AC-2(3) Disable Accounts

MODERATE
HIGH

Control Description

Disable accounts within [Assignment: organization-defined time period] when the accounts:

a. Have expired;
b. Are no longer associated with a user or individual;
c. Are in violation of organizational policy; or
d. Have been inactive for [Assignment: organization-defined time period].

Supplemental Guidance

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.