Navigate

AC-2(3)

AC-2(3): Disable Accounts

Disable accounts within [time period within which to disable accounts is defined;] when the accounts:

(a): Have expired;

(b): Are no longer associated with a user or individual;

(c): Are in violation of organizational policy; or

(d): Have been inactive for [time period for account inactivity before disabling is defined;].

Supplemental

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.

CIA Levels
Confidentiality	moderate
Integrity	moderate
Availability	unknown

Overlays
CMMC, Int-A, Int-B, Int-C, Privacy (high), Privacy (moderate)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-2(3).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of AC-2(3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-2(3).

CCI	Definition
CCI-000017	Disable accounts when the accounts have been inactive for the organization-defined time-period.
CCI-000217	Defines a time period after which inactive accounts are automatically disabled.
CCI-003627	Disable accounts when the accounts have expired.
CCI-003628	Disable accounts when the accounts are no longer associated to a user.
CCI-003629	Disable accounts when the accounts are in violation of organizational policy.