AC-2(3)

Disable Accounts

Access Control (AC)
Baselines
Low · Not included
Moderate · Included
High · Included
Description

Disable accounts within [assignment] when the accounts: have expired; are no longer associated with a user or individual; are in violation of organizational policy; or have been inactive for [assignment].

Discussion

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.

Implementation guidance

No content available.

CSF 2.0 crosswalk

No CSF mappings exist for this control.