Identification and Authentication 3.5.7

Enforce a minimum password complexity and change of characters when new passwords are created.


What Is This CMMC Control?

Organizations must enforce minimum password complexity requirements and require users to change a certain number of characters when creating new passwords. This applies to both single-factor password authentication and passwords used as part of multi-factor authentication. The control aims to prevent weak passwords and discourage password reuse by ensuring new passwords differ meaningfully from old ones.

Control Intent

Prevent unauthorized access by ensuring passwords are sufficiently complex and distinct from previous passwords, making them resistant to common password attacks such as dictionary attacks, brute force attacks, and password guessing.

Who This Control Applies To

  • All systems and applications that use password-based authentication for CUI access
  • User accounts with access to CUI, whether local or domain-based
  • Service accounts and shared accounts that use password authentication
  • Both single-factor password authentication and passwords used as part of MFA
  • Cloud-based systems and SaaS applications that store or process CUI
  • Remote access systems requiring password authentication
  • Administrative and privileged accounts using password authentication

Not Applicable When

  • Systems use only passwordless authentication methods (e.g., certificate-based, hardware tokens without passwords)
  • Authentication is exclusively through federated identity providers that enforce their own password policies, provided that policy has been reviewed and documented as meeting the organization's requirements
  • Systems use only biometric authentication without password fallback
  • Accounts are disabled or not used to access CUI
  • Systems are completely isolated from CUI and the CUI environment

Key Objectives

  • Ensure passwords meet minimum complexity requirements that resist common attack methods
  • Prevent users from reusing previous passwords or making trivial modifications to existing passwords
  • Reduce the effectiveness of brute force and dictionary attacks against password-based authentication
  • Maintain password strength across password changes so authentication security does not degrade over time

Sample Self-Assessment Questions (Partial)

Does your organization use passwords to access systems that store or process CUI?

What is your current minimum password length requirement?

Implementation Approaches (High-Level)

Active Directory Group Policy Password Complexity

Centralized password policy enforcement through Active Directory Group Policy Objects (GPOs) applied to all domain-joined systems and user accounts, using the built-in settings "Minimum password length", "Password must meet complexity requirements" and "Enforce password history" (or Fine-Grained Password Policies for privileged accounts). Note that Windows has no native setting for the number of characters that must change between passwords; history depth plus complexity is the nearest built-in control, and enforcing a true change-of-characters rule requires a custom or third-party password filter.

Cloud Identity Provider Password Policies

Password complexity enforcement through cloud-based identity providers such as Microsoft Entra ID (formerly Azure AD), Okta, Google Workspace, or other IAM platforms. Export or screenshot the provider's effective policy, since the provider's defaults are what an assessor will compare against your documented requirement.

Linux PAM Password Complexity Modules

Password complexity enforcement on Linux systems using Pluggable Authentication Modules (PAM), specifically pam_pwquality (or the older pam_cracklib on legacy distributions). The settings in /etc/security/pwquality.conf that map most directly to this control are minlen (minimum length), minclass (number of character classes) and difok (number of characters that must differ from the previous password); pam_pwhistory or the remember= option supplies the reuse check. Set enforce_for_root, because pam_pwquality only warns root by default, which would leave the most privileged local account outside the policy.

Application-Level Password Policies

Password complexity enforcement within individual applications, databases, or systems that maintain their own user authentication.

Hybrid Centralized and Per-System Enforcement

Combination of centralized identity management for most users with per-system enforcement for local accounts, service accounts, and systems that cannot integrate with centralized authentication.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. For this control that typically means the written policy stating the required length, complexity and change-of-characters rule; the exported technical configuration that enforces it (a GPO report, /etc/security/pwquality.conf together with the PAM stack, or identity-provider policy screenshots); and evidence that enforcement actually works, such as a rejected trivial password change captured during testing, plus access reviews showing which accounts the policy covers.

Plan of Action & Milestones (POA&M)

  • If password complexity cannot be immediately enforced on all systems, prioritize systems with direct CUI access or privileged accounts
  • Document specific systems or applications that cannot meet complexity requirements and provide technical justification
  • Establish a remediation timeline with milestones for implementing password complexity on non-compliant systems
  • Consider compensating controls such as MFA, increased monitoring, or restricted access for systems that cannot enforce complexity
  • For legacy systems, evaluate whether they can be replaced, upgraded, or isolated to reduce risk
  • Ensure the POA&M includes specific technical tasks (e.g., "Configure pam_pwquality on all Linux servers") rather than vague commitments
  • Include testing and validation steps to verify password complexity enforcement after remediation
  • Address service accounts and local administrator accounts explicitly in the POA&M if they are currently exempted
  • Set realistic timelines based on system criticality, technical complexity, and resource availability
  • Plan for periodic review of password policies to ensure they remain effective against evolving threats

Frequently Asked Questions

What is the minimum password length required for CMMC Level 2?

Neither the CMMC practice nor NIST SP 800-171 specifies a minimum length. The Rev. 2 discussion for 3.5.7 points to NIST SP 800-63B, which requires user-chosen passwords to be at least 8 characters; DoD STIG baselines for Windows and Linux require 14 or 15, and 12 to 14 characters is a reasonable floor for a new policy. Whatever value you choose, document it, enforce it technically, and be able to explain why it resists offline cracking of a stolen hash, not just online guessing.

How many characters must change when a user creates a new password?

The control requires that a minimum number of characters change, but does not specify an exact number. Common implementations require at least 4 to 8 characters to change, depending on password length. On Linux this is the pam_pwquality difok setting, whose default of 1 is too low to satisfy the intent and should be raised; Windows has no built-in equivalent, so organizations typically rely on password history depth plus complexity and document that as the implementation. The character change requirement works in conjunction with password history to prevent users from making trivial modifications to previous passwords. Organizations must document their specific requirement and enforce it technically.
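As an added, self-contained illustration of what "minimum length plus a required change of characters" means when enforced by pam_pwquality, as described in the Linux PAM approach above and in this answer (example code written for this page, not libpwquality's or ConformatIQ's code): it parses a constructed pwquality.conf fragment and applies the minlen, minclass, maxrepeat and difok rules to candidate passwords. The difok rule is modelled as an edit distance between the old and new password, with the shortcut that a new password at least twice the old length passes; treat that as an approximation of the library rather than a copy of it. The plaintext history tuple is a stand-in for the hashes pam_pwhistory actually stores, and credit settings are assumed to be at their default of 0 so minlen is a raw length.

```python
"""pam_pwquality-style password change check (added example, not libpwquality)."""

# Constructed sample of /etc/security/pwquality.conf; an assumption for this
# example, not taken from any real host. Credits (dcredit etc.) left at 0.
SAMPLE_PWQUALITY_CONF = """\
# sample pwquality.conf fragment (constructed for this example)
minlen = 14
minclass = 3
difok = 5
maxrepeat = 3
"""

# Defaults as documented in pam_pwquality(8) for the keys modelled here.
DEFAULTS = {"minlen": 8, "minclass": 0, "difok": 1, "maxrepeat": 0}


def parse_pwquality_conf(text):
    """Read 'key = value' lines for the modelled keys; other keys are ignored
    so a complete real file can be passed in unchanged."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in cfg:
            cfg[key] = int(value)
    return cfg


def levenshtein(a, b):
    """Edit distance between two strings (approximates how libpwquality
    measures difok: a distance, not a count of characters absent from old)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def char_classes(pw):
    """Count how many of the four classes (lower, upper, digit, other) appear."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def longest_run(pw):
    """Length of the longest run of one repeated character (maxrepeat)."""
    best = run = 0
    for i, c in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == c else 1
        best = max(best, run)
    return best


def check_password(cfg, new_pw, old_pw=None, history=()):
    """Return the list of failed rule names; an empty list means accepted.

    old_pw  : the password being replaced; drives the difok comparison.
    history : earlier passwords (pam_pwhistory territory); exact reuse is
              rejected. Real deployments compare hashes, plaintext is used
              here only to keep the example self-contained.
    """
    failures = []
    if len(new_pw) < cfg["minlen"]:
        failures.append("minlen")
    if char_classes(new_pw) < cfg["minclass"]:
        failures.append("minclass")
    if cfg["maxrepeat"] and longest_run(new_pw) > cfg["maxrepeat"]:
        failures.append("maxrepeat")
    if old_pw is not None:
        # Accept if the distance reaches difok OR the new password is at
        # least twice as long as the old one (libpwquality's shortcut).
        if (levenshtein(old_pw, new_pw) < cfg["difok"]
                and len(new_pw) < 2 * len(old_pw)):
            failures.append("difok")
    if new_pw == old_pw or new_pw in history:
        failures.append("history")
    return failures


if __name__ == "__main__":
    cfg = parse_pwquality_conf(SAMPLE_PWQUALITY_CONF)
    old = "Winter2023!Pass"                       # constructed sample values
    for new in ("Winter2024!Pass",                # one character changed
                "Short1!", "passwordpasswordpass",
                "Aaaaa1111!!!!!x", "correct-Horse7-battery"):
        print(f"{new!r:26} -> {check_password(cfg, new, old) or 'accepted'}")
```

The first candidate is the case this control exists to stop: every built-in complexity rule passes, and only the difok comparison rejects it. That is why an assessor will ask for the change-of-characters setting separately from the length and complexity settings.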

Do service accounts and shared accounts need to meet the same password complexity requirements?

Yes, service accounts and shared accounts that access CUI must meet the same password complexity requirements as user accounts unless there is a documented technical limitation with approved compensating controls. Many organizations mistakenly exempt service accounts, which creates a significant security gap. If a service account cannot support complex passwords, consider using alternative authentication methods such as certificates or managed service identities.

How do we enforce password complexity for SaaS applications we don't control?

For SaaS applications, you must verify that the provider's password policy meets or exceeds your organization's requirements. This is typically done by reviewing the provider's security documentation, the tenant's configuration settings, or security questionnaires. If the SaaS application uses federated authentication (SAML or OpenID Connect) with your identity provider, password complexity is enforced by your identity provider, and the evidence is your identity provider's policy plus proof that local logins to the application are disabled. If the application maintains its own user database, you must verify its password policy and document this verification as evidence.

What happens if we have legacy systems that cannot enforce password complexity?

Legacy systems that cannot enforce password complexity require documented exceptions with compensating controls. Compensating controls might include implementing MFA, restricting network access to the system, enhanced monitoring and logging, or isolating the system from direct CUI access. The exception and compensating controls must be documented and approved. Organizations should also include these systems in a remediation plan (POA&M) with a timeline for upgrading, replacing, or decommissioning them.

Is password salting required by this control?

Password salting is mentioned in the supplemental guidance as a consideration to mitigate brute force attacks, but it is not explicitly required by the control text; protected storage of passwords is covered separately by 3.5.10. Modern authentication systems should nonetheless use salted password hashing as a security best practice. If your systems store password hashes, using a modern password hashing algorithm such as bcrypt, scrypt, or Argon2 (each of which salts automatically) demonstrates a mature approach to password security and may be viewed favorably during assessment.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.