bigforceone

IA.L2-3.5.8 Prohibit password reuse for a specified number of generations.

What this control requires

Prohibit password reuse for a specified number of generations.

Source: CMMC L2 v2.13 IA.L2-3.5.8 / NIST SP 800-171 R2 3.5.8 (official control text).

Why this matters

Password reuse keeps a compromised secret valid. If an old password was exposed through phishing, a breach dump, or shoulder surfing, an attacker who still holds it regains access the moment that password cycles back into use, and breach-dump passwords are exactly what credential stuffing tools replay against accounts. Enforcing a password history ensures that users, including long-tenured ones, cannot rotate through a small set of memorized passwords. The control leaves the number of generations to the organization; 24 is a common choice and is the value set in the Microsoft security baseline and DISA STIG for Windows. This protection layer complements complexity requirements and keeps human habit from undermining the rest of the authentication defense.
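The following is an added example of how a password-history check is typically implemented in an application that manages its own credentials; it is not FORCE's code and not part of the original page. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the password hash (any slow, salted hash would do), a per-entry random salt, and a configurable number of generations. The important detail it shows is that because each stored entry has its own salt, a candidate password must be re-hashed once per entry rather than looked up; storing unsalted hashes to make the lookup cheap is a common mistake that weakens the history store itself.

```python
"""Password-history enforcement for a 'remember the last N passwords' policy.

Added example for IA.L2-3.5.8, not code from FORCE or from the page.
Assumptions: PBKDF2-HMAC-SHA256 (stdlib) as the password hash, a random
16-byte salt per entry, and a caller-chosen number of generations.
"""
import hashlib
import hmac
import os
from collections import deque

# OWASP's 2023 guidance for PBKDF2-HMAC-SHA256; the demo below lowers it for speed.
DEFAULT_ROUNDS = 600_000


class PasswordHistory:
    """Keeps the last `generations` password hashes for one account.

    Entry 0 is the current password; older entries follow. A candidate is
    rejected if it matches any stored entry, including the current one.
    The deque's maxlen drops the oldest entry automatically once the
    history is full, which is exactly when that old password becomes
    reusable under the policy.
    """

    def __init__(self, generations: int, rounds: int = DEFAULT_ROUNDS):
        if generations < 1:
            raise ValueError("generations must be >= 1")
        self.generations = generations
        self.rounds = rounds
        self._entries: deque = deque(maxlen=generations)  # (salt, digest) pairs

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.rounds)

    def is_reuse(self, candidate: str) -> bool:
        """True if `candidate` equals any remembered password.

        Every entry has its own salt, so the candidate is re-hashed per entry;
        the comparison is constant-time to avoid leaking partial matches.
        """
        return any(
            hmac.compare_digest(self._hash(candidate, salt), digest)
            for salt, digest in self._entries
        )

    def set_password(self, new_password: str) -> None:
        """Rotate to `new_password`, refusing anything still in the history."""
        if self.is_reuse(new_password):
            raise ValueError(
                f"password was used within the last {self.generations} generations"
            )
        salt = os.urandom(16)
        self._entries.appendleft((salt, self._hash(new_password, salt)))


def rotations_until_reusable(generations: int, original: str, rounds: int = DEFAULT_ROUNDS) -> int:
    """Show the policy's limit: with a history of N, `original` is accepted
    again only after N different passwords have been set. Returns the number
    of rotations performed before `original` stopped being flagged as reuse.
    The rotation passwords are constructed here purely for the demonstration."""
    history = PasswordHistory(generations, rounds=rounds)
    history.set_password(original)
    count = 0
    while history.is_reuse(original):
        count += 1
        history.set_password(f"{original}-rotation-{count}")
    return count


if __name__ == "__main__":
    h = PasswordHistory(generations=24, rounds=10_000)
    h.set_password("Winter2024!")
    print("reuse of current password detected:", h.is_reuse("Winter2024!"))
    print("rotations before reuse is allowed:", rotations_until_reusable(3, "Spring2024!", rounds=10_000))
```

Because the current password is entry 0 of the history, the same check also blocks a "change" to the password already in use. The cost of `is_reuse` grows linearly with the number of generations, which is acceptable for a password change but is one reason not to run the check on every login.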

What evidence assessors expect

Assessors typically look for a screenshot or configuration export of the password-history setting (for example, the Enforce password history policy in Windows Group Policy, or the equivalent password policy in your identity provider). FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on IA.L2-3.5.8.

FORCE shows where you stand on this control and walks you through closing it.

Start a free trial tenant →