AC-2(3): Disable Accounts

Control Family:

Access Control

Baselines:

  • Moderate
  • High

Control Statement

Disable accounts within [Assignment: organization-defined time period] when the accounts:

  1. Have expired;
  2. Are no longer associated with a user or individual;
  3. Are in violation of organizational policy; or
  4. Have been inactive for [Assignment: organization-defined time period].
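The four conditions above, worked through as an added example that is not part of NIST SP 800-53 or of this page: a small Python checker that takes constructed account records, the organization-defined inactivity period, and the organization-defined window for disabling, and reports which still-enabled accounts meet a condition, which condition, and the date by which they must be disabled. The record fields, the sample accounts, the thresholds and the evaluation time are all assumptions made for the example; a real deployment would read them from the identity store.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


# Constructed account records (hypothetical field names; a real source would be
# an IdM or directory export). All times are UTC.
@dataclass
class Account:
    name: str
    created: datetime
    owner: Optional[str]                   # None -> no longer associated with a user
    expires: Optional[datetime] = None     # None -> no expiry set
    last_login: Optional[datetime] = None  # None -> never logged in
    policy_violation: bool = False         # set by a separate policy/conduct review
    enabled: bool = True


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2024, 6, 1)  # evaluation time, fixed so the example is reproducible

SAMPLE_ACCOUNTS = [  # constructed sample data
    Account("svc-backup", _utc(2023, 1, 5), "ops",
            expires=_utc(2024, 5, 1), last_login=_utc(2024, 5, 30)),
    Account("jdoe", _utc(2022, 3, 1), "J. Doe", last_login=_utc(2024, 5, 31)),
    Account("contractor7", _utc(2023, 9, 1), None, last_login=_utc(2024, 5, 29)),
    Account("temp-intern", _utc(2024, 1, 10), "intern", last_login=None),
    Account("auditor", _utc(2021, 7, 1), "A. Smith",
            last_login=_utc(2024, 5, 20), policy_violation=True),
    Account("old-admin", _utc(2020, 1, 1), "admin",
            expires=_utc(2023, 1, 1), enabled=False),
]


def evaluate_accounts(accounts, now, inactivity_days, disable_within_days):
    """Apply the AC-2(3) conditions to a list of accounts.

    inactivity_days     -- organization-defined inactivity period (condition 4)
    disable_within_days -- organization-defined window in which disabling must occur

    Returns {account name: {"reasons": [...], "disable_by": datetime}} for every
    enabled account that meets at least one condition. Reasons are listed in the
    control's order.
    """
    inactivity = timedelta(days=inactivity_days)
    window = timedelta(days=disable_within_days)
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        reasons = []
        trigger = None  # earliest date a condition became true, where the record tells us
        # 1. expired
        if acct.expires is not None and acct.expires <= now:
            reasons.append("expired")
            trigger = acct.expires
        # 2. no longer associated with a user or individual
        if acct.owner is None:
            reasons.append("no associated user")
        # 3. in violation of organizational policy
        if acct.policy_violation:
            reasons.append("policy violation")
        # 4. inactive: measured from last login, or from creation if never used,
        #    so a never-used account does not escape the inactivity rule
        reference = acct.last_login or acct.created
        if now - reference > inactivity:
            reasons.append("inactive")
            inactive_since = reference + inactivity
            trigger = inactive_since if trigger is None else min(trigger, inactive_since)
        if reasons:
            # Conditions 2 and 3 carry no date in these records, so for them the
            # window is counted from the evaluation time.
            findings[acct.name] = {"reasons": reasons, "disable_by": (trigger or now) + window}
    return findings


if __name__ == "__main__":
    for name, f in evaluate_accounts(SAMPLE_ACCOUNTS, NOW, 90, 7).items():
        print(f"{name}: {', '.join(f['reasons'])}; disable by {f['disable_by']:%Y-%m-%d}")
```

With a 90-day inactivity period and a 7-day disabling window, the run flags the expired service account, the ownerless contractor account, the never-used intern account and the account under policy review, and leaves the active user and the already-disabled administrator alone. The "disable by" date is what an auditor would compare against the actual disable timestamp in the directory's change log.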

Supplemental Guidance

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.