CMMC Practice Requirement:
Disable identifiers after a defined period of inactivity.
CMMC Requirement Explanation:
Accounts that have not been logged into for a certain period of time (90 days) may no longer be needed. Leaving them open increases your attack surface. As a result, all accounts that have been inactive for a defined period should be disabled.
Example CMMC Implementation:
Create a policy requiring you to disable accounts after a period of inactivity (e.g., 90 days). You can do this manually; however, in a large organization with hundreds or thousands of accounts, use of an automated tool may be justified. If you use Active Directory to manage your user accounts, you can create a script to automatically disable inactive accounts.
- Scenario 1:
Your company policy requires that accounts that are inactive for 90 days must be disabled. To enforce this policy, you write a script that automatically disables inactive user accounts.
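One way to write the script from Scenario 1, as an added example that is not part of the original page. It assumes the ActiveDirectory PowerShell module is available; the OU, the exemption group and the report path are placeholders chosen for illustration.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,   # policy period from the scenario
    # Assumed placeholders: replace with your own OU and exemption group.
    [string]$SearchBase    = 'OU=Staff,DC=example,DC=com',
    [string]$ExemptGroupDn = 'CN=Inactivity-Exempt,OU=Groups,DC=example,DC=com',
    [string]$ReportPath    = '.\disabled-inactive-accounts.csv'
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is the replicated lastLogonTimestamp. By default it can lag the
# real last logon by up to 14 days, so an account may be disabled slightly early.
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties LastLogonDate, whenCreated, MemberOf |
    Where-Object { $_.MemberOf -notcontains $ExemptGroupDn } |   # direct members only
    ForEach-Object {
        # Accounts that never logged on have no LastLogonDate: age them from creation.
        $lastActivity = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        if ($lastActivity -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastActivity      = $lastActivity
                NeverLoggedOn     = -not $_.LastLogonDate
                DisabledOn        = Get-Date
            }
        }
    }

$disabled = foreach ($c in $candidates) {
    # -WhatIf lists what would be disabled without changing anything.
    if ($PSCmdlet.ShouldProcess($c.SamAccountName, 'Disable inactive account')) {
        try {
            Disable-ADAccount -Identity $c.DistinguishedName -ErrorAction Stop
            $c   # emit only accounts that were actually disabled
        } catch {
            Write-Warning "Could not disable $($c.SamAccountName): $_"
        }
    }
}

# Keep a record of each run as evidence that the policy is enforced.
if ($disabled) {
    $disabled | Export-Csv -Path $ReportPath -NoTypeInformation -Append
}
```

Running the script with -WhatIf first shows which accounts would be disabled; once the list looks right, it can be scheduled to run regularly.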