Identification and Authentication 3.5.5 (3.5.5)

Prevent reuse of identifiers for a defined period.


What Is This CMMC Control?

This control requires organizations to prevent the reuse of user accounts, device identifiers, and other authentication credentials for a defined period after they are retired or decommissioned. When an employee leaves, a device is replaced, or a service account is retired, the identifier (username, device name, etc.) cannot be immediately reassigned to a different person or system. This prevents confusion in audit logs, ensures accountability for past actions, and reduces the risk of unauthorized access through residual permissions or cached credentials.

Control Intent

To maintain the integrity of audit trails and accountability by ensuring that identifiers uniquely represent a single entity throughout their lifecycle and for a defined period after retirement, preventing confusion about who or what performed specific actions in the system.

Who This Control Applies To

  • All user accounts (employees, contractors, temporary workers)
  • Service accounts and system accounts
  • Device identifiers and hostnames
  • Role-based identifiers and group memberships
  • API keys and service principals
  • Certificate common names and distinguished names
  • Any identifier used for authentication or authorization in systems processing CUI

Not Applicable When

  • The organization has no systems that process, store, or transmit CUI
  • Generic or shared identifiers that are never retired (though this practice itself may violate other controls)
  • Identifiers that are automatically generated with sufficient uniqueness guarantees (e.g., UUIDs) where collision is mathematically improbable

Key Objectives

  1. Ensure that retired identifiers cannot be reassigned to different users, devices, or processes for a defined period to maintain audit trail integrity.
  2. Prevent confusion in security logs and access records by ensuring each identifier uniquely represents only one entity over time.
  3. Reduce the risk of unauthorized access through residual permissions, cached credentials, or session tokens associated with reused identifiers.

Sample Self-Assessment Questions (Partial)

Does your organization have a defined period during which retired usernames cannot be reused?

When an employee leaves, how long before their username can be assigned to a new employee?

Implementation Approaches (High-Level)

Active Directory Account Deletion with Tombstone Retention

Configure Active Directory to retain deleted user objects in a tombstone state for a defined period, preventing the reuse of usernames and security identifiers (SIDs) during that time.

Identity Management System with Retired Identifier Database

Implement an identity management or IAM system that maintains a permanent or long-term database of retired identifiers and prevents their reuse through automated checks during provisioning.

Naming Convention with Unique Suffixes

Implement a naming convention that includes unique, non-repeating elements (such as hire date, employee ID, or sequential numbers) that naturally prevent identifier reuse without requiring complex tracking systems.

Permanent Identifier Retirement Policy

Implement an organizational policy that identifiers are never reused under any circumstances, effectively setting the non-reuse period to indefinite. This is the most conservative and simplest approach to implement.
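As an added example (not code from this page or from ConformatIQ), the following Python sketch implements the three approaches above in one place: a retired-identifier database, the automated reuse check run at provisioning time with a defined non-reuse period (or permanent retirement when the period is None), and the naming-convention fallback that appends a year and sequence number. The 730-day default period and the name format are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Set


class RetiredIdentifierRegistry:
    """Retired-identifier database with a provisioning-time reuse check (None period = permanent retirement)."""
    def __init__(self, non_reuse_period: Optional[timedelta] = timedelta(days=730)):
        # 730 days is an assumed policy value, aligned with a 2-year audit log retention.
        self.non_reuse_period = non_reuse_period
        self._active: Set[str] = set()
        self._retired: Dict[str, datetime] = {}  # normalized id -> retirement time

    @staticmethod
    def normalize(identifier: str) -> str:
        # Directory services usually compare usernames and hostnames case-insensitively.
        return identifier.strip().lower()

    def retire(self, identifier: str, now: datetime) -> None:
        key = self.normalize(identifier)
        self._active.discard(key)
        self._retired[key] = now  # the non-reuse clock starts at decommissioning

    def is_reusable(self, identifier: str, now: datetime) -> bool:
        key = self.normalize(identifier)
        if key in self._active:
            return False
        retired_at = self._retired.get(key)
        if retired_at is None:
            return True  # never issued before
        if self.non_reuse_period is None:
            return False  # permanent retirement
        return now - retired_at >= self.non_reuse_period

    def provision(self, identifier: str, now: datetime) -> str:
        """Automated check run before an identifier is assigned to a new entity."""
        key = self.normalize(identifier)
        if not self.is_reusable(key, now):
            raise ValueError(f"{identifier!r} is active or within the non-reuse period")
        self._retired.pop(key, None)
        self._active.add(key)
        return key

    def next_unique_name(self, base: str, now: datetime) -> str:
        """Naming-convention approach: append the year, then a sequence number,
        until a name that has never been issued (active or retired) is found."""
        candidate, seq = f"{base}.{now.year}", 1
        while self.normalize(candidate) in self._active or self.normalize(candidate) in self._retired:
            seq += 1
            candidate = f"{base}.{now.year}.{seq}"
        return candidate
```

The registry itself is the evidence an assessor asks for: the retired set with timestamps is the record that a sampled identifier was not reissued inside the period.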

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If no defined period exists, document a risk-based determination of an appropriate non-reuse period (consider audit log retention, regulatory requirements, and operational needs)
  • Prioritize implementing non-reuse controls for user accounts first, then expand to service accounts and device identifiers
  • If technical enforcement is not immediately feasible, implement procedural controls with regular audits as an interim measure
  • For organizations with limited IAM capabilities, consider implementing a naming convention approach as a simpler alternative
  • If identifier namespace exhaustion is a concern, document the risk and consider extending identifier formats before implementing permanent retirement
  • Align the non-reuse period with audit log retention requirements to ensure accountability is maintained
  • For federated or cloud environments, work with providers to understand their identifier management practices and implement compensating controls if needed
  • Document any exceptions to the non-reuse policy with risk assessments and compensating controls

Frequently Asked Questions

What is a reasonable 'defined period' for identifier non-reuse?

The defined period should be based on your audit log retention requirements and organizational risk tolerance. A common approach is to set the non-reuse period equal to or greater than your audit log retention period (typically 1-2 years for CMMC). Some organizations choose permanent retirement of identifiers as the simplest approach. The key is that the period must be explicitly defined in policy and consistently enforced.

Does this control apply to device identifiers and service accounts, or just user accounts?

This control applies to all identifiers used for authentication or authorization, including user accounts, service accounts, device identifiers, hostnames, role names, and any other identifier that represents a user, process, or device. The control text specifically mentions 'users, processes acting on behalf of users, or devices,' so all identifier types must be covered.

Can we reuse an identifier if we completely wipe all associated permissions and audit logs?

No. The control requires preventing reuse for a defined period regardless of whether permissions are removed. The intent is to maintain audit trail integrity and accountability. Even if technical permissions are removed, historical audit logs may still reference the old identifier, and reusing it would create confusion about who performed which actions. The defined period must elapse before any reuse is considered.

What if we run out of available usernames due to the non-reuse requirement?

If identifier namespace exhaustion is a concern, consider: (1) extending your naming convention to include unique elements like dates or numbers (e.g., john.smith.2024), (2) adopting a permanent retirement policy and accepting that some names may not be reusable, or (3) using employee IDs or other unique identifiers as the primary username. The control does not require you to exhaust your namespace, but it does require preventing reuse for a defined period.

How is this control verified during a CMMC assessment?

Assessors will review your policy to confirm a defined non-reuse period is documented, examine technical controls (like Active Directory tombstone settings or IAM configurations) that enforce the policy, and may request a sample of retired identifiers to verify they have not been reused within the defined period. Assessors may also review audit logs or query identity systems to confirm no reuse has occurred. Both policy and technical enforcement are typically required.

Do we need to track retired identifiers forever, or just for the defined period?

You must track retired identifiers at least for the duration of the defined non-reuse period. After that period expires, you may choose to allow reuse (if your policy permits) or continue permanent retirement. Many organizations find it simpler to maintain a permanent archive of retired identifiers rather than managing time-based expiration. Your approach should be documented in policy and consistently applied.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.