of zero, changing the password 25 times in a row to get back to the original; or making a trivial change (Password1 to Password2) that a history check cannot catch and that needs banned-password or similarity screening instead
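The following script, added here as an example rather than part of the page's original content, is the kind of check an assessor or administrator would run to cover both the assessment guidance above and the first, fourth and fifth gaps in the list: it reads the default domain policy, every fine-grained password policy, and the local security policy of the host it runs on, and flags any scope whose history depth is below the threshold or whose minimum password age is zero. It assumes the ActiveDirectory RSAT module is installed, a domain account with read access, and local administrator rights for the secedit export; the thresholds of 24 generations and a one-day minimum age are assumptions matching the policy described on this page, not values mandated by the control.

```powershell
# Added example: audit CMMC 3.5.8 password-history enforcement across the
# scopes where it can silently differ (domain default, PSOs, local policy).
# Assumed thresholds; adjust to the organization's documented values.
param(
    [int]$MinHistory = 24,          # generations the organization has documented
    [int]$MinPasswordAgeDays = 1    # 0 lets a user cycle N+1 passwords in minutes
)

Import-Module ActiveDirectory -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

function Test-PasswordPolicy {
    param([string]$Scope, [int]$HistoryCount, [TimeSpan]$MinAge)
    if ($HistoryCount -lt $MinHistory) {
        $findings.Add("$Scope : PasswordHistoryCount=$HistoryCount (below $MinHistory)")
    }
    if ($MinAge.TotalDays -lt $MinPasswordAgeDays) {
        $findings.Add("$Scope : MinPasswordAge=$($MinAge.TotalDays) days (allows history cycling)")
    }
}

# 1. Default Domain Password Policy: applies to every domain account not covered by a PSO.
$default = Get-ADDefaultDomainPasswordPolicy
Test-PasswordPolicy -Scope 'Default Domain Policy' `
    -HistoryCount $default.PasswordHistoryCount -MinAge $default.MinPasswordAge

# 2. Fine-grained password policies override the default for the groups they target;
#    a PSO with a short history exempts its members from the domain setting.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicy -Scope "PSO '$($_.Name)' (precedence $($_.Precedence))" `
        -HistoryCount $_.PasswordHistoryCount -MinAge $_.MinPasswordAge
}

# 3. Local security policy on this host, which governs local accounts.
#    secedit writes an INI-style file whose [System Access] section holds the values.
$cfg = Join-Path $env:TEMP 'secpol-3.5.8.inf'
& secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$localHistory = 0
$localMinAge  = 0
foreach ($line in Get-Content $cfg) {
    if ($line -match '^PasswordHistorySize\s*=\s*(\d+)') { $localHistory = [int]$matches[1] }
    if ($line -match '^MinimumPasswordAge\s*=\s*(\d+)')  { $localMinAge  = [int]$matches[1] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
Test-PasswordPolicy -Scope "Local policy on $env:COMPUTERNAME" `
    -HistoryCount $localHistory -MinAge (New-TimeSpan -Days $localMinAge)

if ($findings.Count -eq 0) {
    Write-Output "PASS: every checked scope enforces at least $MinHistory generations and a non-zero minimum password age."
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it on a domain controller to check the domain settings and on a sample of member servers and workstations to catch local accounts that Group Policy does not reach. It does not cover Entra ID, whose cloud password policy only rejects the immediately previous password on change and none on self-service reset; for cloud-only accounts, document that limitation and the compensating banned-password lists rather than claiming 24 generations.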
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | IA-5(1) Password-Based Authentication (the reuse-for-generations language is Rev 4 IA-5(1)(e)) |
| PCI DSS | v3.2.1 Req 8.2.5 (v4.0 Req 8.3.7) - Do not allow submission of a new password that is the same as any of the last four |
Need Help Implementing 3.5.8?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment