Identifier Reuse
Prevent reuse of identifiers for a defined period.
What an assessor scores, the objectives
IA.L2-3.5.5 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.a period within which identifiers cannot be reused is defined
- b.reuse of identifiers is prevented within the defined period
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For IA.L2-3.5.5, an assessor uses these:
Identification and authentication policy; system security plan; procedures addressing authenticator management; procedures addressing user identification and authentication; system design documentation; list of system authenticator types; system configuration settings and associated documentation; change control records associated with managing system authenticators; system audit logs and records; other relevant documents or records
Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators
Mechanisms supporting or implementing authenticator management capability
What it means, in context
Identifiers are provided for users, processes acting on behalf of users, or devices ( IA.L2- 3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
Identifiers uniquely associate a user ID to an individual, group, role, or device. Establish guidelines and implement mechanisms to prevent identifiers from being reused for the period of time established in the policy. Example As a system administrator, you maintain a central directory/domain that holds the accounts for users, computers, and network devices. As part of your job, you issue unique usernames (e.g., riley@acme.com) for the staff to access resources. When you issue staff computers you also rename the computer to reflect to whom it is assigned ( e.g., riley-laptop01). Riley has recently left the organization, so you must manage the former staff member ’s account. Incidentally, their replacement is also named Riley . In the directory , you do not assign the previous account to the new user, as policy has defined an identifier reuse period of 24 months [a]. In accordance with policy, you create an account called riley02 [b]. This account is assigned the appropriate permissions for the new user. A new laptop is also provided with the identifier of riley02-laptop01. Potential Assessment Considerations • Are accounts uniquely assigned to employees, contractors, and subcontractors [b]? • Are account identifiers reused [b]?
What passing evidence looks like
The identifier reuse rule (usernames are never reassigned to a different person for the defined period) written down, and directory practice matching it.
Common ways contractors fail IA.L2-3.5.5
- !Deleting a mailbox and giving the same address to a new hire inside your defined period is the violation. Disable and retain instead of delete and reuse.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove IA.L2-3.5.5, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
IA.L2-3.5.5 questions, answered
How many points is CMMC requirement IA.L2-3.5.5 worth?+
IA.L2-3.5.5 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can IA.L2-3.5.5 be placed on a POA&M?+
Yes. A gap on IA.L2-3.5.5 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does IA.L2-3.5.5 belong to?+
IA.L2-3.5.5 is in the Identification & Authentication (IA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.5.5