NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.1 Account Management

  • Define the types of system accounts allowed and prohibited.
  • Create, enable, modify, disable, and remove system accounts in accordance with policy, procedures, prerequisites, and criteria.
  • Specify: authorized users of the system; group and role membership; and access authorizations (i.e., privileges) for each account.
  • Authorize access to the system based on a valid access authorization and intended system usage.
  • Monitor the use of system accounts.
  • Disable system accounts when: the accounts have expired; the accounts have been inactive for {{ insert: param, A.03.01.01.ODP.01 }}; the accounts are no longer associated with a user or individual; the accounts are in violation of organizational policy; or significant risks associated with individuals are discovered.
  • Notify account managers and designated personnel or roles within {{ insert: param, A.03.01.01.ODP.02 }} when accounts are no longer required; within {{ insert: param, A.03.01.01.ODP.03 }} when users are terminated or transferred; and within {{ insert: param, A.03.01.01.ODP.04 }} when system usage or the need-to-know changes for an individual.
  • Require that users log out of the system after {{ insert: param, A.03.01.01.ODP.05 }} of expected inactivity or when {{ insert: param, A.03.01.01.ODP.06 }}.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system account types allowed are defined.
  • system account types prohibited are defined.
  • authorized users of the system are specified.
  • group and role memberships are specified.
  • access authorizations (i.e., privileges) for each account are specified.
  • access to the system is authorized based on a valid access authorization.
  • access to the system is authorized based on intended system usage.
  • the use of system accounts is monitored.
  • system accounts are disabled when the accounts have expired.
  • system accounts are disabled when the accounts have been inactive for {{ insert: param, A.03.01.01.ODP.01 }}.
  • system accounts are disabled when the accounts are no longer associated with a user or individual.
  • system accounts are disabled when the accounts violate organizational policy.
  • account managers and designated personnel or roles are notified within {{ insert: param, A.03.01.01.ODP.02 }} when accounts are no longer required.
  • account managers and designated personnel or roles are notified within {{ insert: param, A.03.01.01.ODP.03 }} when users are terminated or transferred.
  • account managers and designated personnel or roles are notified within {{ insert: param, A.03.01.01.ODP.04 }} when system usage or the need-to-know changes for an individual.
  • system accounts are disabled when significant risks associated with individuals are discovered.
  • users are required to log out of the system after {{ insert: param, A.03.01.01.ODP.05 }} of expected inactivity or when the following circumstances occur: {{ insert: param, A.03.01.01.ODP.06 }}.

Practitioner Notes

This is the foundation of everything else in access control. You need to know exactly who has accounts on your systems and what those accounts can do, and you need a reliable process for turning them off when someone leaves, changes roles, or simply stops using them.

Example 1: In Active Directory, run a scheduled PowerShell job that queries Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate, whenCreated and disables any account whose last activity is older than the value you chose for ODP.01 (30 days is common). Two caveats: LastLogonDate is the replicated lastLogonTimestamp, which is refreshed only when the stored value is already 9 to 14 days old, so it is good enough for a 30-day rule but not for a 24-hour one; and an account that has never logged on has no LastLogonDate at all, so fall back to whenCreated or those accounts are silently skipped. Mail a weekly report to the account manager as well, but the objective is that accounts are disabled, so the job should disable and record, not only flag. The GPO at Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options → "Interactive logon: Machine inactivity limit" covers the inactivity requirement (ODP.05), not the disable policy; the value is in seconds, so 15 minutes is 900. It locks the session rather than logging the user out; for an actual logout on shared or Remote Desktop hosts, use the Remote Desktop Services session time limit policies with "End session when time limits are reached" enabled.
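The job described above, written out as an added example (not code from the original page). It assumes the RSAT ActiveDirectory module, an account permitted to disable users, a 30-day threshold standing in for your ODP.01 value, and a report path and sample accounts that are constructed here for illustration. The detection logic is separated into a function so it can be checked on constructed data before it touches the directory.

```powershell
# Added example; not from the original page. Assumes the RSAT ActiveDirectory module,
# an account allowed to disable users, and a 30-day threshold standing in for the
# value chosen for A.03.01.01.ODP.01. The report path and sample accounts are constructed.

$InactiveDays = 30
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

function Get-StaleAccounts {
    # Returns enabled accounts whose last activity is older than $Cutoff.
    # Works on any objects that carry SamAccountName, Enabled, LastLogonDate and
    # whenCreated, so it can be tested on constructed data first.
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [Parameter(Mandatory)] [datetime] $Cutoff
    )
    foreach ($a in $Accounts) {
        if (-not $a.Enabled) { continue }
        # LastLogonDate is the replicated lastLogonTimestamp, refreshed by default only
        # when the stored value is more than 9-14 days old: fine for a 30-day rule,
        # never proof that someone "logged on today".
        # An account that never logged on has no LastLogonDate; fall back to whenCreated
        # so a provisioned-but-unused account is caught instead of skipped.
        $last = if ($a.LastLogonDate) { $a.LastLogonDate } else { $a.whenCreated }
        if ($last -lt $Cutoff) {
            [pscustomobject]@{
                SamAccountName = $a.SamAccountName
                LastActivity   = $last
                Reason         = if ($a.LastLogonDate) { "inactive > $InactiveDays days" } else { 'never logged on' }
            }
        }
    }
}

# Constructed sample: alice is active, bob is stale, svc-new was created but never
# used, carol is already disabled and must be ignored.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   Enabled = $true;  LastLogonDate = $now.AddDays(-3);   whenCreated = $now.AddYears(-2) }
    [pscustomobject]@{ SamAccountName = 'bob';     Enabled = $true;  LastLogonDate = $now.AddDays(-45);  whenCreated = $now.AddYears(-2) }
    [pscustomobject]@{ SamAccountName = 'svc-new'; Enabled = $true;  LastLogonDate = $null;              whenCreated = $now.AddDays(-60) }
    [pscustomobject]@{ SamAccountName = 'carol';   Enabled = $false; LastLogonDate = $now.AddDays(-400); whenCreated = $now.AddYears(-3) }
)
Get-StaleAccounts -Accounts $sample -Cutoff $Cutoff | Format-Table -AutoSize

# Against the real directory. Run once with -WhatIf on Disable-ADAccount before scheduling.
Import-Module ActiveDirectory
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated
$stale = @(Get-StaleAccounts -Accounts $users -Cutoff $Cutoff)
foreach ($s in $stale) {
    # Disable, do not delete: the objective is "disabled", and the object keeps its SID
    # and group history for the later removal step and for any investigation.
    Disable-ADAccount -Identity $s.SamAccountName
    Set-ADUser -Identity $s.SamAccountName -Description "Disabled $($now.ToString('s')) by stale-account job ($($s.Reason))"
}
# Evidence for the assessor: what was disabled and why, on every run.
$stale | Export-Csv -Path "C:\Reports\stale-accounts-$($now.ToString('yyyyMMdd')).csv" -NoTypeInformation

# Verify the inactivity lock the GPO sets on this host. The value is in seconds, so
# a 15-minute limit must show as 900 or less.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$limit = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if ($limit -and $limit -le 900) { "Inactivity limit OK: $limit s" } else { "Inactivity limit missing or too long: $limit" }
```

Schedule it under a dedicated, least-privilege account that can only disable and annotate users, and keep the CSV exports: they are the record an assessor will ask for when checking that accounts are disabled within the ODP.01 period rather than merely reported.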

Example 2: In the Microsoft Entra admin center (formerly Azure AD), Identity → Users → Per-user MFA opens the legacy multifactor page; export it and cross-reference it against your active user list quarterly so that every enabled account is both authorized and registered. Set up an Access Review under Identity Governance → Access Reviews that asks managers every 90 days to confirm whether each team member still needs access (this requires Entra ID P2 or Entra ID Governance licensing). Be precise about what applying the results does: a denied member user is removed from the reviewed group or application, which removes that access but does not disable the account. Only reviews of guest users can be configured to block sign-in and then remove the guest from the tenant. Disabling a member account on denial, and revoking its sessions so the change takes effect before existing tokens expire, is a separate step.
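The reconciliation behind the quarterly cross-check above, covering the objective that accounts no longer associated with a user or individual are disabled, as an added example that is not code from the original page. It assumes the Microsoft.Graph.Users module with User.Read.All and User.ReadWrite.All consented, an HR export with EmployeeId and Status columns (an assumed format), and an assumed naming convention for service and break-glass accounts that are reviewed separately; the sample users and roster are constructed.

```powershell
# Added example; not from the original page. Assumes Microsoft.Graph.Users with
# User.Read.All and User.ReadWrite.All, an HR export with EmployeeId and Status columns
# (assumed format), and the 'svc-' / 'brk-' prefixes as an assumed convention for
# accounts that get their own review. Sample data below is constructed.

function Get-OrphanedAccounts {
    # Enabled member accounts that no active person in the HR roster owns.
    param(
        [Parameter(Mandatory)] [object[]] $DirectoryUsers,   # UserPrincipalName, AccountEnabled, UserType, EmployeeId
        [Parameter(Mandatory)] [object[]] $Roster,           # EmployeeId, Status
        [string[]] $ExemptPrefix = @('svc-', 'brk-')         # assumed convention; service and break-glass accounts
    )
    $active = @{}
    foreach ($r in $Roster) {
        if ($r.Status -eq 'active') { $active[[string]$r.EmployeeId] = $true }
    }
    foreach ($u in $DirectoryUsers) {
        if (-not $u.AccountEnabled) { continue }
        if ($u.UserType -eq 'Guest') { continue }            # guests belong to the guest access review
        $local = ($u.UserPrincipalName -split '@')[0]
        if ($ExemptPrefix | Where-Object { $local.StartsWith($_) }) { continue }
        $reason = $null
        if ([string]::IsNullOrEmpty($u.EmployeeId)) {
            $reason = 'no employee ID: not tied to an individual'
        } elseif (-not $active.ContainsKey([string]$u.EmployeeId)) {
            $reason = 'employee not active in HR roster'
        }
        if ($reason) {
            [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; EmployeeId = $u.EmployeeId; Reason = $reason }
        }
    }
}

# Constructed sample: alice is current staff, bob was terminated, the contractor account
# was never tied to a person, svc-backup is exempt, and the guest is out of scope here.
$roster = @(
    [pscustomobject]@{ EmployeeId = '1001'; Status = 'active' }
    [pscustomobject]@{ EmployeeId = '1002'; Status = 'terminated' }
)
$users = @(
    [pscustomobject]@{ Id = 'a1'; UserPrincipalName = 'alice@example.com';          AccountEnabled = $true; UserType = 'Member'; EmployeeId = '1001' }
    [pscustomobject]@{ Id = 'b2'; UserPrincipalName = 'bob@example.com';            AccountEnabled = $true; UserType = 'Member'; EmployeeId = '1002' }
    [pscustomobject]@{ Id = 'c3'; UserPrincipalName = 'contractor@example.com';     AccountEnabled = $true; UserType = 'Member'; EmployeeId = $null }
    [pscustomobject]@{ Id = 'd4'; UserPrincipalName = 'svc-backup@example.com';     AccountEnabled = $true; UserType = 'Member'; EmployeeId = $null }
    [pscustomobject]@{ Id = 'e5'; UserPrincipalName = 'guest_x#EXT#@example.com';   AccountEnabled = $true; UserType = 'Guest';  EmployeeId = $null }
)
Get-OrphanedAccounts -DirectoryUsers $users -Roster $roster | Format-Table -AutoSize

# Against the tenant. Review the list once by hand before letting the loop disable anything.
Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'
$users  = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, EmployeeId
$roster = Import-Csv -Path 'C:\HR\roster.csv'
foreach ($o in Get-OrphanedAccounts -DirectoryUsers $users -Roster $roster) {
    $id = ($users | Where-Object UserPrincipalName -eq $o.UserPrincipalName).Id
    # Disabling alone leaves already-issued tokens valid until they expire, so revoke
    # the user's sessions as well; otherwise the account keeps working for a while.
    Update-MgUser -UserId $id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $id | Out-Null
}
```

Run it on the same cadence as the HR feed, and treat the "no employee ID" hits as the more urgent class: those are the accounts nobody will ever report as terminated, because no termination event maps to them.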