NIST 800-53 REV 5 • ACCESS CONTROL

AC-9(3) Notification of Account Changes

Notify the user, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge.

Practitioner Notes

Notify users when their account has been changed — password reset, permissions modified, or MFA device added. If they did not initiate the change, they should report it immediately.

Example 1: In Azure AD, configure Notifications under Security → Identity Protection to send users an email when their password is changed, a new MFA method is registered, or a suspicious sign-in is detected on their account.

Example 2: Use Microsoft Sentinel or another SIEM to create an alert rule that triggers when any user account's group membership changes (Windows Security Event IDs 4728, 4732, and 4756). Send the notification to both the affected user and their manager so they can confirm the change was authorized.
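The control statement and Example 2 above describe two halves of the same mechanism: collect account-change events, then, at the user's next successful logon, show that user the changes made to their account within the notification window and flag any they did not initiate themselves. The following Python is an added illustration written for this page, not code from NIST, Microsoft, or any product. It uses a constructed, simplified set of Windows Security events (the group-membership event IDs named in Example 2 plus 4724, the standard Windows event for an administrative password reset) and assumes, for readability, that the CN in each `MemberName` distinguished name is the account name; in a real directory the CN is usually the display name and you would resolve it to the sAMAccountName. `NOW` and the sample events are constructed values.

```python
from datetime import datetime, timedelta, timezone

# Windows Security event IDs that record a security-relevant account change.
# 4728/4732/4756 are the group-membership events named in Example 2; 4724 is
# the standard event for a password reset performed by another principal.
CHANGE_EVENTS = {
    4728: "added to security-enabled global group",
    4732: "added to security-enabled local group",
    4756: "added to security-enabled universal group",
    4724: "password reset by another principal",
}

# Constructed sample events (not real log data) in a flattened form of the
# fields Windows writes: SubjectUserName is who made the change; for group
# events TargetUserName is the group and MemberName the DN of the account
# added; for 4724 TargetUserName is the account whose password was reset.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-01T09:12:00Z", "EventID": 4728,
     "SubjectUserName": "helpdesk1", "TargetUserName": "Finance-Admins",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    {"TimeCreated": "2024-05-03T14:30:00Z", "EventID": 4724,
     "SubjectUserName": "helpdesk2", "TargetUserName": "jdoe",
     "MemberName": ""},
    # Self-initiated change, older than a 30-day window.
    {"TimeCreated": "2024-04-02T08:00:00Z", "EventID": 4756,
     "SubjectUserName": "jdoe", "TargetUserName": "Project-X",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    # Change to a different user's account.
    {"TimeCreated": "2024-05-04T10:00:00Z", "EventID": 4732,
     "SubjectUserName": "admin1", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example"},
    # A logon event: not an account change, must be ignored.
    {"TimeCreated": "2024-05-05T11:00:00Z", "EventID": 4624,
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe", "MemberName": ""},
]

# Constructed "current time" representing the moment of the user's logon.
NOW = datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc)


def affected_account(event):
    """Return the account name an event changed, or None if it is not a change event."""
    event_id = event["EventID"]
    if event_id not in CHANGE_EVENTS:
        return None
    if event_id == 4724:
        return event["TargetUserName"]
    # Group events carry the affected account as a DN in MemberName; take its CN
    # (assumed here to equal the account name, see the lead-in).
    for part in event.get("MemberName", "").split(","):
        if part.upper().startswith("CN="):
            return part[3:]
    return None


def changes_for_user(events, user, now=NOW, window_days=30):
    """All changes to `user`'s account within the last `window_days`, oldest first."""
    start = now - timedelta(days=window_days)
    found = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if affected_account(ev) != user:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
        if not (start <= ts <= now):
            continue
        description = CHANGE_EVENTS[ev["EventID"]]
        if ev["EventID"] != 4724:
            description += f" '{ev['TargetUserName']}'"
        found.append({
            "time": ts,
            "event_id": ev["EventID"],
            "description": description,
            "changed_by": ev["SubjectUserName"],
            # The note above says users should report changes they did not
            # initiate, so record whether the subject was the user themselves.
            "self_initiated": ev["SubjectUserName"].lower() == user.lower(),
        })
    return found


def logon_notice(events, user, now=NOW, window_days=30):
    """The text presented to `user` on successful logon, per AC-9(3)."""
    changes = changes_for_user(events, user, now, window_days)
    if not changes:
        return f"No changes to your account in the last {window_days} days."
    lines = [f"Changes to your account in the last {window_days} days:"]
    for c in changes:
        who = "you" if c["self_initiated"] else c["changed_by"]
        lines.append(f"- {c['time']:%Y-%m-%d %H:%M} UTC: {c['description']} "
                     f"(by {who}, event {c['event_id']})")
    if any(not c["self_initiated"] for c in changes):
        lines.append("If you did not request any of these changes, report it immediately.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(logon_notice(SAMPLE_EVENTS, "jdoe"))
```

The window (`window_days`) is the organization-defined time period from the control's second parameter, and `CHANGE_EVENTS` is where the organization-defined set of account characteristics from the first parameter is expressed as the event IDs that record changes to them; a SIEM rule such as the one in Example 2 would feed the same event fields into `changes_for_user`.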