Disable identifiers after a defined period of inactivity
π What This Means
This control requires organizations to automatically disable user accounts after a set period of inactivity (e.g., 90 days). It's like turning off unused lights to save energyβexcept here, you're shutting down potential entry points for attackers. For example, if an employee leaves the company but their account remains active, hackers could exploit it. Another scenario: a contractor's temporary account stays enabled long after their project ends. The goal is to minimize 'zombie accounts' that no one monitors but could be compromised.
π― Why It Matters
Dormant accounts are low-hanging fruit for attackers. The 2023 Verizon DBIR found that 60% of breaches involved credential abuse. In 2021, a defense contractor suffered a breach when an ex-employee's unused account was hijacked to steal sensitive DoD designs. The cleanup cost exceeded $500K. From the DoD's perspective, this control prevents 'ghost access'βwhere old credentials linger in systems handling CUI. It's especially critical for contractors with high staff turnover or temporary workers.
β How to Implement
- Azure: Set inactivity thresholds in Entra ID (formerly Azure AD) under Users > All users > Account disablement policy
- AWS: Configure IAM credential reports with Lambda to flag unused accounts (use 'password_last_used' field)
- GCP: Create Organization Policy constraints for IAM with 'constraints/iam.disableServiceAccountKeyCreation'
- Use CIEM tools like Sonrai or Orca to detect stale identities across multi-cloud environments
- Document the policy in your SSP (e.g., 'All cloud accounts inactive >90 days will be disabled')
π Evidence Examples
Account Disablement Policy
AD/LDAP Configuration Screenshot
Monthly Inactivity Report
SIEM Alert Log
Exception Request Forms
π SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For IA.L2-3.5.6 ("Disable identifiers after a defined period of inactivity"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how users, devices, and processes are identified and authenticated, including your IAM platform, password policies, MFA implementation, certificate management, and service account controls. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"IA.L2-3.5.6 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to disable identifiers after a defined period of inactivity. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"IA.L2-3.5.6 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to disable identifiers after a defined period of inactivity. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"IA.L2-3.5.6 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- β’ Identify all authentication entry points (local login, VPN, cloud, API)
- β’ Document the identity provider(s) and authentication flow
- β’ Specify MFA methods and coverage
- β’ Ensure this control covers all systems within your defined CUI boundary where disable identifiers after a defined period of inactivity applies
- β’ Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- π Identification and Authentication Policy
- π Password policy configuration
- π MFA enrollment records
- π Service account registry
- π Evidence artifacts specific to IA.L2-3.5.6
- π POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will test authentication mechanisms, verify MFA is enforced for required access paths, check password policy configuration, and review service account documentation.
π¬ Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you have a written policy defining the inactivity period before account disablement?
Question 2: Can your systems automatically identify accounts inactive beyond the threshold?
Question 3: Are disablement actions logged with timestamp and approving authority?
Question 4: Do you review exceptions quarterly?
Question 5: Is the inactivity period enforced consistently across cloud/on-premise?
β οΈ Common Mistakes (What Auditors Flag)
1. Ignoring service accounts
2. Inconsistent thresholds
3. No disablement logs
4. Forgetting contractors
5. Testing only happy path
π Parent Policy
This practice is governed by the Identification and Authentication Policy