NIST 800-53 REV 5 • ACCESS CONTROL
AC-2(13) — Disable Accounts for High-risk Individuals
Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.
Supplemental Guidance
Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.
Practitioner Notes
When HR or management identifies a high-risk individual — someone under investigation, on a performance plan, or giving notice — their system access needs to be disabled quickly. This is not about punishment; it is about protecting the organization during a heightened risk window.
Example 1: Establish an SOP with HR that triggers an immediate account disable in Active Directory within 1 hour of a formal risk designation. Use Disable-ADAccount -Identity username and document the action in your ticketing system with the HR case reference number.
Example 2: In Azure AD, use Conditional Access to create a named group called High Risk Users. Build a policy that blocks all access for members of this group. When HR flags someone, add them to this group immediately. This is faster than disabling the account and preserves the account state for forensic purposes.
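The group-based block in Example 2, as an added PowerShell illustration using the Microsoft Graph PowerShell SDK (not text from NIST or Microsoft). It assumes the Microsoft.Graph.Groups, Microsoft.Graph.Users and Microsoft.Graph.Users.Actions modules, an existing Connect-MgGraph session with the GroupMember.ReadWrite.All and User.ReadWrite.All scopes, and that the Conditional Access block policy already targets the named group; the function name and sample values are hypothetical. One caveat the page's example does not mention: a Conditional Access block is evaluated when a token is issued or refreshed, so sessions that already hold a valid access token keep working until it expires unless you also revoke the user's sign-in sessions, which the -RevokeSessions switch does.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
<#
  Added example for AC-2(13) Example 2. Assumptions: Connect-MgGraph has already been run
  with GroupMember.ReadWrite.All and User.ReadWrite.All, and a Conditional Access policy
  that blocks all access already targets the group named below. Values are placeholders.
#>
function Add-UserToHighRiskGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $HrCaseReference,   # formal HR risk designation reference
        [string] $GroupDisplayName = 'High Risk Users',     # group targeted by the CA block policy
        [switch] $RevokeSessions                            # also invalidate existing refresh tokens
    )

    # Resolve the group by display name and insist on exactly one match, so a similarly
    # named group cannot silently receive the member instead.
    $groups = @(Get-MgGroup -Filter "displayName eq '$GroupDisplayName'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)"
    }
    $group = $groups[0]

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

    # Skip the add if the user is already a member (New-MgGroupMember errors on duplicates).
    $alreadyMember = Get-MgGroupMember -GroupId $group.Id -All |
        Where-Object { $_.Id -eq $user.Id }

    $now = Get-Date
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Add to '$GroupDisplayName' (HR case $HrCaseReference)")) {
        if (-not $alreadyMember) {
            New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        }
        if ($RevokeSessions) {
            # Forces re-authentication so the CA block applies to sessions that already hold tokens.
            Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        }
    }

    # Evidence record for the ticket. The account stays enabled, preserving its state for forensics.
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        UserId            = $user.Id
        AccountEnabled    = $user.AccountEnabled
        GroupId           = $group.Id
        WasAlreadyMember  = [bool]$alreadyMember
        SessionsRevoked   = [bool]$RevokeSessions
        AddedAt           = $now
        HrCaseReference   = $HrCaseReference
    }
}

# Usage (placeholder values); add -WhatIf to preview without changing the directory:
# Add-UserToHighRiskGroup -UserPrincipalName 'jdoe@example.com' -HrCaseReference 'HR-0000' -RevokeSessions
```

Azure AD is now named Microsoft Entra ID, but the group and Conditional Access objects referenced here are unchanged. Keep the returned record with the HR case reference in the ticket, and have the SOP define who reviews the group periodically so people are removed once the risk window closes.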