IA.L2-3.5.8

IA.L2-3.5.8: Password Reuse

Prohibit password reuse for a specified minimum number of generations.

Password history prevents users from cycling through passwords repeatedly, using the same one they’ve been using forever. The idea is to force actual password changes over time. This is easily configured in Windows Group Policy or cloud identity providers.

Like password complexity (IA.L2-3.5.7), this is usually straightforward. The assessor checks your configuration, sees a reasonable number (typically 5-24 remembered passwords), and moves on. The failure is usually “I didn’t even know this was configurable” or “we never set it up.” Together with IA.L2-3.5.10 (cryptographic protection), these practices make up your password security posture.

Family Identification and Authentication
Practice IA.L2-3.5.8
Difficulty Easy
Key evidence Password history policy, Group Policy configuration screenshot

What the assessor is actually evaluating

The assessor is checking that you have a password history requirement and that it’s enforced. They want to know how many previous passwords you remember. They’ll ask where you’ve configured this. If you say “I don’t know,” that’s a problem. If you say “we remember the last 10 passwords,” that’s fine.

The number itself is less important than the fact that you have one. NIST recommends at least 5. Most organizations use 10 or 24. Pick something reasonable and document it.

What a realistic SSP definition looks like

Example SSP Language: IA.L2-3.5.8

Practice IA.L2-3.5.8: Password Reuse Restrictions

Users cannot reuse recent passwords. Our password history requirement prevents users from cycling through old passwords repeatedly.

Domain Accounts:

Active Directory Group Policy enforces a password history requirement of [10 / 24] passwords. Users cannot set a new password to any of their previous [10 / 24] passwords. This is configured in the Password Policy Group Policy object applied to all domain-joined systems.

Cloud Accounts:

Azure AD password policy enforces a password history of at least [5 / 10] passwords. Users attempting to reuse a recent password are prompted to choose a different one.

Service Accounts:

Service account passwords are rotated every 90 days. New passwords are randomly generated and not reused from previous passwords. Service account password changes are documented in the credential vault audit logs.

Policy Review:

This password history requirement is reviewed annually as part of our security policy review. The configuration is validated against the Group Policy or identity provider settings to ensure it remains enforced.

Clear and simple. The assessor reads this and knows exactly where to look for evidence.

How to present your evidence

Evidence checklist
  • Password policy document stating history requirement (e.g., 10 remembered passwords)
  • Group Policy screenshot showing 'Enforce password history' configured
  • Cloud identity provider policy screenshot showing password history setting
  • Your SSP statement covering password reuse restrictions

You need:

  1. Your password policy document. A written statement of your password history requirement (e.g., “we remember the last 10 passwords”).

  2. Group Policy screenshot. If you use Windows, navigate to Account Policies > Password Policy and show the “Enforce password history” setting. Screenshot or export it.

  3. Identity provider policy screenshot. If using cloud, show the password history setting from your identity provider admin panel.

That’s all the evidence you need. This is quick.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "What is your password history requirement?"
"We remember the last 10 passwords and don't allow reuse. It's enforced in Group Policy for domain accounts and in our identity provider for cloud accounts."
Q: "Can you show me where that's configured?"
Pull up Group Policy. "Here's the Account Policies > Password Policy settings. You can see 'Enforce password history' is set to 10 passwords. This applies to all domain accounts."
Q: "Why 10 and not 5?"
You don't need to justify this. "We selected 10 as a reasonable balance between security and usability." That's enough. The assessor isn't looking for a specific number, just that you have one.

Common failures

Password history is not configured at all. Group Policy shows 0 or the setting is disabled. Users can cycle through passwords. Fix this immediately.
Password history is set to a very low number. Group Policy says 1 or 2. That's not really a history requirement. Users can cycle through two passwords repeatedly. Set it to at least 5.
Password history is configured to a reasonable number and enforced. 10 or 24 remembered passwords. Group Policy shows it. Cloud provider shows it.
Get assessment room tips in your inbox

Short, practical breakdowns of what assessors actually ask and how to answer. No compliance jargon, no sales pitch. Subscribe free on Substack.

If you use an MSP or MSSP

Your MSSP configured this as part of your Group Policy setup. It should already be in place. Confirm it with them before the assessment.

This is not a practice where you expect customization. Standard domain configuration includes password history. If your MSSP hasn’t set it up, ask why.

Ask your MSSP: "What password history requirement have you configured for our domain?" They should tell you immediately. If they don't know, push back. This is basic domain administration.

This guidance is based on assessment room experience and reflects one practitioner’s interpretation of CMMC Level 2 requirements. It is not legal or compliance advice. Always consult your compliance team and official CMMC documentation for final guidance.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← IA.L2-3.5.9: Temporary Passwords All Practices IA.L2-3.5.7: Password Complexity →