IA.L2-3.5.5 Prevent reuse of identifiers for a defined period.

What this control requires

Prevent reuse of identifiers for a defined period.

Source: CMMC L2 v2.13 IA.L2-3.5.5 / NIST SP 800-171 R2 3.5.5 (official control text).

Why this matters

When user accounts, service principals, or device identifiers are retired, immediately reusing those same identifiers creates security and audit confusion. An attacker who compromises a recycled username inherits its access history, audit trail, and potentially cached permissions. Auditors cannot distinguish actions by the original holder from the new one. This control enforces a waiting period—typically 90-180 days—before any identifier can be reassigned, ensuring clear attribution of actions, preventing privilege carryover, and maintaining forensic integrity. It protects organizations from insider threats masquerading as former employees and prevents accidental permission inheritance when names are reused.
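
One way to enforce the waiting period at provisioning time, as an added example (not code from this page or from FORCE). The 180-day window, the function names, and the sample directory data are assumptions made for illustration; identifiers are normalized first so that case or Unicode variants of a retired name are treated as the same identifier.

```python
"""Provisioning gate: refuse to assign an identifier retired within the quarantine window."""
import unicodedata
from datetime import date, timedelta

QUARANTINE_DAYS = 180  # assumption: upper end of the 90-180 day range cited above


def normalize(identifier: str) -> str:
    # Treat "JSmith", "jsmith " and full-width look-alikes as one identifier,
    # otherwise a case or Unicode variant slips past the reuse check.
    return unicodedata.normalize("NFKC", identifier).strip().casefold()


def build_tombstones(retired):
    """Map normalized identifier -> most recent retirement date."""
    tombstones = {}
    for identifier, retired_on in retired:
        key = normalize(identifier)
        if key not in tombstones or retired_on > tombstones[key]:
            tombstones[key] = retired_on
    return tombstones


def check_reuse(identifier, active, tombstones, today, quarantine_days=QUARANTINE_DAYS):
    """Return (allowed, reason) for a request to assign `identifier` on `today`."""
    key = normalize(identifier)
    if key in {normalize(a) for a in active}:
        return False, "identifier is currently assigned"
    retired_on = tombstones.get(key)
    if retired_on is not None:
        release = retired_on + timedelta(days=quarantine_days)
        if today < release:
            return False, f"retired {retired_on}, reusable on or after {release}"
    return True, "no active holder and outside quarantine window"


# Constructed sample data (not from any real directory).
RETIRED = [("jsmith", date(2024, 1, 10)), ("JSmith", date(2024, 6, 1)),
           ("svc-backup", date(2023, 3, 15))]
ACTIVE = ["adoe", "svc-deploy"]
TOMBSTONES = build_tombstones(RETIRED)

if __name__ == "__main__":
    for name in ("JSMITH", "svc-backup", "ADoe", "newhire"):
        print(name, check_reuse(name, ACTIVE, TOMBSTONES, date(2024, 9, 1)))
```

Retired identifiers have to be kept as tombstones rather than deleted outright, since the check needs the retirement date to compute when the identifier becomes reusable.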

What evidence assessors expect

Assessors typically look for: PDF, CSV export, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
