NIST 800-53 REV 5 • ACCESS CONTROL

AC-2(8) Dynamic Account Management

Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges.

Practitioner Notes

Dynamic account management means the system creates or adjusts accounts automatically based on changing conditions — like an employee moving to a new department or a threat level increasing.

Example 1: Use Azure AD dynamic groups with rules like user.department -eq "Engineering" so that when HR updates someone's department in the HRIS, their group memberships (and therefore their access) update automatically. No tickets, no manual group changes.

Example 2: Implement SCIM provisioning between your identity provider and SaaS applications like Salesforce or ServiceNow. When an employee's role changes in Azure AD, SCIM automatically updates their permissions in the downstream application within minutes.
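
The receiving side of the SCIM provisioning in Example 2, as an added example (not code from NIST, Microsoft, or any SaaS vendor): a downstream application applies SCIM 2.0 PatchOp messages, derives permissions from the department attribute, and records each automated change. The attribute allow-list, the department-to-permission mapping, and the sample user and messages are assumptions constructed for illustration.

```python
# Added example, not vendor code: a downstream app applying SCIM 2.0 PatchOp (RFC 7644).
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
DEPT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department"

# Assumption: the provisioning client may change only these attributes.
MUTABLE = {"active", DEPT}
# Hypothetical mapping from department to this application's permissions.
DEPT_ROLES = {"Engineering": {"repo:write"}, "Sales": {"crm:edit"}}


def to_bool(value):
    """Accept JSON booleans and the "True"/"False" strings some clients send."""
    if isinstance(value, bool):
        return value
    if str(value).lower() in ("true", "false"):
        return str(value).lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


def apply_patch(user, patch, audit):
    """Return an updated copy of user; on any rejected operation change nothing."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated, pending = dict(user), []
    for op in patch.get("Operations", []):
        name, path = str(op.get("op", "")).lower(), op.get("path")
        if name != "replace" or path not in MUTABLE:
            raise ValueError(f"rejected operation: {name!r} on {path!r}")
        value = to_bool(op["value"]) if path == "active" else op["value"]
        pending.append((user["userName"], path, updated.get(path), value))
        updated[path] = value
    # Permissions are derived from identity attributes, never set by the client.
    dept = updated.get(DEPT)
    roles = DEPT_ROLES.get(dept, ()) if isinstance(dept, str) else ()
    updated["roles"] = set(roles) if updated.get("active", False) else set()
    audit.extend(pending)  # one record per automated change, for account review
    return updated


# Constructed sample data: a user, a department move, and a deactivation.
ALICE = {"userName": "alice@example.com", "active": True, DEPT: "Sales",
         "roles": {"crm:edit"}}
MOVE = {"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": DEPT, "value": "Engineering"}]}
DISABLE = {"schemas": [PATCH_SCHEMA],
           "Operations": [{"op": "replace", "path": "active", "value": "False"}]}

if __name__ == "__main__":
    log = []
    moved = apply_patch(ALICE, MOVE, log)
    print(moved["roles"], apply_patch(moved, DISABLE, log)["roles"], log)
```

Because permissions are recomputed from the department and active attributes on every patch, a deactivation strips all access in the same step, and a message that tries to write roles directly is rejected without leaving a partial change or audit entry.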