The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Level 2 — Independent Research

CMMC Password Requirements: Length, Complexity, Rotation, History, and Assessment Evidence

By The Defense Compliance Report Editorial Team · Last reviewed: · Last verified: · Methodology · Editorial & Advertising Policy

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

CMMC does not set one universal password length, and it does not require a 60- or 90-day password change. At Level 2, CMMC password requirements come from five security requirements in NIST SP 800-171 Revision 2 — 3.5.7 through 3.5.11 — covering complexity, reuse, temporary passwords, cryptographic protection, and obscured feedback. Your organization defines several of the key numbers, but it must document and technically enforce whatever it chooses.

If you’ve opened five tabs and found five different “requirements” — 8, 12, 14, 15, 16 characters; rotate every 90 days; remember 24 passwords — you were not doing it wrong. Those numbers come from different sources answering different questions, and several guides quietly blur them together. One even labels the wrong requirement as the password-reuse rule. We’ll show you exactly where each number comes from, which one actually governs your assessment today, and how to build a policy that survives the define-and-enforce test.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

The answer on one screen

Common questionDirect answer
Does CMMC mandate one minimum password length?No — not under the current Level 2 baseline (NIST SP 800-171 Rev. 2). You set it as part of your complexity definition.
Is 12 characters required?No. It's an example in the CMMC Assessment Guide — Level 2, not a mandate.
Is 15 characters required?No. It's current NIST digital-identity guidance (SP 800-63B-4) for single-factor passwords — a benchmark, not the CMMC rule.
Is 16 characters required?Not today. That figure is tied to NIST SP 800-171 Rev. 3, which CMMC has not adopted.
Must passwords change every 60 or 90 days?No universal CMMC interval. Temporary passwords must change immediately; the rest is up to you.
Is password history required?Yes — for a number of generations you specify (3.5.8).
Is a written policy alone enough?No. Where a requirement applies, your defined values must also be enforced and testable.
Does MFA remove the password controls?No — wherever passwords remain part of authentication, the requirements still apply.

Current baseline, dated: 32 CFR Part 170 (the CMMC Program Rule) took effect December 16, 2024. DFARS clause 252.204-7021 took effect November 10, 2025. Phase 1 runs November 10, 2025 through November 9, 2026; Phase 2 begins November 10, 2026. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 because 32 CFR 170.14(c)(3) makes the Level 2 security requirements identical to Revision 2.

Who this page is for: IT directors, CISOs, compliance managers, FSOs, and small-business owners configuring or documenting password controls for a CMMC Level 2 environment. If you only handle Federal Contract Information (FCI) and you’re targeting Level 1, skip to the Level 1 section. If you’re not sure which level your contract requires, that’s the first thing to settle — it’s set by your solicitation or contract, and our CMMC levels guide and FCI vs. CUI explainer can help.

This page is educational research, not legal, contractual, assessment, or compliance advice. Confirm your required level and scope with a CMMC Registered Practitioner (RP) or Registered Provider Organization (RPO) and, where appropriate, a qualified federal-contracts attorney.

The one framework that ends the confusion: label every number by its source

Every password “requirement” you’ll read about CMMC belongs to exactly one of six categories. Once you can tell them apart, the contradictions disappear. We label every number and rule on this page with one of these tags:

We built this labeling system because the most common failure this topic produces isn’t picking the “wrong” number. It’s treating an example, a benchmark, or a future parameter as though it were the active rule — and then either over-building or, worse, writing something into the System Security Plan (SSP) that your environment can’t actually enforce.

What are the CMMC password requirements?

The CMMC Password Requirement Ledger

CMMC Level 2 has five password-specific requirements: define and enforce complexity and changed-character rules (3.5.7), prohibit reuse for a specified number of generations (3.5.8), force immediate replacement of temporary passwords (3.5.9), store and transmit only cryptographically protected passwords (3.5.10), and obscure authentication feedback (3.5.11). Your organization supplies several of the numbers, but it must document and technically enforce whatever it chooses.

Sources: NIST SP 800-171 Rev. 2 (requirement text), NIST SP 800-171A (assessment objectives), and 32 CFR 170.24 and 170.21 (CMMC scoring and POA&M rules).

Requirement (NIST / CMMC ID)What the active baseline requiresWhat you must defineUniversal number?Points if NOT METLevel 2 POA&M?
3.5.7 / IA.L2-3.5.7Enforce minimum password complexity and change of characters when new passwords are createdYour complexity baseline + how many characters must change on a changeNo length or change number1Eligible*
3.5.8 / IA.L2-3.5.8Prohibit password reuse for a specified number of generationsThe number of remembered generationsNo history number1Eligible*
3.5.9 / IA.L2-3.5.9Allow temporary passwords with an immediate change to a permanent passwordYour temporary-password provisioning procedureNo interval — the change is immediate1Eligible*
3.5.10 / IA.L2-3.5.10Store and transmit only cryptographically protected passwordsYour storage/transmission architecture and evidenceNo length or rotation number5NOT eligible
3.5.11 / IA.L2-3.5.11Obscure feedback of authentication informationHow each applicable interface obscures authentication feedbackNo1Eligible*
Related: 3.5.3 / IA.L2-3.5.3 (MFA — see our MFA page)Use MFA for local/network privileged access and network non-privileged accessMFA scope and mechanisms5 (3 partial)NOT eligible
Related: 3.1.8 / AC.L2-3.1.8Limit unsuccessful logon attemptsYou set the thresholdYou set the threshold1Eligible

* Eligible only when all 32 CFR § 170.21 conditions are met (overall score ≥ 88, no POA&M item > 1 point, 180-day closeout). Point values: 32 CFR § 170.24. Source verification: July 11, 2026.

Two numbers worth committing to memory: The five password-specific requirements put nine points of deductionon the table against a 110-point maximum. The full Identification and Authentication (IA) family — all eleven requirements, 3.5.1 through 3.5.11 — accounts for 27 points, or 24.5% of the maximum.

For the five password requirements there’s no partial credit — each is MET or NOT MET. Only two Level 2 requirements in the entire rule can be scored partially: MFA (3.5.3) and FIPS-validated encryption (3.13.11). None of your password controls is one of them.

The CMMC Assessment Guide — Level 2 states that “minimum complexity requirements are left up to the organization to define.” That’s the official guide confirming what Revision 2 leaves to you. The complexity parameters are yours to define and enforce. YOU DEFINE THIS

Build your policy the way an assessor will read it

You now know whatthe five requirements demand. The harder part is turning that into values your systems can actually enforce — and proving it. Our CMMC Password Policy & Evidence Worksheet walks you requirement by requirement: the blank you fill for each, the NIST SP 800-171A objectives your choices will be graded against, benchmark values with their sources, and a starter SSP sentence you can adapt.

Get the CMMC Password Policy & Evidence Worksheet →

Free · Do not enter passwords, CUI, drawings, account names, or system diagrams into any form. Provider matching may generate referral compensation when disclosed.

Does CMMC require 12-, 15-, or 16-character passwords?

None of those numbers is the current universal CMMC Level 2 minimum. Twelve characters appears as an example in the CMMC Assessment Guide — Level 2. Fifteen is the current NIST SP 800-63B-4 minimum for single-factor passwords. Sixteen is tied to NIST SP 800-171 Revision 3, which CMMC has not adopted. Under the active Revision 2 baseline, your organization defines the complexity parameters, including any minimum length.

The number or policyWhat it actually isUniversal CMMC Level 2 rule?How to treat it
12 charactersAn example in the CMMC Assessment Guide — Level 2, version 2.13 (Potential Assessment Considerations)NoEXAMPLE, NOT A MANDATE
15 charactersCurrent NIST SP 800-63B-4 minimum for single-factor passwordsNoMODERN BENCHMARK
15 characters (no-MFA case)DoD Procurement Toolbox Cybersecurity FAQ 53.1 example for a password-only system after a DoD component determines heightened impactNo — and the same FAQ says parameter values are "typically left to the discretion of the nonfederal organization"EXAMPLE, NOT A MANDATE
8 characters (with MFA)NIST SP 800-63B-4 minimum when a password is used only as one factor within MFANoMODERN BENCHMARK
16 charactersDoD's published Rev. 3 organization-defined parameter (ODP 03.05.07.f)No — not under the current ruleFUTURE WATCH
60- or 90-day rotationA legacy or organizational policy choiceNoOPTIONAL ORGANIZATIONAL POLICY
24-password historyA common defaultNoYOU DEFINE THIS

Where the 12-character claim comes from

Twelve characters appears in the CMMC Assessment Guide — Level 2, version 2.13, as a Potential Assessment Considerations example — a mix of upper- and lower-case, numbers, and symbols. It’s an official assessment-guide example, not a mandate, and not automatically adequate for every environment. Don’t write “CMMC requires 12 characters” in your SSP; the rule doesn’t say that. EXAMPLE, NOT A MANDATE

Where the 15-character claim comes from

Fifteen is the headline number from NIST SP 800-63B-4, the Digital Identity Guidelines finalized in 2025. That document requires single-factor passwords to be at least 15 characters, prohibits composition rules, and discourages forced periodic changes absent evidence of compromise. It’s strong, modern guidance. But CMMC Level 2 is pinned to NIST SP 800-171 Rev. 2, which does not adopt 63B-4’s specific numbers. So 15 is a benchmark you can cite to justify your policy — not a CMMC safe harbor, and not a substitute for the four assessment objectives inside 3.5.7. MODERN BENCHMARK

Where the 16-character claim comes from

Sixteen is a Rev. 3 story. NIST published SP 800-171 Revision 3 in May 2024, and in April 2025 DoD published organization-defined parameters (ODPs) for Rev. 3. DoD’s ODP 03.05.07.f sets a 16-character minimum and prohibits a password containing the user’s account name or full name. But 32 CFR 170.14(c)(3) still maps current CMMC Level 2 to Rev. 2. So the 16-character figure would control a CMMC assessment only after DoD updates the program’s governing baseline through rulemaking. FUTURE WATCH

The uncomfortable part — and the upside

CMMC does not hand you a single password configuration to copy.You have to define several values yourself — complexity, length, changed characters, history — and that flexibility becomes an assessment burden the moment your policy, your platform settings, your SSP, and your test evidence stop matching. An assessor grades you against your own written definitions.

The upside is real: you are notstuck adopting some punishing legacy setting just because a competitor’s blog called it “the CMMC requirement.” You get to choose values that fit your environment, that you can technically enforce everywhere, and that you can demonstrate on demand.

OUR EDITORIAL CALL Don’t publish one universal “CMMC minimum.” If you want a defensible reference point: NIST SP 800-63B-4 sets 15 characters for single-factor passwords and permits 8 when the password is only one factor within MFA; DISA STIG configurations commonly enforce 14; CIS benchmarks commonly land at 14 or more. Pick a value that satisfies 3.5.7, that every in-scope system can actually enforce, and document the source you relied on. Choose the number because it meets the objective and holds up in your environment — not because you saw it in an article.

Why are CMMC password requirements so confusing in 2026?

The confusion comes from different sources answering different questions. Current CMMC uses NIST SP 800-171 Rev. 2. Assessment guidance supplies examples. NIST SP 800-63B-4 supplies modern digital-identity guidance. DoD’s Rev. 3 parameters preview a future baseline. Mix those layers and you manufacture “requirements” that don’t exist.

Think of it as four stacked layers, only one of which controls your assessment right now:

  1. The controlling CMMC baseline — 32 CFR 170.14(c)(3) + NIST SP 800-171 Rev. 2. This is what an assessor scores.
  2. How the objectives get assessed— NIST SP 800-171A + the CMMC Assessment Guide (Level 2). This is how they judge “met.”
  3. Modern password-security guidance — NIST SP 800-63B-4. Useful for justifying your choices.
  4. The future watch — NIST SP 800-171 Rev. 3 + DoD’s Rev. 3 ODPs. Prepare; don’t implement as CMMC yet.

The interpretation rule that saves you: a newer publication is not automatically the current CMMC requirement. The CMMC rule has to adopt the newer baseline through rulemaking before it controls an assessment. Until DoD does that, Rev. 2 governs.

What does CMMC Level 1 require for passwords?

CMMC Level 1 requires covered systems to identify users, processes acting on behalf of users, and devices, and to authenticate or verify their identities before granting access. FAR 52.204-21 — the Level 1 safeguarding rule — does not set a universal minimum length, history count, composition formula, or rotation interval.

IssueLevel 1 (FCI)Level 2 (CUI)
Information protectedFederal Contract InformationControlled Unclassified Information
BaselineFAR 52.204-21NIST SP 800-171 Rev. 2
Numeric password minimum in the ruleNoNo universal number (you define complexity)
Password-requirement clusterNot the five Level 2 requirements3.5.7–3.5.11
AssessmentAnnual self-assessmentSelf-assessment or C3PAO, per the contract
POA&MNot permittedNarrowly permitted for eligible items

Handling FCI only does notautomatically make every Level 2 password control apply. Don’t let anyone talk you into a Level 2 identity redesign until your solicitation, flow-down obligations, information type, and assessment scope actually support it. If you’re unsure whether you touch CUI at all, resolve that first — start with our FCI vs. CUI guide or the Level 1 self-assessment walkthrough.

What does CMMC Level 2 require for passwords?

CMMC Level 2 applies the password requirements in NIST SP 800-171 Rev. 2 to the assets inside your CMMC assessment scope, according to how each asset is categorized under 32 CFR 170.19. Requirements 3.5.7 through 3.5.11 cover complexity, history, temporary passwords, cryptographic protection, and authentication feedback. MFA (3.5.3) is a related but separate requirement.

One nuance that trips people up: the requirements don’t apply identically to every box in your building. Under 32 CFR 170.19, CUI Assets are assessed against all Level 2 requirements; Security Protection Assets are assessed against the requirements relevant to the protection they provide; and Contractor Risk Managed Assets and Specialized Assets get different treatment the rule spells out. Get your scoping right first (see our scoping guide); it decides where these controls even land.

IA.L2-3.5.7 — Password complexity and changed characters

ACTIVE REQUIREMENT

Define your minimum complexity, define how many characters must change when a password changes, and technically enforce both.

NIST SP 800-171A breaks this one requirement into four assessment objectives: complexity requirements are defined; change-of-character requirements are defined; complexity is enforced when new passwords are created; and change-of-characters is enforced. That’s why a policy document alone doesn’t satisfy it — two of the four objectives are about enforcement.

“Change of characters” refers to the number of character positions that must differ when a password is changed. It exists to stop the Password1 Password2 shuffle. You set the number. YOU DEFINE THIS

Failure it trips most: the SSP says 14 characters, but the domain policy still enforces 8 — and the change-of-characters rule was never defined.

IA.L2-3.5.8 — Password reuse

ACTIVE REQUIREMENT

Choose a password-history generation count, state it in policy, and prevent reuse for that count. The rule says a specified number of generations. Specified by you. YOU DEFINE THIS It does notsay 24 — that’s a common default, not a mandate. NIST SP 800-171A has two objectives here: the number of generations is specified, and reuse is prohibited for that number.

Failure it trips most: “enforce password history” left at a default (or 0) on some systems, or a policy that promises a history depth the platform can’t store.

IA.L2-3.5.9 — Temporary passwords

ACTIVE REQUIREMENT

A temporary password used to log on must trigger an immediate change to a permanent password. No interval here — the change is immediate. This applies to new-user provisioning, help-desk resets, vendor defaults, and SaaS invitations when they issue a temporary password for system logon. Passwordless invitation links and Microsoft Entra Temporary Access Passes need mechanism-specific analysis, because they aren’t automatically “temporary passwords” under 3.5.9.

Failure it trips most: the help desk sets temporary passwords with no forced change at first logon.

IA.L2-3.5.10 — Cryptographic protection (the five-point requirement)

ACTIVE REQUIREMENT 5 POINTS • NO POA&M

Passwords must be cryptographically protected both where they’re stored and while they’re transmitted. This is the one that can end your certification. It carries a five-point deduction, and under 32 CFR 170.21 it cannot go on a Level 2 POA&M— it must be MET before your assessment result is finalized.

In practice: salted one-way hashes for any password store you build, protected transmission channels — avoiding LDAP simple bind or any legacy protocol that transmits passwords without cryptographic protection — and inherited controls documented where a vendor handles it. The invisible failures: plaintext passwords in scripts, config files, spreadsheets, tickets, or emails. Any one of those is an evidence problem and a real risk. For the wider encryption picture, see our CMMC encryption requirements guide.

Failure it trips most: reversible or plaintext credential storage somewhere in scope that nobody inventoried.

IA.L2-3.5.11 — Obscured authentication feedback

ACTIVE REQUIREMENT

Authentication interfaces must obscure authentication information during the authentication process. Masked (or briefly displayed) password entry is directly supported by the NIST discussion. Error-message design belongs here when the feedback would disclose authentication information. Watch the corners: command-line tools, scripts, kiosks, mobile apps, and legacy internal applications.

Failure it trips most: a custom or legacy app that echoes the password on screen or in an error.

The right CMMC provider isn’t the same for every contractor — the category you need depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and don’t submit CUI, drawings, or sensitive contract details. Provider matching may generate referral or lead-routing compensation; any relationship is disclosed at the point of recommendation.

Does CMMC require password changes every 60 or 90 days?

Current CMMC Level 2 does not impose one universal 60- or 90-day expiration interval. It requires immediate replacement of temporary passwords (3.5.9), a defined changed-character rule when passwords are changed (3.5.7), and whatever additional change events or schedule your organization chooses and consistently enforces.

The eventHow to classify it
Temporary password usedImmediate change required (3.5.9) — active requirement
A user changes a passwordYour defined change-of-characters rule applies (3.5.7) — active requirement
Password suspected compromisedNIST SP 800-63B-4 requires a change on evidence of compromise — modern benchmark, not a universal Rev. 2 interval
Routine 60/90-day expirationNot a universal Rev. 2 CMMC interval

Say it precisely, because the wording matters at assessment. Don’tclaim “CMMC prohibits 90-day rotation” — it doesn’t; you may still choose an interval. Dosay “CMMC does not mandate a universal periodic interval, and current NIST guidance discourages arbitrary rotation.” If you drop periodic expiration, write the 63B-4 rationale into your policy so an assessor sees a deliberate, defensible choice rather than an oversight. OUR EDITORIAL CALL

How many previous passwords must CMMC remember?

CMMC Level 2 requires reuse to be prohibited for a specified number of generations (3.5.8), but it does not supply one universal history count. You choose the number, document it, enforce it across every applicable system, and be able to demonstrate that an old password can’t be reused within that window.

Two nuances decide whether you actually meet this. First, “prevent reuse of the current password” is not the same as a multi-generation history — some platforms only do the former by default. Second, don’t let your SSP promise more depth than your weakest in-scope system can enforce. If different applications support different maximum histories, document that reality.

A clean test procedure to keep as evidence

  1. Record the configured generation count.
  2. Create a controlled test account.
  3. Change the password through the required number of generations.
  4. Attempt reuse inside — and just outside — the prohibited window.
  5. Preserve the result, date, platform, and tester.

Does CMMC require a breached-password blocklist?

The active NIST SP 800-171 Rev. 2 password requirements do not mandate screening against a breached-password blocklist. NIST SP 800-63B-4 requires it as modern digital-identity guidance, and DoD’s Rev. 3 parameters build it into “Password Management” — but neither is the current universal CMMC Level 2 rule.

This is a genuinely useful control, and it’s where the standard is heading. Under Rev. 2, blocklist screening is a defensible enhancement you can add — not a line an assessor scores against 3.5.7 through 3.5.11 today. Treat “compromised-password screening” as a Rev. 3 / 63B-4 alignment move, filed under MODERN BENCHMARK and FUTURE WATCH, not ACTIVE REQUIREMENT.

Is a written password policy enough for CMMC?

No. Where 3.5.7 and 3.5.8 apply, assessors determine whether you defined the required values and whether the technical environment enforcesthose same values. A policy without matching configuration and test evidence can leave one or more assessment objectives NOT MET — and that costs points.

The mental model that survives an assessment has three layers, and you need all three:

LayerThe questionExample proof
DefinedWhat does your organization require?Approved policy, SSP implementation statement, procedure
ImplementedWhere and how is it enforced?GPO export, Entra/IdP settings, MDM profile, application or appliance configuration
OperatingDoes it actually work as described?Test results, logs, an observed password creation or change

In practitioner discussions we reviewed for this article, contractors describe assessors declining “administrative only” documentation and asking to see the technical control behind it. The fix is boring and effective — reconcile the SSP, the configuration, and the test evidence for each objective before anyone shows up.

Know exactly what to hand the assessor

Our CMMC Password Evidence Checklist lists, objective by objective for IA.L2-3.5.7 through 3.5.11, the policy language, the configuration export, the interview prompt, and the test prompt that maps to each one.

Get the CMMC Password Evidence Checklist →

Free · Never capture actual password values in evidence. Do not upload CUI or system details to any form.

What should a CMMC password policy contain?

A defensible CMMC password policy identifies every applicable password-bearing account and system, states your organization-defined values for complexity, changed characters, and history, and describes how temporary passwords, storage, transmission, recovery, exceptions, and evidence are controlled. It should promise only what you can technically enforce and test.

Use this as your table of contents. It maps to the five requirements plus the operational reality assessors probe:

  1. Purpose and applicable CMMC level
  2. Assessment scope and covered systems
  3. Account types: human, privileged, shared, local, service, application, appliance, emergency
  4. Minimum length or equivalent complexity parameters (your chosen values)
  5. Required character properties
  6. Changed-character requirement (the number)
  7. Password-history generations (the number)
  8. Temporary-password provisioning and immediate change
  9. Default-credential change
  10. Password reset and identity-verification procedure
  11. Compromise-triggered response
  12. Storage protection (hashing, where you control the store)
  13. Transmission protection (protected channels)
  14. Authentication-feedback behavior
  15. Password-manager rules
  16. Passwordless, recovery, and fallback paths
  17. Service-account and non-human credential handling
  18. Exceptions and formal approvals
  19. Technical enforcement locations (which system enforces what)
  20. Evidence owner and retention
  21. Testing cadence
  22. Approval and review date

How do Active Directory, Entra ID, SaaS apps, and passwordless change the answer?

The governing objectives don’t change because your architecture changes — but their applicability, the enforcement point, and the evidence do. You have to map every password path — cloud-only, synchronized, local, application, service, recovery, and emergency accounts — to the system that actually defines and enforces each setting.

The Defense Compliance Report environment implementation framework — OUR EDITORIAL CALL

EnvironmentWhere enforcement may liveAffected objectivesCommon failure
On-premises Active DirectoryDomain policy, fine-grained password policies, local policy, app-specific stores3.5.7, 3.5.8, 3.5.9, 3.1.8SSP states one minimum; the effective domain or local policy enforces another
Hybrid AD + Entra IDOn-prem AD policy, sync configuration, password writeback, Entra Password Protection, app policies3.5.7, 3.5.8, 3.5.9Assuming cloud and on-prem accounts get identical controls without testing
Entra-only (cloud-only)Microsoft's predefined cloud password policy, banned-password lists, app settings3.5.7, 3.5.8Declaring 3.5.7/3.5.8 met just because Microsoft runs the platform
Passwordless / passkeysCredential registration, recovery, bootstrap, device unlock, break-glass, fallbackApplicability of 3.5.7–3.5.11 on remaining password pathsTesting only the primary passwordless route and ignoring recovery, local admin, service accounts
SaaS & custom appsEach app's own IdP or local credential store3.5.7, 3.5.8, 3.5.10, 3.5.11Assuming the central directory policy covers local or unsynchronized app accounts
Service / non-human accountsVault, secrets manager, managed identities, app config, local service settings3.5.8, 3.5.10 (where passwords exist)Treating non-interactive accounts as out of scope without documenting why
Network, appliance, emergency accountsDevice-local policy or privileged-access tooling3.5.7, 3.5.9, 3.5.11Leaving default, shared, or undocumented fallback credentials outside the SSP

The Entra-only detail worth knowingverified

Microsoft documents that cloud-only Entra ID accounts use a predefinedpassword policy — an 8-character minimum, a 256-character maximum, three-of-four character-category complexity, and a rule that prevents immediately reusing the currentpassword — and its core length and complexity settings can’t be customized for cloud-only accounts. Synchronized users may instead be subject to on-premises Active Directory password policy, and password writeback can enforce on-premises policy for supported cloud reset or change paths. The result depends on the account source, the reset or change path, and how writeback is configured. (Platform settings change; re-confirm current Entra behavior at each policy review.)

Don’t turn this into “Entra passes” or “Entra fails.” The right question is which objectives are customer-managed, which are inherited from Microsoft, which you can technically enforce, and which you can evidence in your specific architecture.

Do service accounts and non-human accounts have to meet the CMMC password requirements?

There’s no categorical CMMC exemption for service or non-human accounts. Applicability depends on the asset category, the authentication mechanism, and the assessment objective. Managed identities, certificates, or other non-password mechanisms may remove a password path entirely, but any remaining passwords on in-scope accounts must be inventoried and assessed.

This is one of the most common blind spots. Teams lock down interactive user accounts and forget the service account running a backup job, the local admin on an appliance, or the API credential in an application config. If a service account authenticates with a password and it’s in scope, the password requirements reach it — and 3.5.10 (cryptographic protection) is the one that bites hardest here, because service-account credentials so often end up in scripts and config files in the clear. Where you can, replace the password path with a managed identity or certificate and document that in the SSP.

Does CMMC require a specific account-lockout threshold?

AC.L2-3.1.8 requires you to limit unsuccessful logon attempts, but the active baseline does not prescribe one universal attempt count or lockout duration. You set the threshold and behavior, document them, and enforce them. This is a related access-control requirement — worth one point — not one of the five password-specific Identification and Authentication requirements.

The mechanics mirror the password controls: the rule leaves the number to you, and the objective is that you defined a limit and your systems enforceit. Note that DoD’s Rev. 3 parameters would prescribe a specific lockout threshold in the future — another FUTURE WATCH item — but under Rev. 2, the count is yours.

Does MFA replace CMMC password requirements?

No — not where passwords remain part of authentication. NIST SP 800-171 Rev. 2 states that 3.5.7 applies to single-factor password authentication and when passwords are used as part of multifactor authenticators. So MFA does not erase the need to define and enforce the applicable password requirements.

MFA under IA.L2-3.5.3 carries a five-point deduction when it isn’t implemented, and a three-point deduction in the limited partial case — either way, above the one-point POA&M ceiling, so it can’t be deferred. It matters enormously, but it doesn’t cancel the password requirements wherever a password is still one of the factors. What MFA doeschange is what’s defensible: NIST SP 800-63B-4 permits shorter (8+) passwords when the password is used only as one factor within MFA. That’s a benchmark, not an automatic CMMC pass. Passwordless designs can change which mechanisms are applicable, but recovery and fallback paths may still use passwords and must be inventoried.

Are password managers allowed under CMMC?

CMMC does not categorically prohibit password managers, and current NIST digital-identity guidance encourages permitting them (including autofill and paste). But no password manager is automatically “CMMC compliant.” You must evaluate its scope, access controls, authentication, recovery, storage and transmission protections, administrative model, and evidence.

Vendors love the phrase “CMMC compliant.” Treat it as a claim to investigate, not a certification category. Here’s the buyer checklist to run:

Question to askWhy it matters
Where is the vault stored and processed?Determines your scope and the service's responsibility
How are secrets protected at rest and in transit?Relevant to 3.5.10 and your broader architecture
Is MFA enforced for vault access?The vault is a high-value credential store
How are admins and emergency access controlled?Prevents one recovery path from bypassing the model
Are shared credentials attributable and controlled?Affects identity, accountability, and access management
What logs and reports are available?Determines evidence quality
What happens offline or during recovery?Exposes fallback paths
Which cryptographic claims are independently documented?Keeps you from relying on a marketing label
Does the tool itself handle or expose CUI?May materially change your scope and other controls

One myth to kill: do not assume every password manager “must be FIPS validated.” Whether a FIPS 140 validation question is even implicated depends on the tool’s function, whether it handles CUI, and which controls you’re relying on it to satisfy. That’s an analysis, not a blanket rule.

How many CMMC points are password controls worth, and can they go on a POA&M?

The five password-specific Level 2 requirements expose nine points of deduction: one point each for 3.5.7, 3.5.8, 3.5.9, and 3.5.11, plus five points for 3.5.10. The one-point requirements can be placed on a POA&M if every 32 CFR 170.21 condition is met. IA.L2-3.5.10 carries a five-point deduction and is not POA&M-eligible.

RequirementDeduction if NOT METLevel 2 POA&M treatment
IA.L2-3.5.71Eligible (conditions apply)
IA.L2-3.5.81Eligible (conditions apply)
IA.L2-3.5.91Eligible (conditions apply)
IA.L2-3.5.105Not eligible
IA.L2-3.5.111Eligible (conditions apply)
Total exposure9Mixed

The conditions that make Conditional Level 2 status possible at all (32 CFR 170.21):

  • At least 88 of 110 (your score divided by total requirements is ≥ 0.8).
  • No item worth more than 1 point on the POA&M. The only Level 2 point-value exception is SC.L2-3.13.11 (CUI encryption) at 3 points if encryption is employed but not FIPS-validated. None of the five password controls qualifies for that exception.
  • The System Security Plan requirement (CA.L2-3.12.4) cannot be on the POA&M — an up-to-date SSP must exist at the time of assessment.
  • A closeout assessment within 180 days of the Conditional CMMC Status Date, or the conditional status expires.

For the record, 32 CFR 170.21 also names six one-point requirements that still can’t be deferred: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. None of the five password controls is on that list, so 3.5.7, 3.5.8, 3.5.9, and 3.5.11 are genuinely POA&M-eligible once you clear the thresholds above. But a POA&M is not evidence that a requirement is met, and it is never the plan for the five-point 3.5.10. ACTIVE REQUIREMENT

One more thing worth knowing: a NOT MET requirement can be re-evaluated during the certification assessment and for 10 business days after the active assessment period, if you can produce additional evidence and the findings report hasn’t been delivered (32 CFR 170.17). So a gap caught at assessment isn’t always fatal — but a five-point, non-deferrable requirement that’s still NOT MET when the result is finalized is.

Are CMMC password assessment results posted in SPRS or eMASS?

It depends on the assessment type.For a CMMC Level 2 self-assessment, your organization enters the result in the Supplier Performance Risk System (SPRS). For a Level 2 certification assessment, the C3PAO enters the result in the CMMC instantiation of eMASS, which transmits your CMMC status to SPRS. The separate DFARS 252.204-7019/-7020 NIST SP 800-171 assessments are a different track. If you’re working out which posting obligation applies, our self-assessment vs. C3PAO guide walks through it.

What evidence will a CMMC assessor examine, interview, and test?

Assessors may examine policies, procedures, SSP statements, and configuration records; interview the people responsible for identity and authenticator management; and test the mechanisms that create, change, store, transmit, and display passwords. The strongest package maps each artifact and test directly to one NIST SP 800-171A objective.

RequirementObjectives to proveStrong evidence
IA.L2-3.5.7Complexity defined; change-of-characters defined; both enforcedApproved policy, SSP statement, domain/IdP/app configs, inherited-control docs, exports/screenshots, a witnessed password-change test
IA.L2-3.5.8History count specified; reuse prevented for that countWritten history value, technical config, an attempted-reuse test
IA.L2-3.5.9Temporary password forces immediate replacementProvisioning procedure, reset workflow, IdP setting, ticket evidence, test-account demo
IA.L2-3.5.10Passwords protected in storage and in transitArchitecture diagrams, vendor docs, protocol/config evidence, hashing details where you own the store, a test or configuration review
IA.L2-3.5.11Authentication feedback obscuredLogin-screen evidence, config docs, an observed test of entry and error feedback

Two operational points that catch teams off guard. First, for a Level 2 certification assessment, evidence artifacts must be hashed with a NIST-approved algorithm and retained for six years from the CMMC Status Date (32 CFR 170.17). Build that into how you store evidence from day one. Second, tests that align to the objectives include: rejecting a password that violates your documented complexity rule; attempting a change that violates the changed-character rule; attempting reuse inside the configured history; logging in with a temporary password and showing the forced replacement; showing protected transport and password-storage design; and showing obscured entry with non-revealing errors.

A word on CUI in evidence: never capture actual password values in any artifact. Minimize CUI in evidence, and handle any CUI-containing artifact only through the assessment team’s approved secure process.

What are the most common CMMC password mistakes?

The most common failure isn’t picking the “wrong” popular number — it’s treating a recommendation as a mandate, or writing a policy the in-scope environment doesn’t actually enforce. The rest come from omitted account types, untested recovery paths, mislabeled requirements, weak storage evidence, and unsupported product-compliance claims.

The checklist to run before a readiness review:

  1. Calling 12 characters the universal CMMC minimum (it's an assessment-guide example).
  2. Calling 15 characters the active universal DoD requirement (it's 63B-4 guidance).
  3. Applying the Rev. 3 parameters as though they control current Level 2 (they don't until rulemaking).
  4. Treating 60- or 90-day rotation as universally required (no universal Rev. 2 interval).
  5. Writing "24-password history" when some in-scope systems enforce only one — or none.
  6. Treating MFA as an exemption from the password controls.
  7. Omitting local, appliance, application, vendor, service, recovery, and break-glass accounts.
  8. Mapping password reuse to 3.5.10 instead of 3.5.8 — an error we found in guidance we reviewed for this article.
  9. Mapping compromised-password screening to Rev. 2's 3.5.9 — that's the temporary-password control; blocklists are a Rev. 3 / 63B-4 concept.
  10. Treating a tool's capability as proof the control operates in your environment.
  11. Failing to separate inherited from customer-managed controls.
  12. Storing credentials in tickets, documents, scripts, spreadsheets, or reversible fields.
  13. Producing screenshots that don't show the effective configuration or scope.
  14. Copying another company's policy without testing your own environment.
  15. Overpromising in the SSP.

What we actually verified —

For this article we read and cross-checked: 32 CFR §§ 170.14, 170.16, 170.17, 170.19, 170.21, and 170.24; NIST SP 800-171 Revision 2 §3.5; NIST SP 800-171A; the CMMC Assessment Guide — Level 2, version 2.13; DFARS 252.204-7012, -7019, -7020, -7021, and -7025; the DoD Procurement Toolbox Cybersecurity FAQ (revision 4, June 13, 2024); Class Deviation 2024-O0013; NIST SP 800-63B-4; DoD’s April 2025 NIST SP 800-171 Revision 3 organization-defined-parameters memorandum; and Microsoft’s Entra ID password documentation. We also reviewed the leading guidance published on this topic in July 2026 and compared how each source labeled the governing version, minimum length, rotation, history, requirement mapping, point value, and POA&M treatment — which is how we identified the mislabeled requirements and blurred source layers noted above. Where a figure is an example, a benchmark, or a future parameter rather than an active requirement, we labeled it that way on purpose.

What should you do next to make your password controls assessment-ready?

Confirm your contract-required CMMC level and assessment scope first, then inventory every in-scope password path before you choose values. Define the values, map each to an enforcement point, resolve unsupported systems, test every objective, update the SSP, and preserve dated evidence before you calculate your score.

  1. Confirm level and scope. Read the solicitation or contract. FCI vs. CUI. Level 2 self-assessment vs. C3PAO. Set your assessment boundary and categorize your assets under 32 CFR 170.19.
  2. Inventory every authentication path. Users, privileged accounts, local accounts, service accounts, applications, appliances, SaaS, recovery, emergency access, vendor support.
  3. Choose and approve your values. Complexity, minimum length, changed-character number, history generations, and any change events or interval you elect.
  4. Map values to enforcement points. GPO, Entra, MDM, SaaS, local policy, application code, vault, appliance.
  5. Resolve mismatches. Change the configuration, narrow the policy language, replace unsupported mechanisms, redesign an account path, or document shared/inherited responsibility. Get qualified advice for applicability or formal equivalency questions.
  6. Test each objective— not just “can the user log in,” but the precise define-and-enforce objective.
  7. Update the SSP and evidence index.Record requirement, implementation, owner, system, evidence, test result, date, residual gap, and the score/POA&M consequence.

Most teams can self-serve steps 1 through 4 in a week of focused work. Steps 5 through 7 are where scale, provider access, and evidence volume decide whether you finish in-house or bring in help.

If you’re closing gaps against a real deadline

Password controls rarely fail in isolation — they surface during a gap assessment, an SSP build, or C3PAO prep, alongside MFA, logging, and encryption. If you’ve found gaps and Phase 2’s November 10, 2026 timeline is on your mind, the honest question isn’t “which vendor,” it’s “which category of help fits your situation.” OUR EDITORIAL CALL For readiness and remediation, that’s often an RPO or a CMMC-focused MSP/MSSP; for evidence workflows, a GRC platform is a supporting layer, not the whole solution. And note the independence rule: under 32 CFR 170.8, a CMMC ecosystem member cannot provide your Level 2 certification assessment if it prepared you as a consultant within the previous three years.

Tell us your level, scope, identity environment, assessment type, and timeline, and The Defense Compliance Report’s Find My CMMC Path tool maps those facts to a provider category — not a named-provider score, ranking, or compliance guarantee.

Provider matching may generate referral or lead-routing compensation; any relationship is disclosed at the point of recommendation. Do not submit CUI, drawings, passwords, account details, system diagrams, or sensitive contract information.

Frequently asked questions

What is the minimum password length for CMMC Level 2?
The active CMMC Level 2 baseline does not state one universal minimum length. Under NIST SP 800-171 Rev. 2 requirement 3.5.7, your organization defines and enforces its minimum password complexity, including any minimum length it sets. The CMMC Assessment Guide — Level 2 mentions 12 characters as an example, not a universal mandate.
Does CMMC require 12-character passwords?
No. Twelve characters appears as a Potential Assessment Considerations example in the CMMC Assessment Guide — Level 2, version 2.13. The same guidance states that minimum complexity requirements are left to the organization to define, so 12 is an example rather than a rule.
Does CMMC require 15-character passwords?
Not as a current universal Level 2 requirement. Fifteen characters is the NIST SP 800-63B-4 minimum for single-factor passwords, but current CMMC Level 2 maps to NIST SP 800-171 Revision 2, which does not adopt that figure. It's a strong benchmark to justify your policy, not a CMMC mandate.
Does CMMC require 16-character passwords?
Not under the current CMMC Level 2 rule. Sixteen characters is DoD's published organization-defined parameter for NIST SP 800-171 Revision 3 (ODP 03.05.07.f), while 32 CFR 170.14(c)(3) still maps current Level 2 to Revision 2. Treat it as a future-baseline item, not today's requirement.
Does CMMC require password changes every 90 days?
No universal 90-day interval exists in the active Level 2 requirements. Temporary passwords must be changed immediately (3.5.9), and your defined change-of-characters and history rules apply whenever passwords change. Any periodic interval is an organizational choice, and current NIST guidance discourages arbitrary rotation.
How many old passwords must CMMC remember?
CMMC does not set one universal number. Requirement 3.5.8 requires reuse to be prohibited for a specified number of generations, and NIST SP 800-171A tests whether you specified that number and technically enforce it. Twenty-four is a common default but is not mandated.
Does CMMC require a breached-password blocklist?
Not under the active NIST SP 800-171 Revision 2 password requirements. NIST SP 800-63B-4 requires blocklist screening as modern guidance, and DoD's Revision 3 parameters build it into "Password Management," but neither is the current universal CMMC Level 2 rule. It's a defensible enhancement to adopt now, not a requirement assessors score against 3.5.7–3.5.11 today.
Does CMMC require uppercase, lowercase, numbers, and symbols?
Requirement 3.5.7 requires minimum password complexity, and the assessment guide discusses character types, but you must state and enforce your own organization-defined complexity baseline. Don't convert an example character formula into an unsupported universal mandate in your SSP.
Does MFA replace CMMC password requirements?
No, wherever passwords remain part of authentication. NIST SP 800-171 Rev. 2 states that 3.5.7 applies to single-factor password authentication and when passwords are used as part of multifactor authenticators. MFA (3.5.3) is a separate, required control.
Can a passwordless environment avoid the password controls?
Possibly for a specific mechanism with no password, but not automatically for the whole assessment scope. Recovery, bootstrap, break-glass, local, application, appliance, and service-account paths may still use passwords and must be assessed individually.
Can Microsoft Entra ID meet CMMC password requirements?
Entra ID provides important identity protections, but its cloud-only core password policy is largely predefined (an 8-character minimum, with stricter enforcement typically requiring hybrid accounts that inherit Active Directory policy or password writeback). Whether the objectives are MET depends on your tenant architecture, inherited versus customer-managed responsibilities, remaining password paths, policy wording, and evidence.
Are password managers CMMC compliant?
CMMC does not certify a password-manager product as universally compliant, and "CMMC compliant" is a marketing claim to investigate. Current NIST digital-identity guidance permits password managers and autofill, but you must evaluate the specific tool's scope, authentication, recovery, storage and transmission protections, administration, and evidence.
Must a CMMC password manager be FIPS validated?
Not as a blanket rule. Whether a FIPS 140 validation question is implicated depends on the tool's function, whether it handles CUI, and which controls you rely on it to satisfy — so it's an analysis, not an automatic requirement.
Can a password requirement go on a POA&M?
The one-point password controls (3.5.7, 3.5.8, 3.5.9, 3.5.11) can be POA&M-eligible if all 32 CFR 170.21 conditions are met, including an overall score of at least 88 and a 180-day closeout. IA.L2-3.5.10 carries a five-point deduction and is not eligible for the Level 2 POA&M path.
What does "change of characters" mean in 3.5.7?
It refers to the number of character positions that must differ when an existing password is changed, relative to the total length. Your organization defines that number, and 3.5.7 requires you to enforce it when a new password replaces an old one.
What evidence should I keep for CMMC password controls?
Keep the approved policy, SSP implementation statements, effective configuration exports, identity and application architecture, inherited-control documentation, test results, relevant logs, and a mapping that ties each artifact to the applicable NIST SP 800-171A objective. For certification assessments, evidence artifacts must be hashed and retained for six years from the CMMC Status Date. Never store actual password values as evidence.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Get Matched by Level, Scope, and Timeline →

Do not submit CUI, drawings, passwords, system credentials, detailed network diagrams, or sensitive contract information.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Educational disclaimer:This page is educational research, not legal, contractual, assessment, or compliance advice. Confirm contractual applicability and assessment scope with a qualified CMMC Registered Practitioner or Registered Provider Organization and, where appropriate, a qualified federal-contracts attorney. The solicitation or contract and the information you handle — not a website checklist — determine your required CMMC level.

Primary and official sources