Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.5 – Prevent the reuse of identifiers for a defined period.
Understanding the Requirement
This control requires that organizations define a retention period during which any identifier (usernames, group names, role names, device names, etc.) that has been decommissioned cannot be reassigned to a different entity, and that reuse is actively prevented during that period. The goal is to avoid confusion and attribution problems caused by recycling identifiers shortly after they were used; implementing this control means documenting the retention period and enforcing technical and process controls so that identifiers remain unique for that time.
Technical Implementation
-
Create a written Identifier Reuse Policy that specifies the non-reuse period (common choices: 6–24 months; many SMBs choose 12 months). Publish the policy in your IAM (Identity and Access Management) controls and the IT security policy library so HR, help desk, and system owners know the rule.
-
Implement an account lifecycle process: disable accounts at termination, mark them as “retained” for the defined period, and only delete or recycle after the retention period expires. For SMBs without full IAM tooling, use a shared spreadsheet or simple database with a timestamp and status field to track retention windows.
-
Enforce reuse prevention in provisioning systems. Add a check to your account creation workflow (AD, Azure AD, cloud IAM, or even help-desk onboarding templates) that rejects requested identifiers if they appear in the identifier history table and are still inside the retention window.
-
Reserve identifiers for systems and groups similarly: when decommissioning servers, network devices, or groups, record their identifiers and block reuse for the same retention period. Integrate this into asset inventory and CMDB entries so decommissioned names are visible to provisioning staff.
-
Log and audit identifier assignments. Keep an auditable record showing who created or reassigned an identifier and when. Schedule periodic reviews (quarterly or semiannually) to ensure the retention list is current and the automation checks are functioning.
-
Train HR and the help desk to follow the policy: require new-user requests to propose distinct usernames rather than reassigning a prior user’s identifier, and include a field in exit checklists to flag identifiers for the retention list.
Example in a Small or Medium Business
Acme Engineering terminates an employee, Maria Lopez, whose username is mlopez. The IT admin disables mlopez immediately and changes the account status in the asset inventory to “retained – 12 months.” The help desk provisioning script now rejects any attempt to create a new account using mlopez while the retention flag is active. When Maria’s replacement is hired three weeks later, HR requests a new account and the administrator creates mlopez2 instead of recycling the old identifier. Network device names retired during a hardware refresh are entered into the same retention table so those device names are also blocked. Six months later an auditor reviews the identifier log and finds clear records showing the original mlopez account, the disable date, and the retention expiration date—there’s no ambiguity about who performed actions earlier. If, after 12 months, business needs justify reclaiming an identifier, the IT manager follows a documented approval process that includes risk assessment and explicit sign-off before reassigning the name. This approach avoids mistaken attribution in logs and reduces help-desk confusion when addressing historical incidents tied to an identifier.
Summary
Defining a clear non-reuse period and enforcing it through policy, lifecycle processes, simple tracking (or IAM automation where available), and auditing will prevent identifiers from being reassigned prematurely. For SMBs a pragmatic mix of a written policy, disabled-but-retained account handling, provisioning checks, and periodic review delivers the control objective: unique, attributable identifiers for the defined period so investigation and accountability remain reliable.
