NIST 800-171 3.5.6: Disabling Identifiers After Inactivity Periods
Inactive user accounts are a significant security risk—they become stale, forgotten, and exploitable. NIST SP 800-171 control 3.5.6 requires organizations to automatically disable identifiers after a defined period of non-use. This control reduces the attack surface and ensures only active, monitored users maintain system access.
What this means
Control 3.5.6 mandates that organizations establish and enforce a policy to automatically disable user identifiers (accounts, login credentials, system access tokens) when those identifiers remain inactive for a predetermined time period. This prevents dormant accounts from becoming a backdoor for attackers and ensures your access control remains current and auditable. The 'defined period' should align with your organization's risk tolerance and operational needs—commonly 30, 60, or 90 days.
How to comply
- 1.Define an inactivity threshold (e.g., 60 days of no login or account use) that aligns with your security posture and business requirements.
- 2.Document the policy in your access control procedures, including the specific time period, which systems are covered, and who is responsible for enforcement.
- 3.Configure automated mechanisms (identity management system, directory service, or IAM platform) to flag and disable identifiers after the threshold is reached.
- 4.Establish a re-enablement process: users should be able to request account reactivation with proper identity verification and approval.
- 5.Log all identifier disablement actions for audit trails and compliance evidence.
- 6.Test the automated disablement process quarterly to ensure it functions correctly and captures all systems.
- 7.Communicate the policy to users so they understand the inactivity window and re-enablement steps.
Evidence auditors look for
- Access control policy document specifying inactivity periods for user accounts and identifiers.
- IAM system configuration screenshots showing automated disablement rules and time thresholds.
- Audit logs showing disabled accounts and the dates they were deactivated due to inactivity.
- Re-enablement request records demonstrating the process for reactivating disabled identifiers.
- System administrator procedures documenting how identifiers are monitored and disabled.
- Quarterly test results confirming automated disablement functionality across all covered systems.
- User communications or training materials explaining the inactivity policy.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch's identity management module automatically tracks user inactivity, triggers disablement workflows, logs all actions, and generates audit-ready evidence—eliminating manual account reviews and compliance gaps.
See how GRCWatch handles this control automatically
Start free trial