Access Control

What are your CMMC password requirements?

We explain your cybersecurity maturity model certification (CMMC) password requirements.

Join our newsletter:
The new cybersecurity maturity model certification (CMMC) model does not mention specific password length, complexity, password history, or password renewal requirements. To play it safe we recommend that you adhere to the password recommendations from the Center for Internet Security (CIS).

Center for Internet Security (CIS) Password Recommendations

  • 10 character minimum length
  • Password complexity: uppercase letters, lowercase letters, numbers, and symbols
  • Change passwords at least every 60 days
  • Prevent the reuse of the past 24 passwords
  • Set the minimum password age to one day (so that users can’t change their password 24 times to reuse their old password)
  • Set account login thresholds to 10 or fewer invalid login attempts. (Keep in mind that the fewer attempts you allow the more password related issues your users will have.)
  • Change default passwords on accounts when setting up new equipment.
  • If a user accesses several accounts, require them to use a separate password for each.
  • Do not allow the use of names, user account names, or other personal information in passwords.
  • Store all passwords using strong salting and hashing functions.
  • Do not store passwords using reversible encryption.
  • Train users to use separate passwords for work and personal accounts.

Finding the Right Balance

If you make your password requirements too stringent you will experience an increase in password “issues”. This means more password-related tickets and less productivity. If you have weak password requirements you are setting yourself up to be an easy target for attackers. Even NIST has eased its stance on password after research showed that too stringent password requirements negatively impact security.
When it comes to password requirements, find a middle ground that works best for your company's culture and the capabilities of your employees.


  • CMMC does not mention specific password length, complexity, or reset requirements. Your company should decide on them.
  • You can not go wrong with password recommendations from the Center for Internet Security.
  • C009: Identify and protect audit information
  • Before implementing password requirements, think about how they will impact security and productivity.
  • If you found this information useful and want to learn more about CMMC reach out to us at info[@]

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.