AC-2.3: Disable Accounts

An OSCAL Control

Statement

    • Disable accounts within when the accounts:

      • (a) Have expired;

      • (b) Are no longer associated with a user or individual;

      • (c) Are in violation of organizational policy; or

      • (d) Have been inactive for .

        • Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

        • (d) Requirement: The service provider defines the time period of inactivity for device identifiers.

        • Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.