
3.5.6 Identification and Authentication - Derived

Derived Requirement

Control Description

Disable identifiers after a defined period of inactivity.

Discussion

Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address the derived identification and authentication requirements for CUI systems?
  • Who is accountable for implementing and maintaining the derived identification and authentication controls?
  • How frequently are the derived identification and authentication requirements reviewed, and what triggers updates?
  • What process ensures that changes to systems maintain compliance with the derived identification and authentication requirements?
  • How are exceptions to the derived identification and authentication requirements documented and approved?

Technical Implementation:

  • What technical controls enforce the derived identification and authentication requirements in your CUI environment?
  • How are the derived identification and authentication controls configured and maintained across all CUI systems?
  • What automated mechanisms support compliance with the derived identification and authentication requirements?
  • How do you validate that the derived identification and authentication implementations achieve their intended security outcome?
  • What compensating controls exist if the primary controls for the derived identification and authentication requirements cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves that the derived identification and authentication controls are implemented and operating effectively?
  • Can you provide configuration evidence showing how the derived identification and authentication requirements are technically enforced?
  • What audit logs or monitoring data demonstrate ongoing compliance with the derived identification and authentication requirements?
  • Can you show evidence of a recent review or assessment of the derived identification and authentication controls?
  • What artifacts would you provide to a CMMC assessor to demonstrate compliance with the derived identification and authentication requirements?
