AC-2(3): Disable Accounts

Control Family:

Access Control

Parent Control:

AC-2: Account Management

CSF v1.1 References:

PR.AC-4
DE.CM-3

Threats Addressed:

Spoofing
Repudiation

Baselines:

Moderate
High

Previous Version:

NIST Special Publication 800-53 Revision 4:
AC-2(3): Disable Inactive Accounts

Control Statement

Disable accounts within [Assignment: organization-defined time period] when the accounts:

Have expired;
Are no longer associated with a user or individual;
Are in violation of organizational policy; or
Have been inactive for [Assignment: organization-defined time period].

Supplemental Guidance

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.

Control Statement

Supplemental Guidance

Related Controls

Critical Security Controls Version 8

Critical Security Controls Version 7.1