CMMC Practice IA.L2-3.5.6 – Identifier Handling: Disable identifiers after a defined period of inactivity.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This article from Infosecurity Magazine describes the importance of securing inactive user accounts.
This webpage discusses how to regularly check for and remove inactive user accounts in Microsoft Active Directory.
This documentation from Red Hat gives an administrator step-by-step instructions for configuring a lockout policy based on inactivity.
In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we discuss how inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained. Let’s talk about NIST 800-171 Control 3.5.6, Disable identifiers after a defined period of inactivity.
Discussion [NIST SP 800-171 R2]
Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
Further Discussion
Identifiers are uniquely associated with an individual, account, process, or device. An inactive identifier is one that has not been used for a defined extended period of time. For example, a user account may be needed for a certain time to allow for transition of business processes to existing or new staff. Once use of the identifier is no longer necessary, it should be disabled as soon as possible. Failure to maintain awareness of accounts that are no longer needed yet still active could allow an adversary to exploit IT services.
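One way to check this practice in code, as an added example that is not part of the CMMC text or any vendor tool: the script below applies an assumed organization-defined inactivity period of 90 days to constructed account records (the kind of fields a directory export of last-logon timestamps provides) and lists the enabled identifiers that should be disabled, measuring never-used accounts from their creation date so they are not overlooked.

```python
"""Audit account records against a defined inactivity period (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVITY_DAYS = 90  # assumed organization-defined period; not from the CMMC text

UTC = timezone.utc


@dataclass
class Account:
    name: str
    created: datetime
    last_logon: Optional[datetime]  # None means the identifier was never used
    enabled: bool


def last_use(acct: Account) -> datetime:
    """Timestamp the inactivity clock runs from: last logon, else creation."""
    return acct.last_logon if acct.last_logon is not None else acct.created


def is_inactive(acct: Account, now: datetime, max_days: int = INACTIVITY_DAYS) -> bool:
    """True when the identifier has gone unused longer than the defined period."""
    return now - last_use(acct) > timedelta(days=max_days)


def accounts_to_disable(accounts: List[Account], now: datetime,
                        max_days: int = INACTIVITY_DAYS) -> List[Account]:
    """Enabled identifiers past the threshold, longest-idle first.
    Accounts that are already disabled are skipped."""
    stale = [a for a in accounts if a.enabled and is_inactive(a, now, max_days)]
    return sorted(stale, key=last_use)


# Constructed sample records for the audit date below (not real accounts).
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE = [
    Account("alice", datetime(2022, 1, 10, tzinfo=UTC), datetime(2024, 5, 28, tzinfo=UTC), True),  # recently used
    Account("bob", datetime(2022, 1, 10, tzinfo=UTC), datetime(2024, 1, 15, tzinfo=UTC), True),    # idle > 90 days
    Account("carol", datetime(2024, 1, 5, tzinfo=UTC), None, True),   # never used, created > 90 days ago
    Account("dave", datetime(2024, 5, 20, tzinfo=UTC), None, True),   # never used, but still new
    Account("erin", datetime(2021, 3, 1, tzinfo=UTC), datetime(2023, 2, 1, tzinfo=UTC), False),   # already disabled
]

if __name__ == "__main__":
    for a in accounts_to_disable(SAMPLE, NOW):
        idle = (NOW - last_use(a)).days
        print(f"disable {a.name}: last use {last_use(a).date()}, idle {idle} days")
```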