CMMC Level 2

Control 3.5.6

Disable Identifiers After Inactivity


Official Requirement

Disable identifiers after a defined period of inactivity.

What This Means in Plain English

Accounts that have not been used for a defined period (typically 90 days) should be automatically disabled. Dormant accounts are prime targets for attackers because nobody is watching them, so unauthorized use of such an account is unlikely to be noticed.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Active Directory automated account disabling after 90 days of inactivity via scheduled PowerShell script
  • Microsoft Entra sign-in activity monitoring identifying inactive accounts
  • Quarterly access review flagging inactive accounts for manager review and confirmation
  • Automated notifications to managers 14 days before accounts are disabled due to inactivity
  • ComplianceArmor reporting on account activity status across all systems
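The scheduled script in the first bullet could look like the following; this is an added example, not Petronella's own script. It assumes the ActiveDirectory RSAT module, a scheduled task running under a delegated account, and placeholder values for the OU, log path, exemption group and mail settings. It also warns managers 14 days ahead and honours a documented exemption group for service accounts, so an exemption is never silent.

```powershell
# Added example: disable AD accounts inactive longer than $InactiveDays and
# warn managers $WarnDays before the cutoff. All names below are placeholders.
Import-Module ActiveDirectory

$InactiveDays = 90                               # threshold defined in policy
$WarnDays     = 14                               # advance notice to managers
$SearchBase   = "OU=Users,DC=example,DC=com"     # placeholder OU
$LogPath      = "C:\Logs\InactiveAccounts.log"   # placeholder log location
$ExemptGroup  = "SvcAcct-InactivityExempt"       # documented exceptions only

$Now       = Get-Date
$Cutoff    = $Now.AddDays(-$InactiveDays)
$WarnPoint = $Now.AddDays(-($InactiveDays - $WarnDays))

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# about 14 days of lag; a 90-day threshold leaves ample margin. Accounts that
# have never logged on are judged by their creation date instead.
$Exempt = Get-ADGroupMember $ExemptGroup -Recursive |
          Select-Object -ExpandProperty DistinguishedName

$Users = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
                    -Properties LastLogonDate, whenCreated, Manager

foreach ($u in $Users) {
    if ($Exempt -contains $u.DistinguishedName) { continue }
    $LastActivity = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }

    if ($LastActivity -lt $Cutoff) {
        # Past the threshold: disable, record why on the object, and log it.
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description ("Disabled {0:yyyy-MM-dd}: inactive > {1} days (3.5.6)" -f $Now, $InactiveDays)
        Add-Content $LogPath ("{0:s} DISABLED {1} last activity {2:yyyy-MM-dd}" -f $Now, $u.SamAccountName, $LastActivity)
    }
    elseif ($LastActivity -lt $WarnPoint -and $u.Manager) {
        # Inside the warning window: notify the manager before disabling.
        $Mgr = Get-ADUser $u.Manager -Properties mail
        if ($Mgr.mail) {
            Send-MailMessage -To $Mgr.mail -From "iam@example.com" -SmtpServer "smtp.example.com" `
                -Subject "Account $($u.SamAccountName) will be disabled for inactivity" `
                -Body ("Last activity {0:yyyy-MM-dd}; the account will be disabled on {1:yyyy-MM-dd} unless used." -f $LastActivity, $LastActivity.AddDays($InactiveDays))
        }
        Add-Content $LogPath ("{0:s} WARNED {1} manager {2}" -f $Now, $u.SamAccountName, $Mgr.SamAccountName)
    }
}
```

Pilot it with -WhatIf on Disable-ADAccount and compare the log against the quarterly access review before letting the scheduled task disable anything.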

Assessment Guidance

Assessors will review the inactivity period definition, verify that automated disabling is configured and functioning, check for accounts inactive beyond the defined threshold, and review the process for reactivating disabled accounts.

Common Implementation Gaps

  • No automated process to disable inactive accounts
  • Inactive accounts remaining active indefinitely
  • Inactivity period not defined in policy
  • No monitoring of account last-login dates
  • Service accounts exempt from inactivity policies without compensating controls

Cross-Framework Mapping

Framework       | Mapped Controls
NIST SP 800-53  | IA-4(4)
PCI DSS         | Req 8.1.4 - Remove/disable inactive user accounts within 90 days

Need Help Implementing 3.5.6?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.

Schedule a Compliance Assessment