CMMC 2.0 • LEVEL 1 • ACCESS CONTROL

AC.L1-3.1.1Account Management

Define the types of system accounts allowed and prohibited. Create, enable, modify, disable, and remove system accounts in accordance with policy, procedures, prerequisites, and criteria. Specify:
  • authorized users of the system,
  • group and role membership, and
  • access authorizations (i.e., privileges) for each account.
Authorize access to the system based on a valid access authorization and intended system usage. Monitor the use of system accounts. Disable system accounts when:
  • the accounts have expired,
  • the accounts have been inactive for 35 days (CMMC/STIG value),
  • the accounts are no longer associated with a user or individual,
  • the accounts are in violation of organizational policy, or
  • significant risks associated with individuals are discovered.
Notify account managers and designated personnel or roles:
  • within 24 hours (CMMC/STIG value) when accounts are no longer required,
  • within 8 business hours, i.e., the same day (CMMC/STIG value), when users are terminated or transferred, and
  • within 24 hours (CMMC/STIG value) when system usage or the need-to-know changes for an individual.
Require that users log out of the system after 15 minutes (CMMC/STIG value) of expected inactivity, or when the user leaves the workstation unattended or the session ends (CMMC/STIG value).
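The disable criteria above are the part of this practice that is easiest to check mechanically, and the check is where most of the edge cases live: an account that has never logged on has no last-logon timestamp to measure from, an expired account may still show recent activity, and an account already disabled should not be re-flagged. The following is an added example, not text or code from the original page; it evaluates constructed sample account records against the disable criteria listed above using the 35-day inactivity value. The record fields (`created`, `last_logon`, `expires`, `individual`, `risk_flagged`) are assumptions for illustration and do not correspond to any particular directory schema, and the choice to measure never-used accounts from their creation date and to treat 35 full idle days as meeting the threshold are interpretations you should confirm against your own written policy.

```python
"""Added example (not from the original page): evaluate accounts against the
AC.L1-3.1.1 disable criteria. Account records are constructed sample data and
the field names are assumptions, not a real directory schema."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Organization-defined parameter quoted on this page (CMMC/STIG value).
INACTIVITY_DAYS = 35


@dataclass
class Account:
    name: str
    enabled: bool
    created: date
    last_logon: date | None        # None = never logged on
    expires: date | None           # None = no expiry set
    individual: str | None         # None = no longer tied to a person
    risk_flagged: bool = False     # significant risk discovered for the individual


def disable_reasons(acct: Account, as_of: date) -> list[str]:
    """Return the disable criteria the account meets as of `as_of` (empty = leave enabled)."""
    if not acct.enabled:
        return []  # already disabled; nothing to do
    reasons: list[str] = []
    if acct.expires is not None and acct.expires <= as_of:
        reasons.append("expired")
    # Assumption: an account that has never logged on is measured from its
    # creation date, so a stale never-used account is still caught.
    idle_days = (as_of - (acct.last_logon or acct.created)).days
    if idle_days >= INACTIVITY_DAYS:  # assumption: 35 full idle days meets the threshold
        reasons.append(f"inactive {idle_days} days")
    if acct.individual is None:
        reasons.append("no associated individual")
    if acct.risk_flagged:
        reasons.append("significant risk")
    return reasons


def review_accounts(accounts: list[Account], as_of: date) -> dict[str, list[str]]:
    """Map each enabled account that must be disabled to the reasons why."""
    result: dict[str, list[str]] = {}
    for acct in accounts:
        reasons = disable_reasons(acct, as_of)
        if reasons:
            result[acct.name] = reasons
    return result


AS_OF = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [  # constructed sample data
    Account("alice", True, date(2023, 1, 1), date(2024, 2, 20), None, "Alice"),
    Account("bob", True, date(2023, 1, 1), date(2024, 1, 10), None, "Bob"),
    Account("dan", True, date(2023, 1, 1), date(2024, 1, 26), None, "Dan"),          # exactly 35 idle days
    Account("svc-legacy", True, date(2023, 12, 1), None, None, None),                # never logged on, orphaned
    Account("contractor", True, date(2023, 6, 1), date(2024, 2, 28), date(2024, 2, 29), "Carol"),  # active but expired
    Account("erin", True, date(2023, 1, 1), date(2024, 2, 29), None, "Erin", risk_flagged=True),
    Account("old-disabled", False, date(2020, 1, 1), None, None, None),              # already disabled
]

if __name__ == "__main__":
    for name, reasons in review_accounts(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"disable {name}: {', '.join(reasons)}")
```

In practice the records would come from the directory or identity provider, and the output would feed the disable action plus the account-manager notification the practice requires; the point of the example is that the review logic must handle the no-last-logon and already-disabled cases explicitly rather than rely on a single "last logon older than 35 days" filter.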

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system account types allowed are defined.
  • system account types prohibited are defined.
  • authorized users of the system are specified.
  • group and role memberships are specified.
  • access authorizations (i.e., privileges) for each account are specified.
  • access to the system is authorized based on a valid access authorization.
  • access to the system is authorized based on intended system usage.
  • the use of system accounts is monitored.
  • system accounts are disabled when the accounts have expired.
  • system accounts are disabled when the accounts have been inactive for 35 days (CMMC/STIG value).
  • system accounts are disabled when the accounts are no longer associated with a user or individual.
  • system accounts are disabled when the accounts violate organizational policy.
  • account managers and designated personnel or roles are notified within 24 hours (CMMC/STIG value) when accounts are no longer required.
  • account managers and designated personnel or roles are notified within 8 business hours, i.e., the same day (CMMC/STIG value), when users are terminated or transferred.
  • account managers and designated personnel or roles are notified within 24 hours (CMMC/STIG value) when system usage or the need-to-know changes for an individual.
  • system accounts are disabled when significant risks associated with individuals are discovered.
  • users are required to log out of the system after 15 minutes (CMMC/STIG value) of expected inactivity or when the following circumstances occur: the user leaves the workstation unattended or the session ends (CMMC/STIG value).

Practitioner Notes

Practitioner commentary coming soon.