AC-2(3)
Disable Accounts
Access Control (AC)
Baselines
Low · Not included
Moderate · Included
High · Included
Description
Disable accounts within [assignment] when the accounts: Have expired; Are no longer associated with a user or individual; Are in violation of organizational policy; or Have been inactive for [assignment].
Discussion
Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
Implementation guidance
No content available.
CSF 2.0 crosswalk
No CSF mappings exist for this control.