CCI-000795
The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.
22
Rule
Severity: Medium
Set Account Expiration Following Inactivity
9
Rule
Severity: Medium
Set existing passwords a period of inactivity before they been locked
2
Rule
Severity: Medium
Set Account Expiration Following Inactivity in password-auth
2
Rule
Severity: Medium
Set Account Expiration Following Inactivity in system-auth
1
Rule
Severity: Medium
Compliance Guardian must provide automated mechanisms for supporting account management functions.
1
Rule
Severity: Medium
The application server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
2
Rule
Severity: Medium
The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.
1
Rule
Severity: Medium
The Central Log Server must disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity.
1
Rule
Severity: Medium
The HP FlexFabric Switch must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
1
Rule
Severity: Medium
IBM Aspera Faspex must disable account identifiers after 35 days of inactivity.
1
Rule
Severity: Medium
The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
1
Rule
Severity: Medium
The IBM z/VM Security Manager must provide a procedure to disable userIDs after 35 days of inactivity.
2
Rule
Severity: Medium
JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.
1
Rule
Severity: Low
Nutanix AOS must be configured to disable user accounts after the password expires.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
The UEM server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
2
Rule
Severity: Medium
The macOS system must disable accounts after 35 days of inactivity.
3
Rule
Severity: Medium
The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
1
Rule
Severity: Medium
The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
1
Rule
Severity: Medium
The operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
1
Rule
Severity: Medium
CA-ACF2 userids found inactive for more than 35 days must be suspended.
1
Rule
Severity: Medium
ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
1
Rule
Severity: Medium
CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days.
1
Rule
Severity: Medium
The CA-TSS INACTIVE Control Option must be properly set.
1
Rule
Severity: Medium
The IBM RACF INACTIVE SETROPTS value must be set to 35 days.
6
Rule
Severity: Low
Unused accounts must be disabled or removed from the system after 35 days of inactivity.
2
Rule
Severity: Medium
Outdated or unused accounts must be removed from the system or disabled.
3
Rule
Severity: Medium
Windows Server 2019 outdated or unused accounts must be removed or disabled.
3
Rule
Severity: Medium
Windows Server 2022 outdated or unused accounts must be removed or disabled.
2
Rule
Severity: Medium
The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.
2
Rule
Severity: Medium
The OL 8 system-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity.
2
Rule
Severity: Medium
The OL 8 password-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity.
2
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.
2
Rule
Severity: Medium
RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
4
Rule
Severity: Medium
The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
2
Rule
Severity: Medium
RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
2
Rule
Severity: Medium
User accounts must be locked after 35 days of inactivity.
1
Rule
Severity: Medium
The VMM must disable local account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
4
Rule
Severity: Medium
The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
1
Rule
Severity: Medium
The Photon operating system must disable new accounts immediately upon password expiration.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
1
Rule
Severity: Medium
Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
SLEM 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.