NIST SP 800-171 Rev 2 practice 3.5.5 requires organizations to prevent the reuse of identifiers for a defined period after those identifiers have been retired, disabled, or deleted. An identifier is any label that uniquely distinguishes a user, device, or process within an information system — most commonly a username or account name. The organization must first document the reuse-prevention period (e.g., 365 days, indefinitely) in policy, and then enforce that period through technical controls in directory services or identity and access management (IAM) platforms. This practice is grounded in NIST SP 800-171 §3.5, which governs all identification and authentication requirements for protecting Controlled Unclassified Information (CUI). The underlying rationale is that recycling an identifier can inadvertently transfer permissions, audit history, or access assumptions associated with the prior user to a new individual, breaking the principle of individual accountability.
Where it stops · what it isn't
- This practice does not govern password reuse — password history controls are addressed under separate credential management practices.
- This practice does not address authentication strength or multi-factor requirements, which are covered under IA-L2-3.5.3.
- This practice does not require the permanent deletion of identifier records; retention of the record for audit purposes while preventing reassignment is acceptable.
- This practice does not govern the reuse of group or shared identifiers — those are prohibited outright under IA-L2-3.5.1, not merely delayed.
- Physical access badge IDs or facility access numbers are not in scope unless directly tied to logical system identifiers.
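As an added illustration (not part of this page or of any particular directory or IAM product), the following Python models the enforcement side of 3.5.5 as a retired-identifier registry: the reuse-prevention period is a policy parameter (None meaning "indefinitely"), retired records are kept for audit rather than deleted, identifiers are compared case-insensitively the way most directories treat them, and a proposed identifier is checked against the registry before it is issued. The account names, dates and reasons are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class RetiredIdentifier:
    """Audit record kept for a retired identifier; never removed by the policy check."""
    name: str         # normalized identifier
    retired_on: date  # date the account was disabled or deleted
    reason: str       # e.g. "disabled", "deleted" (constructed values)


@dataclass
class IdentifierRegistry:
    # Policy value documented by the organization; None = identifiers are never reused.
    reuse_prevention_days: Optional[int]
    retired: Dict[str, RetiredIdentifier] = field(default_factory=dict)

    @staticmethod
    def normalize(identifier: str) -> str:
        # Directory lookups are usually case-insensitive: "JSmith" and "jsmith" are one identifier.
        return identifier.strip().lower()

    def retire(self, identifier: str, on: date, reason: str) -> None:
        key = self.normalize(identifier)
        # Record is retained (not deleted), satisfying the audit-retention caveat above.
        self.retired[key] = RetiredIdentifier(key, on, reason)

    def reuse_blocked_until(self, identifier: str) -> Optional[date]:
        record = self.retired.get(self.normalize(identifier))
        if record is None:
            return None                      # never retired: no restriction
        if self.reuse_prevention_days is None:
            return date.max                  # "indefinitely"
        return record.retired_on + timedelta(days=self.reuse_prevention_days)

    def can_issue(self, identifier: str, today: date) -> Tuple[bool, str]:
        """Gate to run before provisioning a new account with this identifier."""
        until = self.reuse_blocked_until(identifier)
        if until is None:
            return True, "no retirement record for this identifier"
        if today < until:
            return False, f"reuse blocked until {until.isoformat()} (retired identifier)"
        return True, "reuse-prevention period has elapsed; retirement record retained for audit"


if __name__ == "__main__":
    registry = IdentifierRegistry(reuse_prevention_days=365)
    registry.retire("JSmith", date(2024, 1, 15), "deleted")
    print(registry.can_issue("jsmith", date(2024, 6, 1)))   # blocked
    print(registry.can_issue("jsmith", date(2025, 1, 14)))  # allowed, record still kept
```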