Requirement text: IA.3.086: Disable identifiers after a defined period of inactivity.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Inactive identifiers pose a risk to organizational information because attackers may exploit
an inactive identifier to gain undetected access to organizational devices. The owners of the
inactive accounts may not notice if unauthorized access to the account has been obtained.
CMMC CLARIFICATION
Identifiers are uniquely associated with an individual, group, role or device. An inactive
identifier is one that has not been used for a certain period of time. For example, a user
account may be needed for a certain time to allow for transition of business processes to
existing or new staff. Once use of the identifier is no longer necessary it should be disabled
and marked for deletion based on policy. Accounts that are no longer needed but remain
active, and whose existence the organization has lost track of, could be used by an
adversary to exploit IT services.
Example
You are the IT manager responsible for enforcing your company’s inactive account policy:
any account that has not been used in the last 45 days must be deleted. You decide to do
this by writing a script that runs once a day to check the last login date for each account and
generates a report of the accounts with no login records for the last 45 days. After reviewing
the report, you notify the employee’s supervisor and delete the account.
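The daily check described in the example, written out as an added illustration in Python (this is not code from the CMMC source). It assumes the identity system can export a CSV of accounts with ISO-8601 UTC timestamps for creation and last login, where an empty last_login field means the account has never signed in; the export embedded below is constructed sample data, and the "today" value is fixed so the run is reproducible. Accounts that have never logged in have no login record at all, so their idle period is measured from the creation date rather than being silently skipped.

```python
import csv
import io
from datetime import datetime, timezone

# Inactivity threshold from the example policy: 45 days without a login.
INACTIVITY_DAYS = 45

# Constructed sample export (not real data). Columns: username, created,
# last_login, enabled. An empty last_login means the account never signed in.
SAMPLE_EXPORT = """username,created,last_login,enabled
alice,2023-01-10T09:00:00Z,2024-02-27T08:15:00Z,true
bob,2023-06-01T09:00:00Z,2023-12-15T17:40:00Z,true
carol,2024-02-20T09:00:00Z,,true
dave,2023-10-01T09:00:00Z,,true
erin,2022-01-01T09:00:00Z,2023-01-05T12:00:00Z,false
"""

# Fixed "today" for the sample run (an assumption, so results are reproducible).
SAMPLE_NOW = datetime(2024, 3, 1, 6, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-02-27T08:15:00Z; '' -> None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_accounts(export_text):
    """Turn the CSV export into a list of account dicts with parsed timestamps."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        accounts.append({
            "username": row["username"].strip(),
            "created": parse_ts(row["created"].strip()),
            "last_login": parse_ts(row["last_login"].strip()),
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return accounts


def find_inactive(accounts, now, limit_days=INACTIVITY_DAYS):
    """Return report entries for enabled accounts idle for at least limit_days.

    Idle time is counted in calendar days from the last login, or from the
    creation date for accounts that have never logged in.
    """
    report = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing further to flag here
        never_used = acct["last_login"] is None
        reference = acct["created"] if never_used else acct["last_login"]
        idle_days = (now.date() - reference.date()).days
        if idle_days >= limit_days:
            report.append({
                "username": acct["username"],
                "days_inactive": idle_days,
                "reason": "never logged in" if never_used
                          else "last login " + acct["last_login"].date().isoformat(),
            })
    # Longest-idle accounts first so the riskiest entries top the report.
    report.sort(key=lambda e: e["days_inactive"], reverse=True)
    return report


def render_report(report, now, limit_days=INACTIVITY_DAYS):
    """Format the report as plain text for the reviewer."""
    lines = [f"Inactive account report as of {now.date().isoformat()} "
             f"(threshold: {limit_days} days)"]
    if not report:
        lines.append("  (no inactive accounts)")
    for entry in report:
        lines.append(f"  {entry['username']:<10} {entry['days_inactive']:>4} days  "
                     f"{entry['reason']}")
    return "\n".join(lines)


if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    print(render_report(find_inactive(accounts, SAMPLE_NOW), SAMPLE_NOW))
```

Run against the sample export, the report lists dave (never logged in, 152 days since creation) and bob (last login 2023-12-15, 77 days), skips carol (created ten days ago, so not yet over the threshold) and alice (active), and ignores erin because that account is already disabled. As in the example, the script only produces the report; notifying the supervisor and deleting the account remain deliberate, reviewed steps rather than something the script does on its own.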
References
• NIST SP 800-171 Rev 1 3.5.6
• CIS Controls v7.1 16.9, 16.10, 16.11
• NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7
• NIST SP 800-53 Rev 4 IA-4