IBM Cloud Docs
AC-2 (3) - Disable Accounts

Control requirements

AC-2 (3) (a)

Disable accounts within [IBM Assignment: 24 hours for user accounts] when the accounts have expired.

AC-2 (3) (b)

Disable accounts within [IBM Assignment: 24 hours for user accounts] when the accounts are no longer associated with a user or individual.

AC-2 (3) (c)

Disable accounts within [IBM Assignment: 24 hours for user accounts] when the accounts are in violation of organizational policy.

AC-2 (3) (d)

Disable accounts within [IBM Assignment: 24 hours for user accounts] when the accounts have been inactive for [IBM Assignment: ninety (90) days].
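
The four clauses above can be turned into an audit check over an account inventory. The following is an added example, not IBM documentation or an IBM Cloud API: the `Account` record and its field names are assumptions for illustration, and `evaluate` reports which clause applies to each account and whether the 24-hour disable window was met.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

INACTIVITY_LIMIT = timedelta(days=90)  # AC-2(3)(d) IBM assignment
DISABLE_WINDOW = timedelta(hours=24)   # IBM assignment for user accounts, clauses (a)-(d)

@dataclass
class Account:
    """Hypothetical inventory record; field names are assumptions, not an IBM Cloud API."""
    name: str
    enabled: bool
    created_at: datetime
    last_activity: Optional[datetime] = None   # None: never used since creation
    expires_at: Optional[datetime] = None      # None: no expiry set
    owner: Optional[str] = None                # None: no associated individual (b)
    orphaned_since: Optional[datetime] = None  # when the owner association was lost
    violation_since: Optional[datetime] = None # when a policy violation was recorded (c)
    disabled_at: Optional[datetime] = None     # when the account was actually disabled

@dataclass
class Finding:
    account: str
    clauses: List[str]   # which of (a)-(d) apply
    deadline: datetime   # latest time by which the account must be disabled
    overdue: bool        # still enabled past the deadline, or disabled after it

def evaluate(accounts, now):
    """Return one Finding per account that meets any AC-2(3) condition."""
    findings = []
    for a in accounts:
        triggers = []  # (clause, time the condition arose)
        if a.expires_at is not None and a.expires_at <= now:
            triggers.append(("a", a.expires_at))
        if a.owner is None:
            triggers.append(("b", a.orphaned_since or a.created_at))
        if a.violation_since is not None:
            triggers.append(("c", a.violation_since))
        last_seen = a.last_activity or a.created_at
        if now - last_seen >= INACTIVITY_LIMIT:
            triggers.append(("d", last_seen + INACTIVITY_LIMIT))
        if not triggers:
            continue
        # The 24-hour clock starts when the earliest condition arose.
        deadline = min(t for _, t in triggers) + DISABLE_WINDOW
        # Enabled: compare now; disabled: compare the disable time (unknown time is not flagged).
        when = now if a.enabled else (a.disabled_at or deadline)
        overdue = when > deadline
        findings.append(Finding(a.name, [c for c, _ in triggers], deadline, overdue))
    return findings
```

An account that is disabled inside the window still appears as a finding with `overdue=False`, so the output doubles as evidence that the control was met.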

NIST supplemental guidance

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.