AC-2 Account Management

Family AC
Baselines moderate
Mapped KSIs 5

Control statement

    a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
    b. Assign account managers;
    c. Require {{ insert: param, ac-02_odp.01 }} for group and role membership;
    d. Specify:
        1. Authorized users of the system;
        2. Group and role membership; and
        3. Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;
    e. Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;
    f. Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};
    g. Monitor the use of accounts;
    h. Notify account managers and {{ insert: param, ac-02_odp.05 }} within:
        1. {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;
        2. {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and
        3. {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;
    i. Authorize access to the system based on:
        1. A valid access authorization;
        2. Intended system usage; and
        3. {{ insert: param, ac-02_odp.09 }};
    j. Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};
    k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
    l. Align account management processes with personnel termination and transfer processes.

Parameter placeholders of the form {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. The full parameter map is preserved in the catalog database.
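Items a, b, f, h, j and l above describe a recurring reconciliation between the system's account inventory and the organization's personnel records. The following script is an added illustration of such a review, not FedRAMP's own tooling or a reference implementation: the account inventory, the HR event feed and the policy values are all constructed, and the 24-hour termination window and 90-day dormancy threshold are assumed stand-ins for the organization-defined parameters (ac-02_odp.07 and ac-02_odp.10), not FedRAMP-set values.

```python
"""Illustrative AC-2 account review (added example; all data and policy values are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    account_id: str
    kind: str                 # constructed categories: "user", "service", "shared", "guest"
    owner: str                # person or team responsible for the account
    manager: Optional[str]    # assigned account manager (AC-2 b); None means unassigned
    roles: Set[str]           # group/role membership (AC-2 d.2)
    last_used: datetime       # from account usage monitoring (AC-2 g)
    enabled: bool = True


@dataclass
class Policy:
    allowed_kinds: Set[str]          # AC-2 a: everything else is prohibited
    termination_window: timedelta    # assumed stand-in for ac-02_odp.07
    dormancy_limit: timedelta        # assumed review threshold for AC-2 j (ac-02_odp.10)
    privileged_roles: Set[str]       # roles that warrant re-authorization on transfer


Finding = Tuple[str, str, str]  # (account_id, finding code, detail)


def review_accounts(accounts: List[Account], hr_events: List[Dict],
                    policy: Policy, now: datetime) -> List[Finding]:
    """Compare the account inventory against HR events and return findings."""
    terminated = {e["user"]: e["when"] for e in hr_events if e["event"] == "terminated"}
    transferred = {e["user"] for e in hr_events if e["event"] == "transferred"}
    findings: List[Finding] = []
    for acct in accounts:
        # AC-2 a: account type must be one the system explicitly allows.
        if acct.kind not in policy.allowed_kinds:
            findings.append((acct.account_id, "PROHIBITED_TYPE", acct.kind))
        # AC-2 b: every account needs an assigned account manager.
        if acct.manager is None:
            findings.append((acct.account_id, "NO_MANAGER", "assign an account manager"))
        # AC-2 h.2 / l: terminated owner, account still enabled; flag if past the window.
        if acct.enabled and acct.owner in terminated:
            age = now - terminated[acct.owner]
            code = "TERMINATED_OVERDUE" if age > policy.termination_window else "TERMINATED_PENDING"
            findings.append((acct.account_id, code, f"terminated {age} ago"))
        # AC-2 h.3 / i: transferred owner with privileged roles needs re-authorization.
        if acct.enabled and acct.owner in transferred and acct.roles & policy.privileged_roles:
            findings.append((acct.account_id, "TRANSFER_PRIV_REVIEW",
                             ", ".join(sorted(acct.roles & policy.privileged_roles))))
        # AC-2 h.1 / j: enabled but unused beyond the dormancy threshold.
        if acct.enabled and now - acct.last_used > policy.dormancy_limit:
            findings.append((acct.account_id, "DORMANT", f"last used {acct.last_used.date()}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the review over a constructed inventory and HR feed."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed review time
    policy = Policy(allowed_kinds={"user", "service", "shared"},
                    termination_window=timedelta(hours=24),   # assumed value
                    dormancy_limit=timedelta(days=90),        # assumed value
                    privileged_roles={"admin"})
    accounts = [  # constructed inventory
        Account("alice", "user", "alice", "iam-team", {"developer"}, now - timedelta(days=1)),
        Account("bob", "user", "bob", "iam-team", {"admin"}, now - timedelta(days=3)),
        Account("carol", "user", "carol", "iam-team", {"admin"}, now - timedelta(days=1)),
        Account("svc-backup", "service", "platform", None, {"backup"}, now - timedelta(days=120)),
        Account("guest-demo", "guest", "sales", "sales-lead", set(), now - timedelta(days=1)),
    ]
    hr_events = [  # constructed HR feed
        {"user": "bob", "event": "terminated", "when": now - timedelta(days=2)},
        {"user": "carol", "event": "transferred", "when": now - timedelta(days=1)},
    ]
    return review_accounts(accounts, hr_events, policy, now)


if __name__ == "__main__":
    for account_id, code, detail in run_sample():
        print(f"{account_id:<12} {code:<22} {detail}")
```

In practice the inventory comes from the identity provider's API and the HR events from the personnel system; the point of the check is that every finding maps back to a specific AC-2 item, so reviewers can show which requirement a disabled or re-authorized account satisfies.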

Covered by these Key Security Indicators

KSI | Title | Category
KSI-IAM-01 | Phishing-Resistant MFA | Identity and Access Management
    Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication.
KSI-IAM-02 | Passwordless Authentication | Identity and Access Management
    Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA.
KSI-IAM-03 | Non-User Accounts | Identity and Access Management
    Enforce appropriately secure authentication methods for non-user accounts and services.
KSI-IAM-04 | Just-in-Time Authorization | Identity and Access Management
    Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services.
KSI-IAM-06 | Suspicious Activity | Identity and Access Management
    Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity.