IA.L2-3.5.7 — Enforce a minimum password complexity and change of characters when new passwords are created.
What this control requires
Enforce a minimum password complexity and change of characters when new passwords are created.
Source: CMMC L2 v2.13 IA.L2-3.5.7 / NIST SP 800-171 R2 3.5.7 (official control text).
Why this matters
Weak or predictable passwords are the easiest entry point for attackers attempting credential stuffing, brute-force, or dictionary attacks. When users reuse passwords or make trivial modifications like changing a single digit, compromised credentials remain exploitable across breaches. This control enforces structural complexity—requiring uppercase, lowercase, numbers, and symbols—and mandates meaningful character changes when passwords rotate, making automated guessing exponentially harder. Without these guardrails, adversaries can crack passwords in seconds using leaked password databases and common substitution patterns.
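An added example, not part of the control text or of any product named on this page: a check applied when a password is changed, covering both halves of the control (character-class complexity and the number of characters changed from the old password). The thresholds `MIN_LENGTH` and `MIN_CHANGED` and the use of edit distance to measure "change of characters" are assumptions; the control leaves the actual values to the organization.

```python
import string

# Assumed thresholds; the control text leaves the actual values to the organization.
MIN_LENGTH = 12
MIN_CHANGED = 4  # minimum edit distance between old and new password

def missing_classes(password):
    """Return the names of required character classes absent from password."""
    checks = {
        "uppercase": str.isupper,
        "lowercase": str.islower,
        "digit": str.isdigit,
        "symbol": lambda c: c in string.punctuation,
    }
    return [name for name, test in checks.items() if not any(test(c) for c in password)]

def edit_distance(old, new):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(new) + 1))
    for i, a in enumerate(old, 1):
        cur = [i]
        for j, b in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a != b)))
        prev = cur
    return prev[-1]

def check_new_password(old, new):
    """Return a list of policy violations; an empty list means the change is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems += [f"missing {name} character" for name in missing_classes(new)]
    # Compare case-insensitively so a case flip does not count as a change.
    changed = edit_distance(old.lower(), new.lower())
    if changed < MIN_CHANGED:
        problems.append(f"only {changed} character(s) changed, need {MIN_CHANGED}")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    old = "Harbor-Light-2023!"
    for candidate in ("Harbor-Light-2024!", "harbor-light-2023!", "Quiet#Meadow-71-Fox"):
        print(candidate, "->", check_new_password(old, candidate) or "accepted")
```

The comparison needs the old password in plaintext, which is only available at change time when the user supplies it; stored password hashes cannot be compared this way.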
What evidence assessors expect
Assessors typically look for: screenshot, configuration export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.