Navigate

AC-2(13)

AC-2(13): Disable Accounts for High-risk Individuals

Disable accounts of individuals within [time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;] of discovery of [significant risks leading to disabling accounts are defined;].

Supplemental

Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
CMMC, DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-2(13).

Control	Description
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].

Control

Description

AU-6

a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity;

b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and

c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

SI-4

a: Monitor the system to detect:
- 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and
- 2: Unauthorized local, network, and remote connections;

b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;];

c: Invoke internal monitoring capabilities or deploy monitoring devices:
- 1: Strategically within the system to collect organization-determined essential information; and
- 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization;

d: Analyze detected events and anomalies;

e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

f: Obtain legal opinion regarding system monitoring activities; and

g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].

Enhancements

The controls below (if any) add on to the requirements of AC-2(13).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-2(13).

CCI	Definition
CCI-002150	Defines the time period within which the accounts of users posing a significant risk are to be disabled after discovery of the risk.
CCI-002151	Disable accounts of individuals within an organization-defined time-period of discovery of organization-defined significant risk.
CCI-003637	Defines the significant risks that may be discovered requiring disabled accounts of individuals.