Turn Password Requirements Into Working Controls
For organizations moving toward CMMC Level 2 compliance, password security cannot live only in a policy document. It needs to show up in the way passwords are created, changed, screened, and monitored every day. Beginning November 10, 2026, DoD’s rollout enters Phase 2, when DoD intends to include Level 2 (C3PAO) requirements in applicable solicitations and contracts as a condition of contract award, making third-party certification increasingly important for contractors that handle CUI. That is why the password side of cybersecurity compliance deserves focused attention, and why Enzoic for Active Directory is especially relevant for teams preparing for Level 2.
As organizations move from Level 1 to Level 2, they are not leaving the basics behind. They are building on them. One of those basics is authentication itself.
Level 1 requirement
“Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.”
That expectation still sits underneath the move to Level 2. If a password is easy to guess, already exposed, or built from predictable patterns, the authentication process is already starting from a weaker position. Enzoic helps strengthen that foundation by keeping unsafe passwords out of the environment before they can be used. For organizations paying closer attention to compromised Active Directory credentials and stronger password breach monitoring, that is a practical place to start.
Level 2 gets more specific about how password controls should work in practice. It is not just about having a policy. It is about enforcing it when users create or change passwords.
| CMMC Level 2 Requirement | Where Standard AD Password Policy Alone Leaves Gaps | Where Enzoic Adds Value |
|---|---|---|
| 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created | Standard AD password policy does not natively screen new passwords against known breached-password data, custom banned terms, or password similarity patterns. It also offers limited control for enforcing meaningful character changes between old and new passwords. | Enzoic screens password changes and resets against exposed-password data, banned terms, and similarity or root-password patterns, making password creation controls more enforceable in practice. It also allows organizations to define a minimum distance between old and new passwords, directly supporting this requirement. |
| 3.5.8 Prohibit password reuse for a specified number of generations | Password history alone may not stop near-reuse, such as minor digit changes, case-only changes, leetspeak substitutions, or reuse of the same root password with slight variation. | Enzoic adds similarity blocking, normalization, and root-password screening to reduce superficial reuse that can slip past basic history-based controls. |
| 3.5.9 Allow temporary password use for system logons with an immediate password change to a permanent password | Standard AD password policy does not natively evaluate whether the permanent password chosen during a first-logon reset or administrator-initiated reset is compromised, predictable, or too similar to the prior password. | Enzoic screens the replacement password during change and reset events, helping ensure the new permanent password is stronger in practice. |
Enzoic allows organizations to apply configurable password complexity rules and to block choices that are already compromised or obviously predictable. For teams aligning password policy with current best practices, NIST password compliance and exposed password screening are closely related parts of the same conversation.
Level 2 also addresses password reuse directly. That matters because a strong password policy is not only about what a new password looks like. It is also about whether users can cycle back to earlier passwords too easily. Because the CMMC Level 2 requirements are the 110 security requirements of NIST SP 800-171 Rev. 2, 3.5.8 (prohibit password reuse for a specified number of generations) is part of the Level 2 control set.
That is where Enzoic can add useful protection around password changes. Enzoic’s Password Similarity Blocking feature lets administrators set a minimum required distance between the old and new password, Normalize Password First removes case-only and common leetspeak substitutions before comparison, and Screen Root Passwords helps catch predictable patterns such as adding or changing digits and symbols around the same root password. Enforcing a minimum change of characters when new passwords are created is not something that can be done natively in Active Directory, whose built-in policy offers only complexity rules and a history of previous password hashes.
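To make the three checks in the table and the paragraph above concrete, here is an added Python sketch of how normalization, a minimum edit distance, and root-password screening fit together at password-change time. It is an illustration written for this page, not Enzoic’s code and not a description of how Enzoic for Active Directory implements these features. The leetspeak table, the banned-term list, the distance threshold of 4, and the sample passwords are all constructed for the example, and the sketch assumes it runs at a point where both the old and the new password are available in cleartext.

```python
import re

# Constructed leetspeak table for the example (assumption: not Enzoic's table).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed banned roots: two obvious terms plus a fictional company name.
BANNED_ROOTS = {"password", "welcome", "acmecorp"}


def normalize(pw: str) -> str:
    """Lowercase and undo common leetspeak, so that a case-only or
    leetspeak-only change compares equal to the previous password."""
    return pw.lower().translate(LEET_MAP)


def root(pw: str) -> str:
    """Strip leading digits and trailing digits/symbols, then normalize.

    Affixes are removed before normalization so that a suffix such as
    '2024' is dropped rather than being partly mapped to letters. A leading
    '@' is deliberately kept, so '@dmin123' still yields 'admin'.
    """
    stripped = re.sub(r"^\d+|[\d\W_]+$", "", pw)
    return normalize(stripped)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def evaluate_change(old: str, new: str, username: str = "",
                    min_distance: int = 4) -> list[str]:
    """Return the reasons a proposed password would be rejected.

    An empty list means the change passes every check. The same function
    applies to a user-initiated change, a first-logon reset from a temporary
    password, and an administrator reset; only the caller differs.
    """
    reasons = []
    n_old, n_new = normalize(old), normalize(new)

    # Similarity blocking on normalized strings: equal means only case or
    # leetspeak changed; otherwise require a minimum edit distance.
    if n_old == n_new:
        reasons.append("case-only or leetspeak-only change")
    elif levenshtein(n_old, n_new) < min_distance:
        reasons.append(f"fewer than {min_distance} characters changed")

    # Root screening: same root with different digits/symbols is near-reuse.
    r_old, r_new = root(old), root(new)
    if r_old and r_old == r_new:
        reasons.append("same root password with different digits or symbols")
    if r_new in BANNED_ROOTS:
        reasons.append("root is a banned term")

    # User-derived strings: reject a password that embeds the username.
    if len(username) >= 3 and normalize(username) in n_new:
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes for user 'jsmith'.
    for old, new in [("Summer2024!", "Summer2025!"),
                     ("Password1", "P@ssw0rd1"),
                     ("Summer2024!", "Jsmith#2024"),
                     ("Summer2024!", "Tr0ub4dor&3")]:
        verdict = evaluate_change(old, new, username="jsmith")
        print(f"{old!r} -> {new!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Two design points worth noting. The root check runs on the raw string before leetspeak normalization, because normalizing first would turn a digit suffix such as 2024 into letters and hide the affix pattern. And the similarity check is applied after normalization rather than to the raw strings, which is what makes `Password1` and `P@ssw0rd1` fail as a zero-change edit even though they differ in three positions.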
There is another short line in the Level 2 guidance that is just as important in practice.
Level 2 guidance
“Enforce these rules for all passwords.”
That is where consistency becomes so important. A password policy may look strong on paper, but the real test is whether the same standard is applied every time a password changes. Enzoic helps make that consistency easier by reducing superficial password variations, screening business-specific terms and user-derived strings, and making it harder for attackers to benefit from the habits that drive password reuse and other credential-based attacks.
Level 2 readiness is not just about stopping one weak password at one moment in time. A password that looked safe when it was created can become a problem later if it shows up in new breach data or credential collections. That is why continuous password protection for Active Directory is so valuable. It gives organizations a way to keep evaluating password risk after the initial set or reset event.
That ongoing visibility matters in a threat environment increasingly shaped by compromised credentials and broader identity and credential risk. Enzoic helps teams move from one-time password checks to a more durable control, one that can identify newly exposed credentials and support faster remediation before they become an access problem.
Most organizations pursuing Level 2 do not operate in a single password environment. They also have custom applications, IAM workflows, partner portals, and customer-facing systems where password risk still shows up. That is where credential screening APIs and IAM credential screening become valuable. They make it possible to apply the same exposure-aware approach in more places than just a domain password change screen.
For organizations that also need protection in internet-facing login flows, account takeover protection extends that same thinking to credential-based attacks targeting external accounts. The result is a more consistent password and credential strategy across the broader environment.
CMMC is enforced through the contract process, not just through internal policy. The CMMC program rule in 32 CFR Part 170 became effective on December 16, 2024, but the contractual enforcement timeline started on November 10, 2025, when the revised DFARS rule became effective for applicable procurements.
That date started Phase 1 of DoD’s rollout, and DoD has said the first 12 months, from November 10, 2025 through November 9, 2026, are focused primarily on Level 1 and Level 2 self-assessments. Beginning November 10, 2026, Phase 2 starts. At that point, DoD intends to include Level 2 (C3PAO) requirements in applicable solicitations and contracts as a condition of contract award, so more contractors handling CUI will need a current Level 2 third-party assessment in SPRS before they can win new work. That does not mean every DoD solicitation changes overnight, but it does mean third-party Level 2 certification becomes a standard pre-award gate in a growing share of applicable procurements. Once a solicitation includes a required CMMC level, the government checks SPRS before award. If the required current status is not there, the offeror is not eligible for award.
The same expectations continue after award. Contractors are required to maintain current CMMC status at the required level throughout the life of the contract, and they may only process, store, or transmit FCI or CUI on systems that have the required status for that work. Annual affirmations also have to stay current. If they do not, the assessment can lapse. For Level 2 specifically, the rollout is phased, so broader use of Level 2 C3PAO requirements expands over time rather than all at once, even though DoD can require a Level 2 C3PAO assessment in some Phase 1 solicitations.
There are practical consequences to falling behind. Contracting officers also check SPRS before exercising an option or extending a period of performance, so a contractor that lets its status or affirmations go stale can put follow-on work, renewals, or contract extensions at risk. If an organization is operating with a conditional Level 2 status, the valid POA&M also has to be closed within 180 days to reach final status.
Those obligations do not stop at the prime. If subcontractors or suppliers will process, store, or transmit flowed-down FCI or CUI, the required CMMC level and ongoing affirmation obligations follow them too. That makes password control maturity important not only for the organization seeking Level 2, but also for the broader partner ecosystem supporting the contract.
For teams that want a practical starting point, a free password auditor for AD can provide fast visibility into compromised, weak, or reused passwords already present in the environment. That baseline makes it easier to prioritize remediation and understand where password risk is already concentrated.
From there, Enzoic for Active Directory helps organizations move from visibility to enforcement by screening passwords when they are created, strengthening password changes, monitoring for newly exposed credentials, and extending the same credential intelligence across Active Directory. For other applications, Enzoic’s APIs offer a flexible and easy way to insert the same intelligence into any login flow.
CMMC Level 2 raises the bar because it expects password controls to work in practice. Enzoic helps organizations meet that moment by turning password requirements into day-to-day operational controls, helping security teams reduce exposure, strengthen authentication, and build a password program that is easier to maintain and easier to defend.
AUTHOR
Josh Parsons
Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. He has a lifelong interest in digital innovation and how it can be used to protect individuals and organizations from ever-evolving cyber threats. A strong believer in giving back to the community, Joshua serves as a mentor to those interested in information security and sales through his alma mater, the University of Michigan. Outside of work, he can usually be found at the nearest bookstore or exploring the city’s local coffee scene.