NIST 800-171 Control 3.5.7: Password Complexity & Change Requirements
NIST SP 800-171 control 3.5.7 mandates that organizations enforce minimum password complexity standards and require character changes when new passwords are created. This control directly reduces credential-based attacks and prevents password reuse vulnerabilities that threaten controlled unclassified information (CUI). Compliance requires both technical enforcement and documented password policies.
What this means
Control 3.5.7 requires your organization to establish and enforce password rules that demand sufficient complexity (length, character variety, special characters) and prevent users from reusing old passwords or making minimal changes. The goal is to create passwords that resist brute-force and dictionary attacks while ensuring users can't circumvent complexity by simply changing one character or rotating through predictable variations.
How to comply
- 1.Set minimum password length (NIST recommends 12+ characters) and require character diversity: uppercase, lowercase, numbers, and special characters
- 2.Configure identity systems (Active Directory, IAM tools) to enforce complexity rules at password creation and reset
- 3.Implement password history controls to prevent reuse of previous passwords (typically last 12–24 iterations)
- 4.Define and document password change requirements, including frequency and complexity reset rules
- 5.Configure systems to reject new passwords that are too similar to previous ones (character substitution only)
- 6.Test password policies across all systems handling CUI and document enforcement in system security plans
- 7.Provide user training on password creation and explain why complexity requirements protect organizational data
- 8.Monitor and audit password changes via system logs to verify compliance with complexity standards
Evidence auditors look for
- Password policy documentation specifying minimum length, character requirements, and change rules
- System configuration screenshots (Active Directory, cloud IAM) showing enforced complexity settings
- Password history logs confirming rejection of reused or minimally-changed passwords
- Security training records demonstrating staff awareness of password complexity requirements
- System security plan excerpts detailing password controls for CUI systems
- Audit logs showing enforcement actions and failed password attempts due to complexity violations
- Identity management tool settings confirming password similarity detection is enabled
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates password policy enforcement across your tech stack and generates audit-ready evidence of complexity controls in real time, eliminating manual log reviews for NIST 800-171 3.5.7 compliance.
See how GRCWatch handles this control automatically
Start free trial