NIST 800-53 REV 5 • ACCESS CONTROL

AC-2(3) Disable Accounts

Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for {{ insert: param, ac-02.03_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.

Practitioner Notes

Stale accounts are an attacker's best friend. This control requires you to disable accounts within the organization-defined time period when they expire, when the person leaves, when they violate policy, or when they have been sitting unused for longer than the organization-defined inactivity period.

Example 1: Configure the GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Interactive logon: Machine inactivity limit" and pair it with a PowerShell script that disables any AD account with no logon in 35 days. Run it as a nightly scheduled task.
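The nightly PowerShell script that Example 1 refers to, as an added illustration (this is not part of the NIST control text or any vendor's tooling). It assumes the RSAT ActiveDirectory module is installed and that the scheduled task runs under an account allowed to disable users in the target OU; the search base, exemption group name and log path are placeholders you would replace. Accounts in the exemption group (service and break-glass accounts) are skipped, never-used accounts younger than the window are left to provisioning policy, and every disable is recorded in the account description and a log file so the action is auditable. Run it first with -WhatIf to review what it would disable.

```powershell
# Added example: disable on-prem AD user accounts with no logon in N days (AC-2(3)).
# Assumes RSAT ActiveDirectory module; all names below are placeholders.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]    $InactiveDays   = 35,
    [string] $SearchBase     = 'OU=Users,DC=example,DC=com',   # placeholder OU
    [string] $ExclusionGroup = 'AC-2-3-Exempt',                # placeholder group for service/break-glass accounts
    [string] $LogPath        = 'C:\Logs\AC-2-3-disable.log'    # placeholder log path
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Build a lookup of accounts that must never be touched by this job.
$exempt = @{}
Get-ADGroupMember -Identity $ExclusionGroup -Recursive -ErrorAction SilentlyContinue |
    ForEach-Object { $exempt[$_.DistinguishedName] = $true }

# Search-ADAccount -AccountInactive evaluates lastLogonTimestamp, which replicates
# with up to roughly 14 days of lag, so a 35-day window gives a safe margin over 30.
$candidates = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled -and -not $exempt.ContainsKey($_.DistinguishedName) }

foreach ($acct in $candidates) {
    $user = Get-ADUser -Identity $acct.DistinguishedName -Properties LastLogonDate, whenCreated

    # A freshly created account that has never logged on has no LastLogonDate;
    # leave it to provisioning policy rather than disabling it as "inactive".
    if (-not $user.LastLogonDate -and $user.whenCreated -gt $cutoff) { continue }

    $lastSeen = if ($user.LastLogonDate) { $user.LastLogonDate.ToString('s') } else { 'never' }
    $reason   = "AC-2(3): disabled $(Get-Date -Format s); last logon $lastSeen"

    # -WhatIf / -Confirm are honoured here because of SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $user
        # Stamp the reason on the object so reviewers can see why it was disabled.
        Set-ADUser -Identity $user -Description $reason
        Add-Content -Path $LogPath -Value ("{0}`t{1}" -f $user.SamAccountName, $reason)
    }
}
```

Register it as a scheduled task that runs nightly under a dedicated, least-privilege service account (for example with Register-ScheduledTask and a daily trigger), and feed the log file to your SIEM so each disable produces an event you can reconcile against HR leaver records.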

Example 2: In M365, navigate to Azure AD → Security → Conditional Access and create a policy that blocks sign-ins for accounts flagged as inactive by Identity Protection. Set the inactivity threshold to 30 days in your tenant settings. Combine this with an alert to IT when an account is blocked.