Practice IA.L2-3.5.8 Details - Revision history

David at 01:01, 16 March 2025

2025-03-16T01:01:15Z

← Older revision		Revision as of 01:01, 16 March 2025
Line 12:		Line 12:
	'''Examine'''		'''Examine'''

	[SELECT FROM: Identification and authentication policy;password policy;procedures addressing authenticator management; system security plan; system design documentation;system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].		[SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].

	'''Interview'''		'''Interview'''
Line 28:		Line 28:
	'''Example'''		'''Example'''

	You explain in your company’s security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period.You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b].		You explain in your company’s security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period. You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b].
	=== Potential Assessment Considerations ===		=== Potential Assessment Considerations ===
	* How many generations of password changes need to take place before a password can be reused [a]?		* How many generations of password changes need to take place before a password can be reused [a]?
	=== KEY REFERENCES ===		=== KEY REFERENCES ===
	* NIST SP 800-171 Rev 2 3.5.8		* NIST SP 800-171 Rev 2 3.5.8

David at 23:02, 15 March 2025

2025-03-15T23:02:47Z

← Older revision		Revision as of 23:02, 15 March 2025
Line 1:		Line 1:
	'''Source of Reference: The official [https://~~www~~.~~acq~~.~~osd.mil~~/cmmc/~~documentation.html~~ CMMC Level 2 Assessment Guide] from the ~~Office of the Under Secretary~~ of Defense ~~Acquisition & Sustainment~~.'''		'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 2 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''

	For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.		For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

Wikiadmin: Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == IA.L2-3.5.8 – PASSWORD REUSE == === SECURITY REQUIREMENT === Prohibit password reuse for a specified number of generations. === ASSESSMENT OBJECTIVES === Deter..."

2022-02-25T20:57:36Z

Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == IA.L2-3.5.8 – PASSWORD REUSE == === SECURITY REQUIREMENT === Prohibit password reuse for a specified number of generations. === ASSESSMENT OBJECTIVES === Deter..."

New page

'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''

For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

== IA.L2-3.5.8 – PASSWORD REUSE ==
=== SECURITY REQUIREMENT ===
Prohibit password reuse for a specified number of generations.
=== ASSESSMENT OBJECTIVES ===
Determine if:
: [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS ===
'''Examine'''

[SELECT FROM: Identification and authentication policy;password policy;procedures addressing authenticator management; system security plan; system design documentation;system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].

'''Interview'''

[SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].

'''Test'''

[SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].
=== DISCUSSION ===
Password lifetime restrictions do not apply to temporary passwords.
=== FURTHER DISCUSSION ===
Individuals may not reuse their passwords for a defined period of time and a set number of passwords generated.

'''Example'''

You explain in your company’s security policy that changing passwords regularly provides increased security by reducing the ability of adversaries to exploit stolen or purchased passwords over an extended period.You define how often individuals can reuse their passwords and the minimum number of password generations before reuse [a]. If a user tries to reuse a password before the number of password generations has been exceeded, an error message is generated, and the user is required to enter a new password [b].
=== Potential Assessment Considerations ===
* How many generations of password changes need to take place before a password can be reused [a]?
=== KEY REFERENCES ===
* NIST SP 800-171 Rev 2 3.5.8