Overview
The CMMC 2.0 control objectives most directly related to password rotation fall under the Identification and Authentication (IA) domain at Level 2.
Key Control Objectives
IA.L2-3.5.8 — Prohibit Password Reuse for a Specified Number of Generations
This control maps to NIST SP 800-171 Rev 2 requirement 3.5.8. It requires the organization to specify the number of password generations during which a previous password may not be reused, and to enforce that prohibition. The check runs each time a password is changed, which is why it is the control most often associated with rotation practices, but the requirement itself says nothing about how often a change must occur.
IA.L2-3.5.7 — Enforce Minimum Password Complexity
This companion control (NIST SP 800-171 Rev 2 requirement 3.5.7) governs what a newly created password must look like: it must meet a minimum complexity, and when an existing password is changed the new value must differ from the old one in a minimum number of character positions, so that a user cannot satisfy the reuse prohibition by incrementing a trailing digit.
How These Controls Work Together
Together, these two controls govern what happens at the moment a password is changed: the new value must meet the complexity floor, differ sufficiently from the current one, and not repeat any of the retained generations. Neither requirement specifies a maximum password age. If an assessor finds that passwords are never rotated, these are the control objectives they would examine, but the finding would turn on whether the organization has specified a generation count and actually enforces it, and whether complexity and change-of-characters rules are defined and enforced, not on the absence of a rotation interval that the controls do not state.
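The following is an added example, not code from any CMMC or NIST publication, showing how the two checks above look when enforced in software: a per-account history of salted PBKDF2 digests that is searched on every change (3.5.8), plus a complexity floor and a count of changed character positions between the old and new password (3.5.7). The generation count, length, character-class and changed-character thresholds and the PBKDF2 iteration count are assumed policy values chosen for illustration; the controls leave those numbers to the organization.

```python
"""Password-change checks illustrating IA.L2-3.5.8 (no reuse for a specified
number of generations) and IA.L2-3.5.7 (minimum complexity and change of
characters). Added example; not from any CMMC or NIST publication. The numbers
below are assumed policy values, not figures the controls themselves specify."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

# Assumed policy values: the organization specifies them; 3.5.7/3.5.8 do not.
DEFAULT_GENERATIONS = 24     # 3.5.8: generations during which reuse is prohibited
MIN_LENGTH = 14              # 3.5.7: minimum complexity (length + character classes)
MIN_CLASSES = 3
MIN_CHANGED_CHARS = 4        # 3.5.7: minimum number of changed character positions
PBKDF2_ITERATIONS = 100_000  # kept low for an example; raise for production use


@dataclass
class PasswordRecord:
    """Salted PBKDF2 digest; the history holds digests, never plaintext."""
    salt: bytes
    digest: bytes


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, derive(password, salt))


def record_matches(record: PasswordRecord, password: str) -> bool:
    return hmac.compare_digest(record.digest, derive(password, record.salt))


def changed_positions(old: str, new: str) -> int:
    """Positions where new differs from old; a length difference counts as changed."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def complexity_ok(password: str) -> bool:
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    present = sum(1 for cls in classes if any(c in cls for c in password))
    return len(password) >= MIN_LENGTH and present >= MIN_CLASSES


@dataclass
class Account:
    """history[0] is the current password; at most `generations` entries are kept."""
    history: list = field(default_factory=list)
    generations: int = DEFAULT_GENERATIONS


def new_account(password: str, generations: int = DEFAULT_GENERATIONS) -> Account:
    return Account([make_record(password)], generations)


def change_password(acct: Account, old_plain: str, new_plain: str) -> str:
    """Return "ok" on success, otherwise the reason the change was refused."""
    # The user-supplied current password is what lets us count changed characters;
    # an administrator reset has no old plaintext, so that check cannot apply there.
    if not record_matches(acct.history[0], old_plain):
        return "current password incorrect"
    if not complexity_ok(new_plain):
        return "complexity"
    if changed_positions(old_plain, new_plain) < MIN_CHANGED_CHARS:
        return "too few changed characters"
    # 3.5.8: compare against every retained generation, each under its own salt.
    if any(record_matches(rec, new_plain) for rec in acct.history):
        return "reused"
    acct.history.insert(0, make_record(new_plain))
    del acct.history[acct.generations:]   # drop generations older than the limit
    return "ok"


def retained_generations(acct: Account) -> int:
    return len(acct.history)


if __name__ == "__main__":
    # Constructed sample passwords; a 3-generation window keeps the demo short.
    acct = new_account("Winter-Sunrise-2024!", generations=3)
    print(change_password(acct, "Winter-Sunrise-2024!", "Spring-Meadow-5501?"))
    print(change_password(acct, "Spring-Meadow-5501?", "Winter-Sunrise-2024!"))
```

Two points the code makes that the control text does not spell out: the history must be stored as salted digests rather than plaintext, which is why each generation is compared under its own salt, and the change-of-characters rule can only be applied when the user supplies the current password, so an administrative reset path needs a separate policy for it.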
Important Context: Evolving NIST Guidance
CMMC 2.0 Level 2 pulls directly from NIST SP 800-171 Rev 2. There has been an evolving conversation in the broader NIST guidance (particularly SP 800-63B) that has moved away from mandatory time-based rotation in favor of longer, stronger passwords changed only when compromise is suspected.
However, for CMMC 2.0 assessment purposes, organizations are still evaluated against the 800-171 Rev 2 requirements as written. The organization therefore still needs a written policy that specifies the number of generations during which reuse is prohibited and the complexity and change-of-characters rules for new passwords, together with evidence that its systems enforce those settings, whether or not it also imposes a time-based rotation interval.