Reference: CMMC 1.02
Level Introduced: 3
Prevent the reuse of identifiers for a defined period.
Identifiers uniquely associate a user ID to an individual, group, role or device. Establish guidelines and implement mechanisms to prevent identifiers from being reused for the period of time established by the organization in the policy.
As the IT administrator for your organization you maintain a central directory/domain that holds user accounts and computers within the organization. As part of your job you issue unique usernames (email@example.com) for the staff to access resources. When you issue staff computers you also rename the computer to reflect to whom it is assigned (joe-laptop01). Joe has recently left the organization so you must manage the former staff memberâ€™s account. Incidentally, the replacement is also named Joe. In the directory you do not assign the previous account to the new user. You create an account called joe02. This account is assigned the appropriate permissions for the new user. A new laptop is also provided with the identifier of joe02-laptop01.
Prevent reuse of identifiers for a defined period.
Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37.