CMMC Requirement IA.L2-3.5.6 – Identifier Handling: Disable identifiers after a defined period of inactivity.
The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 and AWS managed Config rules. Each Config rule applies to a specific AWS resource and relates to one or more CMMC 2.0 Level 2 controls; a single CMMC 2.0 Level 2 control can be related to multiple Config rules.

This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.

This article from Infosecurity Magazine describes the importance of securing inactive user accounts.

This document, along with its comments section, lists Unix scripts that can be used to automatically terminate user sessions.

This webpage discusses how to regularly check for and remove inactive user accounts in Microsoft Active Directory.

In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we discuss how inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained. Let's talk about NIST 800-171 Control 3.5.6, Disable identifiers after a defined period of inactivity.
Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
Further Discussion
Identifiers are uniquely associated with an individual, account, process, or device. An inactive identifier is one that has not been used for a defined, extended period of time. For example, a user account may be needed for a certain time to allow for the transition of business processes to existing or new staff. Once use of the identifier is no longer necessary, it should be disabled as soon as possible. Failure to maintain awareness of accounts that are no longer needed yet still active could allow an adversary to exploit IT services. In practice this means the inactivity period must be written down in policy and checked against a record of last use (a directory attribute such as the last logon timestamp, or a host's last-login log), and the check must also catch identifiers that were created but never used, which are inactive from the day they were provisioned.
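As an added illustration, not part of the CMMC assessment guide or of any of the resources linked above, the following Python script implements the inactivity check the requirement calls for: it reads an export of accounts with their creation date and last logon, flags every enabled, non-exempt identifier that has gone unused longer than the defined period, and disables it. The CSV layout, the field names, the 90-day threshold, and the sample accounts are all constructed for this example; a real run would feed it an export from Active Directory (whenCreated and lastLogonTimestamp) or from a Unix lastlog listing.

```python
"""Flag and disable identifiers that have exceeded a defined inactivity period.

Added example. The export format, field names, 90-day threshold and sample
accounts below are assumptions for illustration, not values from the CMMC text.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Account:
    name: str
    created: date
    last_logon: Optional[date]  # None: the identifier has never been used
    enabled: bool


def parse_export(text: str) -> List[Account]:
    """Parse a CSV export with columns name,created,last_logon,enabled (ISO dates)."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            name=row["name"],
            created=date.fromisoformat(row["created"]),
            last_logon=date.fromisoformat(row["last_logon"]) if row["last_logon"] else None,
            enabled=row["enabled"].strip().lower() == "true",
        ))
    return accounts


def inactive_days(acct: Account, today: date) -> int:
    """Days since the identifier was last used.

    A never-used identifier is measured from its creation date: an account that
    was provisioned but never logged on is still an inactive identifier.
    """
    reference = acct.last_logon if acct.last_logon else acct.created
    return (today - reference).days


def find_inactive(accounts: List[Account], today: date, max_inactive_days: int = 90,
                  exempt: FrozenSet[str] = frozenset()) -> List[Tuple[str, int]]:
    """Return (name, days_inactive) for enabled, non-exempt accounts past the threshold."""
    flagged = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        if acct.name in exempt:
            continue  # e.g. break-glass accounts covered by a separate manual review
        days = inactive_days(acct, today)
        if days > max_inactive_days:
            flagged.append((acct.name, days))
    return sorted(flagged)


def disable_inactive(accounts: List[Account], today: date, **kwargs) -> List[str]:
    """Disable every flagged account in place and return the names disabled."""
    names = {name for name, _ in find_inactive(accounts, today, **kwargs)}
    for acct in accounts:
        if acct.name in names:
            acct.enabled = False
    return sorted(names)


# Constructed sample export (not real data). Evaluated against today = 2024-06-01:
#   jsmith          used 30 days ago            -> active
#   contractor7     used 138 days ago           -> disable
#   svc-backup      used 4 days ago             -> active
#   newhire         never used, created 12 days ago  -> within grace, active
#   stale-never-used never used, created 213 days ago -> disable
#   olduser         already disabled            -> skipped
SAMPLE_EXPORT = """\
name,created,last_logon,enabled
jsmith,2023-01-10,2024-05-02,True
contractor7,2023-06-01,2024-01-15,True
svc-backup,2022-03-01,2024-05-28,True
newhire,2024-05-20,,True
stale-never-used,2023-11-01,,True
olduser,2021-02-02,2022-09-30,False
"""

if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    today = date(2024, 6, 1)
    for name, days in find_inactive(accounts, today):
        print(f"{name}: inactive {days} days, disabling")
    print("disabled:", disable_inactive(accounts, today))
```

The second run over the same data after `disable_inactive` returns nothing, because disabled accounts are skipped; keep a record of when each identifier was disabled so that the separate, later deletion step required by your account-management policy has a date to work from.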
