AC-2 (3) - Disable Accounts
Control requirements
AC-2 (3) (a)
Disable accounts within [IBM Assignment: 24 hours for user accounts] when the accounts: Have expired.
AC-2 (3) (b)
Disable accounts within [IBM Assignment: 24 hours for user accounts] when the accounts: Are no longer associated with a user or individual.
AC-2 (3) (c)
Disable accounts within [IBM Assignment: 24 hours for user accounts] when the accounts: Are in violation of organizational policy.
AC-2 (3) (d)
Disable accounts within [IBM Assignment: 24 hours for user accounts] when the accounts: Have been inactive for [IBM Assignment: ninety (90) days].
NIST supplemental guidance
Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.