This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system automatically disables inactive accounts after [FedRAMP Assignment: (L)(M) 90 days for user accounts; (H) 35 days for user accounts].
AC-2 (3) Additional FedRAMP Requirements and Guidance: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
38North Guidance:
Meets Minimum Requirement:
Automated mechanisms disable inactive accounts after the organization-defined time period. FedRAMP requires 90 days for Moderate systems and 35 days for High systems.
Best Practice:
Ensure that automated mechanisms disable inactive accounts using the FedRAMP Moderate or High parameter.
This can be configured in Active Directory, or by creating scripts that are scheduled to run daily, check for inactive accounts, and then automatically report back to AD or another directory service, such as an IAM system.
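The following is an added example of the daily script described above; it is not 38North's, FedRAMP's, or any CSP's own code. It assumes the ActiveDirectory RSAT module is available and that the scheduled task runs as an account permitted to disable users in the target OU. The OU path, exemption group name and log path are placeholders to be replaced with the system's own values. Accounts that have never logged on are measured from their creation date so a newly provisioned account is not disabled on day one, and members of the exemption group (non-user accounts, which AC-2(3) lets the provider give a separate AO-approved period) are skipped and should be handled by their own job.

```powershell
# Added example (not the page's or any vendor's script): disable user accounts whose
# inactivity exceeds the FedRAMP AC-2(3) threshold for the system's impact level.
param(
    [ValidateSet('Moderate', 'High')]
    [string]$ImpactLevel    = 'Moderate',
    [string]$SearchBase     = 'OU=Users,DC=example,DC=local',          # placeholder OU
    [string]$ExemptionGroup = 'AC-2-3-Exempt',                          # placeholder group for non-user accounts
    [string]$LogPath        = 'C:\Logs\AC-2-3-inactive-accounts.csv',  # placeholder evidence log
    [switch]$DryRun                                                     # report only, change nothing
)

Import-Module ActiveDirectory

# FedRAMP assignment: 90 days for (L)(M) user accounts, 35 days for (H) user accounts
$days   = if ($ImpactLevel -eq 'High') { 35 } else { 90 }
$now    = Get-Date
$cutoff = $now.AddDays(-$days)

# Build the exemption set once; these accounts are covered by a separate, AO-approved period
$exempt = @{}
Get-ADGroupMember -Identity $ExemptionGroup -Recursive -ErrorAction SilentlyContinue |
    ForEach-Object { $exempt[$_.SamAccountName] = $true }

# Only enabled accounts are candidates; LastLogonDate is the replicated lastLogonTimestamp,
# which AD refreshes only every 9-14 days, so an account can look up to two weeks LESS
# active than it really is. That errs toward disabling early rather than late.
$candidates = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, whenCreated

$results = foreach ($u in $candidates) {
    if ($exempt.ContainsKey($u.SamAccountName)) { continue }

    # Never-logged-on accounts are aged from creation so fresh accounts survive their first days
    $lastActivity = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    if ($lastActivity -ge $cutoff) { continue }

    if (-not $DryRun) {
        Disable-ADAccount -Identity $u.DistinguishedName
        # Record why the account was disabled on the object itself for later review
        Set-ADUser -Identity $u.DistinguishedName -Description (
            'Disabled by AC-2(3) inactivity job on {0:yyyy-MM-dd}; last activity {1:yyyy-MM-dd}' -f $now, $lastActivity)
    }

    [pscustomobject]@{
        Timestamp      = $now.ToString('o')
        SamAccountName = $u.SamAccountName
        LastActivity   = $lastActivity.ToString('yyyy-MM-dd')
        DaysInactive   = [int]($now - $lastActivity).TotalDays
        ThresholdDays  = $days
        ImpactLevel    = $ImpactLevel
        Action         = if ($DryRun) { 'WouldDisable' } else { 'Disabled' }
    }
}

# Append each run to a CSV; this log is the evidence an assessor asks for under AC-2(3)
if ($results) {
    $results | Export-Csv -Path $LogPath -Append -NoTypeInformation
    $results | Format-Table -AutoSize
} else {
    Write-Output ('No enabled user accounts exceed {0} days of inactivity.' -f $days)
}
```

Run it once with -DryRun to review the candidate list before scheduling it, then register it as a daily task (for example with Register-ScheduledTask) under a least-privileged service account. The script disables accounts rather than deleting them, so a false positive caused by the lastLogonTimestamp replication lag is recoverable; the CSV log and the description written to each object give the assessor a dated record that matches the evidence items below.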
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Export of scripts demonstrating that accounts are automatically disabled after 90 days of inactivity for Moderate systems and 35 days for High systems.
Screenshots of configurations within Active Directory that demonstrate the disabling of accounts after 90 days of inactivity for Moderate systems and 35 days for High systems.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD