Level 5 CMMC - CMMC Practices

IA.3.086  

Reference: CMMC 1.02

Family: IA

Level Introduced: 3

Practice:
Disable identifiers after a defined period of inactivity.

CMMC Clarification:
Identifiers are uniquely associated with an individual, group, role or device. An inactive identifier is one that has not been used for a certain period of time. For example, a user account may be needed for a certain time to allow for transition of business processes to existing or new staff. Once use of the identifier is no longer necessary it should be disabled and marked for deletion based on policy. Failure to maintain awareness of accounts that are no longer needed yet still active could be used by an adversary to exploit IT services.

Example
You are the IT manager responsible for enforcing your company’s inactive account policy: any account that has not been used in the last 45 days must be deleted. You decide to do this by writing a script that runs once a day to check the last login date for each account and generates a report of the accounts with no login records for the last 45 days. After reviewing the report, you notify the employee’s supervisor and delete the account.

3.5.6

Disable identifiers after a defined period of inactivity.

Discussion:
Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.

Source: NIST Special Publication 800-171 Rev. 2

IA-4

IDENTIFIER MANAGEMENT

Description:
The organization manages information system identifiers by:
    a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
    b. Selecting an identifier that identifies an individual, group, role, or device;
    c. Assigning the identifier to the intended individual, group, role, or device;
    d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
    e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

Supplemental Guidance:
Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02