IA.L2-3.5.7
Also known as: Password complexity requirement
The NIST SP 800-171 requirement that mandates the contractor enforce password complexity rules.
IA.L2-3.5.7 requires the contractor to 'enforce a minimum password complexity and change of characters when new passwords are created.' This is the foundational password policy requirement of NIST SP 800-171.
In practice, contractors implement this through their identity provider's password policy: minimum length, character class requirements, dictionary checks, breached-password databases, and an enforced change of characters when a new password is created.
A C3PAO will sample the password policy configuration, verify it's enforced live (try a weak password and see it rejected), and check that it applies to all in-scope user accounts.
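The policy elements described above, as an added example (not CMMCDocs' or any identity provider's code): a check run at password-change time, when the user supplies the old password, so the change of characters can be measured. The thresholds, the sample blocklist and the function names are assumed values, not taken from the requirement text.

```python
import re

# Assumed policy values for illustration only.
MIN_LENGTH = 14
MIN_CLASSES = 3          # out of: lowercase, uppercase, digit, symbol
MIN_CHANGED_CHARS = 4    # edit distance required between old and new password
# Constructed sample; stands in for a real dictionary or breached-password list.
BLOCKLIST = {"password", "welcome", "qwerty", "letmein"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: str) -> list[str]:
    """Return policy violations; an empty list means the password is accepted."""
    failures = []
    if len(new) < MIN_LENGTH:
        failures.append("too_short")
    if sum(bool(re.search(p, new)) for p in CLASS_PATTERNS) < MIN_CLASSES:
        failures.append("too_few_character_classes")
    # Undo common substitutions and drop non-letters so "P@ssw0rd2024!" still matches.
    folded = new.lower().replace("@", "a").replace("0", "o").replace("$", "s")
    folded = re.sub(r"[^a-z]", "", folded)
    if any(word in folded for word in BLOCKLIST):
        failures.append("contains_blocklisted_word")
    # The old password is only available in clear at change time, never from storage.
    if edit_distance(old, new) < MIN_CHANGED_CHARS:
        failures.append("too_similar_to_old_password")
    return failures
```

A password that only bumps a trailing digit passes the length and character-class checks but fails the change-of-characters check, which is the part of the requirement a complexity-only policy misses.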
CMMCDocs.com