

AC.L2-3.5.7[a] — Identification & Authentication (Password Complexity)

Domain: Identification & Authentication (IA)  |  Practice: IA.L2-3.5.7  |  Objective ID: 3.5.7[a]  |  Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2

Assessment Objective:

Password complexity requirements are defined.

Executive Summary (For Leadership and the Board)

CMMC objective AC.L2-3.5.7[a] sits inside the Identification & Authentication domain (IA.L2-3.5.7 — Password Complexity) and reads: "Password complexity requirements are defined." In practice, this means defining minimum password requirements (length, character types, prohibited patterns). NIST 800-63B recommends an 8+ character minimum, with emphasis on length over complexity rules. For organizations that handle Controlled Unclassified Information (CUI), this objective is part of the foundation that every downstream control depends on.

Under DFARS 252.204-7012, AC.L2-3.5.7[a] will be evaluated during a full third-party CMMC Level 2 assessment. Leadership and the board should be asking: Who owns this objective? When was it last reviewed? Where is the evidence stored?