IA.3.086

Control Acronym

IA

Family

Identification And Authentication

CMMC Level

3

800-171 Control #

3.5.6

CMMC Description

Disable identifiers after a defined period of inactivity.

CMMC Clarification

Identifiers are uniquely associated with an individual, group, role or device. An inactive identifier is one that has not been used for a certain period of time. For example, a user account may be needed for a certain time to allow for transition of business processes to existing or new staff. Once use of the identifier is no longer necessary it should be disabled and marked for deletion based on policy. Failure to maintain awareness of accounts that are no longer needed yet still active could be used by an adversary to exploit IT services. Example You are the IT manager responsible for enforcing your company’s inactive account policy: any account that has not been used in the last 45 days must be deleted. You decide to do this by writing a script that runs once a day to check the last login date for each account and generates a report of the accounts with no login records for the last 45 days. After reviewing the report, you notify the employee’s supervisor and delete the account.

800-171 Description

Disable identifiers after a defined period of inactivity.

800-171 Discussion

Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 16.9, 16.10, 16.11

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IA-4

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.5.6

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

IA.3.086.[a] a period of inactivity after which an identifier is disabled is defined; and

Assessment Sub-Criteria 2

IA.3.086.[b] identifiers are disabled after the defined period of inactivity.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15