Control statement
Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for {{ insert: param, ac-02.03_odp.02 }}.
Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.
(d) Requirement: The service provider defines the time period of inactivity for device identifiers.
Guidance: For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/. Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is
preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-IAM-04 | Just-in-Time Authorization Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services. | Identity and Access Management |
| KSI-IAM-06 | Suspicious Activity Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity | Identity and Access Management |
| KSI-IAM-07 | Automated Account Management Securely manage the lifecycle and privileges of all accounts, roles, and groups, using automation. | Identity and Access Management |