CMMC 1.0 Practice IA.3.086 Requirement:
Disable identifiers after a defined period of inactivity.
CMMC 1.0 IA.3.086 Requirement Explanation:
Accounts that have not been logged into for a certain period of time (90 days) may no longer be needed. Leaving them enabled increases your attack surface. As a result, all accounts that have been inactive for a defined period should be disabled.
Example CMMC 1.0 IA.3.086 Implementation:
Create a policy requiring you to disable accounts after a period of inactivity (e.g., 90 days). You can do this manually; however, in a large organization with hundreds or thousands of accounts, use of an automated tool may be justified. If you use Active Directory to manage your user accounts, you can create a script to automatically disable inactive accounts.
CMMC 1.0 IA.3.086 Scenario(s):
- Scenario 1:
Your company policy requires that accounts that are inactive for 90 days must be disabled. To enforce this policy, you write a script that automatically disables inactive user accounts.
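One way the script in this scenario could look, as an added example that is not part of the original page. It uses the ActiveDirectory PowerShell module; the search base OU, the exemption group name and the log path are placeholders assumed for illustration.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,                              # policy threshold from the scenario
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',   # placeholder OU (assumption)
    [string]$ExemptGroup = 'IA-Inactivity-Exempt',        # hypothetical group for approved exceptions
    [string]$LogPath = '.\disabled-inactive-accounts.csv' # placeholder audit log (assumption)
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Accounts in the exemption group are skipped so documented exceptions stay enabled.
$exempt = Get-ADGroupMember -Identity $ExemptGroup -Recursive |
    Select-Object -ExpandProperty distinguishedName

# lastLogonTimestamp is replicated to every domain controller, but by default it
# can be up to about 14 days behind the real last logon, so the cutoff is approximate.
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties lastLogonTimestamp, whenCreated |
    Where-Object {
        $_.DistinguishedName -notin $exempt -and $(
            if ($_.lastLogonTimestamp) {
                # Stored as a Windows FILETIME; convert before comparing.
                [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $cutoff
            } else {
                # Never logged on: fall back to the creation date so that
                # freshly provisioned accounts are not disabled.
                $_.whenCreated -lt $cutoff
            }
        )
    }

foreach ($user in $candidates) {
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable inactive account')) {
        Disable-ADAccount -Identity $user
        # Keep an audit record of what was disabled and why.
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            LastLogon      = if ($user.lastLogonTimestamp) { [DateTime]::FromFileTime($user.lastLogonTimestamp) } else { $null }
            DisabledOn     = Get-Date
            Reason         = "Inactive for more than $InactiveDays days"
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}
```

Running the script with `-WhatIf` lists the accounts it would disable without changing them, which is a useful review step before scheduling it.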