AC-2 (02)—Account Management | Automated Temporary and Emergency Account Management

Moderate

High

>Control Description

Automatically ☑remove; disable temporary and emergency accounts after ⚙organization-defined time period for each type of account.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What formal policies and procedures govern the implementation of AC-2(2) (Automated Temporary And Emergency Account Management)?
•Who are the designated roles responsible for implementing, maintaining, and monitoring AC-2(2)?
•How frequently is the AC-2(2) policy reviewed and updated, and what triggers policy changes?
•What training or awareness programs ensure personnel understand their responsibilities related to AC-2(2)?

Technical Implementation:

•Describe the specific technical mechanisms or controls used to enforce AC-2(2) requirements.
•What automated tools, systems, or technologies are deployed to implement AC-2(2)?
•How is AC-2(2) integrated into your system architecture and overall security posture?
•What configuration settings, parameters, or technical specifications enforce AC-2(2) requirements?

Evidence & Documentation:

•What documentation demonstrates the complete implementation of AC-2(2)?
•What audit logs, records, reports, or monitoring data validate AC-2(2) compliance?
•Can you provide evidence of periodic reviews, assessments, or testing of AC-2(2) effectiveness?
•What artifacts would you present during a FedRAMP assessment to demonstrate AC-2(2) compliance?

Ask AI

Configure your API key to use AI features.