AC-2(3)
-
Requirement
Disable accounts within [Assignment: organization-defined time period] when the accounts:
- Have expired;
- Are no longer associated with a user or individual;
- Are in violation of organizational policy; or
- Have been inactive for [Assignment: organization-defined time period].
-
Discussion
Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.
NIST 800-53A Assessment Guidance
CMMC Training
Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!