IA.3.085

Control Acronym

IA

Family

Identification And Authentication

CMMC Level

3

800-171 Control #

3.5.5

CMMC Description

Prevent the reuse of identifiers for a defined period.

CMMC Clarification

Identifiers uniquely associate a user ID to an individual, group, role or device. Establish guidelines and implement mechanisms to prevent identifiers from being reused for the period of time established by the organization in the policy. Example As the IT administrator for your organization you maintain a central directory/domain that holds user accounts and computers within the organization. As part of your job you issue unique usernames (joe@acme.com) for the staff to access resources. When you issue staff computers you also rename the computer to reflect to whom it is assigned (joe-laptop01). Joe has recently left the organization so you must manage the former staff member’s account. Incidentally, the replacement is also named Joe. In the directory you do not assign the previous account to the new user. You create an account called joe02. This account is assigned the appropriate permissions for the new user. A new laptop is also provided with the identifier of joe02-laptop01.

800-171 Description

Prevent reuse of identifiers for a defined period.

800-171 Discussion

Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 16.7, 16.10, 16.12

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IA-4

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.5.5

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

IA.3.085.[a] a period within which identifiers cannot be reused is defined; and

Assessment Sub-Criteria 2

IA.3.085.[b] reuse of identifiers is prevented within the defined period.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15