NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.1 Account Management

Define the types of system accounts allowed and prohibited. Create, enable, modify, disable, and remove system accounts in accordance with policy, procedures, prerequisites, and criteria. Specify:
  • Authorized users of the system,
  • Group and role membership, and
  • Access authorizations (i.e., privileges) for each account.
Authorize access to the system based on:
  • A valid access authorization and
  • Intended system usage.
Monitor the use of system accounts. Disable system accounts when:
  • The accounts have expired,
  • The accounts have been inactive for organization-defined parameter,
  • The accounts are no longer associated with a user or individual,
  • The accounts are in violation of organizational policy, or
  • Significant risks associated with individuals are discovered.
Notify account managers and designated personnel or roles within:
  • organization-defined parameter when accounts are no longer required,
  • organization-defined parameter when users are terminated or transferred, and
  • organization-defined parameter when system usage or the need-to-know changes for an individual.
Require that users log out of the system after organization-defined parameter of expected inactivity or when organization-defined parameter.

Assessment Objectives

  • system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria.
  • system account types allowed are defined.
  • system account types prohibited are defined.
  • authorized users of the system are specified.
  • group and role memberships are specified.
  • access authorizations (i.e., privileges) for each account are specified.
  • access to the system is authorized based on a valid access authorization.
  • access to the system is authorized based on intended system usage.
  • the use of system accounts is monitored.
  • system accounts are disabled when the accounts have expired.
  • system accounts are disabled when the accounts have been inactive for organization-defined parameter.
  • system accounts are disabled when the accounts are no longer associated with a user or individual.
  • system accounts are disabled when the accounts violate organizational policy.
  • account managers and designated personnel or roles are notified within organization-defined parameter when accounts are no longer required.
  • account managers and designated personnel or roles are notified within organization-defined parameter when users are terminated or transferred.
  • account managers and designated personnel or roles are notified within organization-defined parameter when system usage or the need-to-know changes for an individual.
  • system accounts are disabled when significant risks associated with individuals are discovered.
  • users are required to log out of the system after organization-defined parameter of expected inactivity or when the following circumstances occur: organization-defined parameter.

Practitioner Notes

This is the foundation of everything else in access control. You need to know exactly who has accounts on your systems, what those accounts can do, and have a reliable process for turning them off when someone leaves or changes roles.

Example 1: In Active Directory, schedule a PowerShell script that runs Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate and flags any enabled account inactive for 30+ days; e-mail the report to the account manager weekly, and disable the flagged accounts once approved exceptions (service accounts, leave of absence) have been checked. Two caveats: LastLogonDate is derived from lastLogonTimestamp, which replicates only every 9 to 14 days, so it is accurate to roughly two weeks rather than to the day, and accounts that have never signed in have no LastLogonDate at all, so a script that only compares that attribute silently skips them (use whenCreated as the fallback). For the inactivity requirement, set the GPO at Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options → "Interactive logon: Machine inactivity limit" to 900 seconds to lock the session after 15 minutes. Note that this is a lock, not a log-off; if your organization-defined parameter literally requires users to be logged out, you also need a session time limit (for example the Remote Desktop Services session time limits under Administrative Templates) or an equivalent mechanism.
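The scheduled inactivity check described above, as an added example written for this page (it is not code from the original page or from any vendor). It assumes the RSAT ActiveDirectory module, read/write rights on the target OU, and that the OU path, the exception group name and the report path are placeholders you replace; it handles the two pitfalls noted above (replication lag and never-logged-on accounts) and only disables when run with -Disable, honouring -WhatIf.

```powershell
# Added example: report (and optionally disable) enabled AD accounts inactive for > $InactiveDays days.
# Assumptions (not from the page): the OU, exception group and report path below are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 30,
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',     # placeholder OU, adjust for your domain
    [string[]]$ExcludeGroups = @('Inactivity-Exceptions'),  # hypothetical approved-exception group
    [string]$ReportPath = "$env:TEMP\inactive-accounts.csv",
    [switch]$Disable
)

Import-Module ActiveDirectory -ErrorAction Stop

# LastLogonDate comes from lastLogonTimestamp, which replicates only every 9-14 days.
# Pad the threshold by that lag so a recently active user is not flagged on a stale DC.
$replicationLagDays = 14
$cutoff = (Get-Date).AddDays(-($InactiveDays + $replicationLagDays))

# Pull enabled users with the attributes needed for the decision. Accounts that have
# never signed in have a null LastLogonDate; fall back to whenCreated so a provisioned
# but never-used account is still caught instead of being silently skipped.
$candidates = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
    -Properties LastLogonDate, whenCreated, Description, MemberOf |
    Where-Object {
        $lastActivity = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $lastActivity -lt $cutoff
    }

# Resolve approved exception groups to DNs and drop members (MemberOf holds group DNs).
$excludeDns = foreach ($g in $ExcludeGroups) {
    try { (Get-ADGroup -Identity $g -ErrorAction Stop).DistinguishedName } catch { }
}
$targets = $candidates | Where-Object {
    -not ($_.MemberOf | Where-Object { $excludeDns -contains $_ })
}

# Build the report the account manager receives, including how stale each account is.
$report = $targets | Select-Object SamAccountName, Name, LastLogonDate, whenCreated, Description,
    @{ n = 'DaysInactive'; e = {
        $d = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        [int]((Get-Date) - $d).TotalDays } },
    @{ n = 'NeverLoggedOn'; e = { -not $_.LastLogonDate } }

$report | Sort-Object DaysInactive -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} inactive account(s) written to {1}" -f @($report).Count, $ReportPath)

if ($Disable) {
    foreach ($u in $targets) {
        # Stamp the reason into Description first so the disable is auditable, then disable.
        $stamp = 'Disabled {0:yyyy-MM-dd} by inactivity check (> {1} days)' -f (Get-Date), $InactiveDays
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable inactive account')) {
            Set-ADUser -Identity $u -Description $stamp
            Disable-ADAccount -Identity $u
        }
    }
}
```

Run it first as .\Find-InactiveAccounts.ps1 -Disable -WhatIf to see what would be disabled without touching anything, then schedule the reporting run weekly and the disabling run only after the report has been reviewed; the Description stamp gives an assessor the evidence trail for the "accounts are disabled when inactive" objective.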

Example 2: In the Microsoft 365 Admin Center, go to Azure AD (now Microsoft Entra ID) → Identity → Users → Per-user MFA and cross-reference the list against your authorized-user list quarterly, so that every cloud account maps to a named, still-employed person or an approved service identity. Then set up an Access Review under Azure AD → Identity Governance → Access Reviews that asks managers every 90 days to confirm whether each member of the reviewed group or application still needs access; set "If reviewers don't respond" to Remove access and configure a fallback reviewer for users who have no manager in the directory. With "Auto apply results to resource" enabled, denied users are removed from the reviewed group or application when the review closes. Note that the review removes the access, it does not disable the account itself, so the account-disable step for leavers still has to come from your HR-driven offboarding process.