NIST 800-53 REV 5 • ACCESS CONTROL

AC-2(2) Automated Temporary and Emergency Account Management

Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

Practitioner Notes

Temporary and emergency accounts are high-risk because people tend to forget about them. This control says those accounts must automatically expire or be removed — you cannot rely on someone remembering to turn them off.

Example 1: In Active Directory, always set the Account Expires field when creating temporary accounts. Use the PowerShell command Set-ADAccountExpiration -Identity tempuser -DateTime '03/31/2026'. Run a daily scheduled task that reports any expired but still-enabled accounts.
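One way to build the daily report from Example 1 is sketched below. It is an added example, not part of the control text or any vendor tooling. It also flags temporary accounts created with no expiration, or with one that is too long. The OU path, the 30-day lifetime and the report path are assumptions to replace with your own values.

```powershell
#Requires -Modules ActiveDirectory
# Added example: daily AC-2(2) audit of temporary and emergency accounts.
# Assumption: all such accounts are created under $TempOu (hypothetical OU path).
param(
    [string]$TempOu          = 'OU=Temporary,DC=example,DC=com',  # hypothetical
    [int]   $MaxLifetimeDays = 30,                                # assumed org-defined period
    [string]$ReportPath      = '.\temp-account-audit.csv',        # assumed report location
    [switch]$Disable                                              # also disable expired accounts
)

$now      = Get-Date
$accounts = Get-ADUser -SearchBase $TempOu -Filter * -Properties AccountExpirationDate, whenCreated

# Classify each account; accounts with no issue produce no output row.
$findings = @(foreach ($a in $accounts) {
    $issue = if (-not $a.AccountExpirationDate) {
        'No expiration set'
    } elseif ($a.AccountExpirationDate -le $now -and $a.Enabled) {
        'Expired but still enabled'
    } elseif (($a.AccountExpirationDate - $a.whenCreated).TotalDays -gt $MaxLifetimeDays) {
        'Expiration exceeds allowed lifetime'
    }
    if ($issue) {
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            Enabled        = $a.Enabled
            Created        = $a.whenCreated
            Expires        = $a.AccountExpirationDate
            Issue          = $issue
        }
    }
})

# Write the report even when empty, so a missing file means the task did not run.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

# Optional enforcement: disable accounts that are past expiry but still enabled.
if ($Disable) {
    $findings |
        Where-Object { $_.Issue -eq 'Expired but still enabled' } |
        ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName }
}

$findings
```

Run it from a daily scheduled task under an account that can read the OU. The -Disable switch additionally needs permission to modify those user objects.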

Example 2: In Azure AD, use Azure AD → Identity Governance → Entitlement Management to create access packages with automatic expiration. Set emergency contractor accounts to expire in 72 hours. The system sends a warning email 24 hours before expiration and auto-removes access when the clock runs out.