Requirement text: IA.3.085: Prevent the reuse of identifiers for a defined period.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Identifiers are provided for users, processes acting on behalf of users, or devices (IA.1.076).
Preventing reuse of identifiers implies preventing the assignment of previously used
individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
CMMC CLARIFICATION
Identifiers uniquely associate a user ID to an individual, group, role or device. Establish
guidelines and implement mechanisms to prevent identifiers from being reused for the
period of time established by the organization in the policy.
Example
As the IT administrator for your organization you maintain a central directory/domain that
holds user accounts and computers within the organization. As part of your job you issue
unique usernames (joe@acme.com) for the staff to access resources. When you issue staff computers you also rename the computer to reflect to whom it is assigned (joe-laptop01).
Joe has recently left the organization so you must manage the former staff member’s account.
Incidentally, the replacement is also named Joe. In the directory you do not assign the
previous account to the new user. You create an account called joe02. This account is
assigned the appropriate permissions for the new user. A new laptop is also provided with
the identifier of joe02-laptop01.
References
• NIST SP 800-171 Rev 1 3.5.5
• CIS Controls v7.1 16.7, 16.10, 16.12
• NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
• NIST SP 800-53 Rev 4 IA-4