Control 3.5.7
Enforce Password Complexity and Change Requirements
Official Requirement
Enforce a minimum password complexity and change of characters when new passwords are created.
What This Means in Plain English
Passwords must meet minimum complexity requirements (length and character types), and a new password must differ from the ones the user has used before rather than being a trivial variation of them. Weak, reused, and easily guessed passwords remain one of the most common ways attackers gain initial access.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Active Directory password policy enforcing 14+ character minimum with complexity requirements
- Microsoft Entra Password Protection blocking commonly used and easily guessed passwords via Microsoft's global banned password list (which is built from Microsoft's own telemetry, not from third-party breach dumps)
- Custom banned password list including company-specific terms
- Password history enforcement preventing reuse of the last 24 passwords
- ComplianceArmor documenting the password policy and requirements
Assessment Guidance
Assessors will review password policy settings in Active Directory and Entra ID (including any fine-grained password policies that override the default domain policy), verify that complexity requirements are enforced technically rather than by written policy alone, check that common passwords are blocked, and test that new passwords must differ from previous ones. Be prepared for the last point: the AD password history setting blocks exact reuse of prior passwords, but neither AD nor Entra ID has a native setting for a minimum number of changed characters between a user's old and new password. The technical evidence for the "change of characters" clause is therefore the combination of password history, complexity, and the banned-password lists, and the assessor may ask you to demonstrate that a trivial variant of a banned term (for example a company name with a new year appended) is rejected.
Common Implementation Gaps
- Minimum password length below 14 characters
- No complexity requirements enforced
- Common passwords (Password1!, CompanyName2024) not blocked
- Password history not enforced or set too low
- No banned password list for organization-specific terms
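The following PowerShell script is an added example, not Petronella's or Microsoft's own code. It audits the settings the implementation section above relies on (minimum length, complexity, password history, and reversible encryption on the default domain policy and every fine-grained policy) against the thresholds this page lists, and it screens candidate passwords against a constructed organization-specific banned list using the normalization Microsoft documents for Entra Password Protection (case folding plus the substitutions 0/o, 1/l, $/s, @/a). The thresholds, the sample banned terms, and the candidate passwords are assumptions for illustration; the screening function approximates Entra's normalization and substring matching, not its full scoring algorithm. The policy audit needs the ActiveDirectory RSAT module and a domain connection; the password screen runs offline.

```powershell
# Added example (not Petronella's or Microsoft's code): audit AD password
# settings relevant to 3.5.7 and screen candidates against a banned list.
# Assumes the ActiveDirectory module is available and the caller can read
# the domain password policy objects. Thresholds are the ones this page
# lists, not values mandated by NIST SP 800-171 itself.
#Requires -Modules ActiveDirectory

$MinLength  = 14   # assumed threshold from this page
$MinHistory = 24   # assumed threshold from this page (AD's maximum)

function Test-PasswordPolicyObject {
    # Flags the gaps listed under "Common Implementation Gaps" for one policy object.
    param(
        [Parameter(Mandatory)] $Policy,
        [string] $Name = 'Default Domain Policy'
    )
    $gaps = @()
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $gaps += "minimum length $($Policy.MinPasswordLength) is below $MinLength"
    }
    if (-not $Policy.ComplexityEnabled) {
        $gaps += 'complexity requirement is disabled'
    }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $gaps += "password history $($Policy.PasswordHistoryCount) is below $MinHistory"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $gaps += 'reversible encryption is enabled (passwords recoverable in cleartext)'
    }
    [pscustomobject]@{ Policy = $Name; Compliant = ($gaps.Count -eq 0); Gaps = $gaps }
}

function Get-PasswordPolicyReport {
    # The default domain policy plus every fine-grained policy (PSO) that can
    # override it for specific users or groups; a weak PSO is an easy miss.
    $results = @(Test-PasswordPolicyObject -Policy (Get-ADDefaultDomainPasswordPolicy))
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $results += Test-PasswordPolicyObject -Policy $pso -Name "PSO: $($pso.Name)"
    }
    $results
}

# Constructed sample banned list: company-specific and generic terms.
$BannedTerms = @('petronella', 'compliancearmor', 'companyname', 'password', 'welcome')

function ConvertTo-NormalizedPassword {
    # Lower-case, apply the substitutions Microsoft documents for Entra
    # Password Protection (0->o, 1->l, $->s, @->a), then drop a trailing run
    # of digits/symbols so "CompanyName2024!" collapses to "companyname".
    param([Parameter(Mandatory)][string] $Candidate)
    $n = $Candidate.ToLowerInvariant()
    $n = $n -replace '0', 'o' -replace '1', 'l' -replace '\$', 's' -replace '@', 'a'
    $n -replace '[^a-z]+$', ''
}

function Test-BannedPassword {
    # Substring match against the banned list after normalization; this is an
    # approximation of Entra's matching, not its point-based scoring.
    param(
        [Parameter(Mandatory)][string] $Candidate,
        [string[]] $Banned = $BannedTerms
    )
    $normalized = ConvertTo-NormalizedPassword -Candidate $Candidate
    foreach ($term in $Banned) {
        if ($normalized.Contains($term.ToLowerInvariant())) {
            return [pscustomobject]@{ Candidate = $Candidate; Blocked = $true; MatchedTerm = $term }
        }
    }
    [pscustomobject]@{ Candidate = $Candidate; Blocked = $false; MatchedTerm = $null }
}

# Usage: the two examples this page lists as commonly unblocked, plus one
# leetspeak variant and one unrelated passphrase (all constructed).
'Password1!', 'CompanyName2024', 'P@$$w0rd2025!', 'correct-horse-battery-staple' |
    ForEach-Object { Test-BannedPassword -Candidate $_ } | Format-Table -AutoSize

# Usage: the policy audit (requires a domain connection).
Get-PasswordPolicyReport | Format-Table -AutoSize
```

Run the screen first on a workstation to confirm that the custom terms you intend to upload actually catch the variants your users are likely to try; the normalization step is why "CompanyName2024" and "C0mpanyN@me!" both resolve to the same banned term. Run the policy report from a domain-joined host with RSAT and keep its output with the ComplianceArmor evidence for this control.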
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | IA-5(1) |
| HIPAA | 164.312(d) - Person or Entity Authentication |
| PCI DSS | v3.2.1 Req 8.2.3 - Passwords require a minimum length of at least seven characters with both numeric and alphabetic characters (superseded in v4.0 by Req 8.3.6, which raises the minimum to 12 characters) |
Need Help Implementing 3.5.7?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment