NIST 800-171 - Disable for Inactivity (3.5.6)
Overview:
Disable identifiers after a defined period of inactivity.
Action Items:
3.5.6[a] Determine if: a period of inactivity after which an identifier is disabled is defined.
3.5.6[b] Determine if: identifiers are disabled after the defined period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of system accounts; list of identifiers generated from physical access control devices; other relevant documents or records.
2) Interview: Personnel with identifier management responsibilities; personnel with information security responsibilities; system or network administrators; system developers.
3) Test: Mechanisms supporting or implementing identifier management.
Related Documents (document name and content will vary by organization):
1) Identification and authentication policy
2) procedures addressing identifier management
3) procedures addressing account management
4) system security plan
5) system design documentation
6) system configuration settings and associated documentation
7) list of system accounts
8) list of identifiers generated from physical access control devices
9) other relevant documents or records
Additional Guidance:
Inactive identifiers pose a risk to organizational information because an attacker who takes over a dormant identifier can use it to reach organizational systems without being noticed: the owner of an account that is no longer in use is unlikely to observe that someone else has obtained access to it.
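The following is an added example, not part of the NIST text above, showing the mechanism an assessor would exercise under the "Test" method: a defined inactivity period (3.5.6[a]) and a routine that disables every enabled identifier whose last activity is older than that period (3.5.6[b]). The 90-day period, the account records and the timestamps are all constructed for the example; the control itself fixes no number, and a real deployment would read accounts from the directory or operating system instead of a hard-coded list.

```python
"""Inactivity-based identifier disabling (NIST SP 800-171 3.5.6).

Added example with constructed sample accounts; not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# 3.5.6[a]: the organization-defined inactivity period. 90 days is an
# assumed value for this example; the control itself does not fix a number.
INACTIVITY_PERIOD = timedelta(days=90)


@dataclass
class Account:
    identifier: str
    created: datetime
    last_activity: Optional[datetime]  # None: the identifier has never authenticated
    enabled: bool = True


def last_seen(acct: Account) -> datetime:
    """Reference point for the inactivity clock.

    An identifier that was issued but never used must still age out, so the
    creation time stands in for the last activity in that case. Otherwise a
    never-used account would be exempt from the control forever.
    """
    return acct.last_activity if acct.last_activity is not None else acct.created


def days_inactive(acct: Account, now: datetime) -> int:
    """Whole days since the identifier was last seen."""
    return (now - last_seen(acct)).days


def find_inactive(accounts: List[Account], now: datetime,
                  period: timedelta = INACTIVITY_PERIOD) -> List[str]:
    """Identifiers that are still enabled and exceed the inactivity period.

    The comparison is strict: an identifier used exactly `period` ago is not
    yet inactive. Already-disabled identifiers are ignored.
    """
    return [a.identifier for a in accounts
            if a.enabled and now - last_seen(a) > period]


def disable_inactive(accounts: List[Account], now: datetime,
                     period: timedelta = INACTIVITY_PERIOD) -> List[str]:
    """3.5.6[b]: disable every identifier that find_inactive() flags.

    Returns one audit-log style record per action so the disabling is
    evidenced. Running it twice is harmless: nothing is re-disabled.
    """
    records = []
    for a in accounts:
        if a.enabled and now - last_seen(a) > period:
            a.enabled = False
            records.append(f"{now.isoformat()} DISABLED identifier={a.identifier} "
                           f"inactive_days={days_inactive(a, now)} "
                           f"threshold_days={period.days}")
    return records


def build_sample_accounts() -> List[Account]:
    """Constructed sample data for the example (not from any real system)."""
    utc = timezone.utc
    return [
        Account("alice", datetime(2023, 1, 10, tzinfo=utc), datetime(2024, 5, 20, tzinfo=utc)),
        Account("bob", datetime(2022, 6, 1, tzinfo=utc), datetime(2024, 1, 15, tzinfo=utc)),
        Account("svc-backup", datetime(2021, 3, 3, tzinfo=utc), datetime(2024, 2, 1, tzinfo=utc)),
        Account("carol", datetime(2024, 5, 25, tzinfo=utc), None),  # new, never used
        Account("dave", datetime(2024, 2, 10, tzinfo=utc), None),   # never used, stale
        Account("erin", datetime(2020, 1, 1, tzinfo=utc), datetime(2023, 12, 1, tzinfo=utc),
                enabled=False),                                       # already disabled
    ]


# Fixed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def main() -> None:
    accounts = build_sample_accounts()
    for a in accounts:
        print(f"{a.identifier:<11} enabled={a.enabled!s:<5} "
              f"inactive_days={days_inactive(a, SAMPLE_NOW)}")
    print("to disable:", find_inactive(accounts, SAMPLE_NOW))
    for line in disable_inactive(accounts, SAMPLE_NOW):
        print(line)


if __name__ == "__main__":
    main()
```

With the constructed data, `bob`, `svc-backup` and `dave` exceed the 90-day period and are disabled; `dave` is caught only because never-used identifiers are aged from their creation date, which is the case an implementation most often gets wrong. The returned records are what an assessor would ask to see alongside the configured period.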