CMMC Practice IA.L2-3.5.6 – Identifier Handling: Disable identifiers after a defined period of inactivity.
Links to Publicly Available Resources
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Identifiers are uniquely associated with an individual, group, role or device. An inactive identifier is one that has not been used for a certain period of time. For example, a user account may be needed for a certain time to allow for transition of business processes to existing or new staff. Once use of the identifier is no longer necessary it should be disabled and marked for deletion based on policy. Failure to maintain awareness of accounts that are no longer needed yet still active could be used by an adversary to exploit IT services.