GRCWatch
Sign inStart free trial

IA.L2-3.5.6 Identifier Handling: Disable Inactive Accounts

CMMC Level 2 requires organizations to automatically disable user identifiers when they remain inactive for a defined period. This control reduces risk from abandoned or forgotten accounts that attackers could exploit. Proper implementation requires clear policies, technical controls, and regular monitoring.

What this means

Organizations must establish and enforce a process to disable user accounts and identifiers after they have been inactive for a set timeframe. This prevents dormant accounts from becoming security liabilities—forgotten credentials are easier targets for unauthorized access. The control applies across systems holding sensitive unclassified information (SUI) or controlled technical information (CTI).

How to comply

  1. 1.Define an inactivity threshold (e.g., 90 days of no login activity) in your access control policy
  2. 2.Configure automated account disablement tools within identity and access management (IAM) systems
  3. 3.Implement monitoring and alerting to track when accounts approach the inactivity deadline
  4. 4.Document the disablement process and criteria for re-enabling accounts if needed
  5. 5.Review and test the automated process quarterly to ensure it functions as intended
  6. 6.Maintain audit logs showing when and why identifiers were disabled

Evidence auditors look for

  • Access control policy document specifying inactivity period and disablement procedures
  • IAM system configuration screenshots showing automated disablement rules
  • Audit logs demonstrating accounts disabled due to inactivity over the past 12 months
  • Monitoring dashboard or reports showing account status and inactivity tracking
  • Documented testing results of the automated disablement process
  • Re-enablement request procedures and approval records

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates identifier inactivity monitoring and generates audit-ready reports showing which accounts were disabled and when, eliminating manual tracking and audit log review.

See how GRCWatch handles this control automatically

Start free trial

Related controls

IA.L2-3.5.1 Access ControlIA.L2-3.5.2 Identifier ManagementIA.L2-3.5.3 User Registration and DeregistrationIA.L2-3.5.4 Privilege ManagementAC.L2-3.1.1 Authorized Access ControlAU.L2-3.3.1 Audit Event Logging