GRCWatch
Sign inStart free trial

IA.L2-3.5.7: Password Complexity Requirements for CMMC Level 2

Password complexity is a foundational access control under CMMC Level 2 that prevents weak credentials from becoming your organization's weakest link. This control requires enforcing minimum character requirements and mandatory changes when new passwords are created, significantly reducing the risk of unauthorized access through compromised or guessed credentials.

What this means

This control mandates that all system passwords meet minimum complexity standards—typically including uppercase letters, lowercase letters, numbers, and special characters—and that users must change characters when creating new passwords rather than simply incrementing numbers or reusing similar patterns. The goal is to ensure passwords are resistant to brute-force and dictionary attacks while preventing predictable password rotation schemes.

How to comply

  1. 1.Configure password policies in Active Directory or equivalent identity management system to enforce minimum length (typically 12+ characters for Level 2)
  2. 2.Require at least three of four character types: uppercase letters, lowercase letters, numbers, and special characters
  3. 3.Set password change history to prevent reuse of previous passwords (minimum 5-10 previous passwords)
  4. 4.Implement password expiration policies (90 days typical, or risk-based alternatives)
  5. 5.Configure systems to reject new passwords that are too similar to previous ones using password policy tools
  6. 6.Apply policies consistently across all user accounts, service accounts, and administrative accounts
  7. 7.Document password complexity requirements in your security policy and user access control procedures
  8. 8.Test password policy enforcement across all systems quarterly

Evidence auditors look for

  • Active Directory Group Policy Objects (GPOs) showing password complexity enabled with character type requirements
  • Password policy configuration screenshots from Windows, Linux, or cloud identity systems
  • System logs showing rejected password changes that failed complexity requirements
  • User documentation or onboarding materials explaining password complexity rules
  • Audit reports from identity management tools showing policy enforcement metrics
  • Security policy document sections defining password complexity standards
  • Third-party password manager configuration reports showing enforced complexity rules
  • Employee training records covering password creation best practices

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically maps your Active Directory and identity system configurations to CMMC controls, identifies non-compliant password policies in real-time, and generates the policy documentation and evidence reports needed for assessments.

See how GRCWatch handles this control automatically

Start free trial

Related controls

IA.L2-3.5.1 (Account Management)IA.L2-3.5.2 (Access Enforcement)IA.L2-3.5.8 (Password Management)SC.L2-3.13.1 (Cryptographic Protection)