NIST SP 800-171 Rev 2 requirement 3.5.6 (IA.L2-3.5.6 in CMMC) requires organizations to disable identifiers (user accounts, service accounts, and device identifiers) after a defined period of inactivity. The organization first establishes a documented inactivity threshold (e.g., 35 days with no successful authentication) and then enforces it through technical or administrative controls that disable the identifier, rather than merely locking it. Disabling differs from deletion: the account record is retained for audit and investigation, but the identifier can no longer be used to authenticate. The practice applies to every identifier in scope for the CUI environment: privileged accounts, standard user accounts, shared service accounts, and device credentials. Its rationale is attack-surface reduction: an inactive identifier is one that nobody is watching, so a stale identity must not persist as a latent access pathway for an attacker who obtains its credential.
Where it stops · what it isn't
- This practice does not govern the deletion or permanent removal of identifiers, only their disabling after inactivity; deletion is a separate account management action.
- This practice does not define authentication strength requirements or multi-factor authentication mandates; those are addressed under IA.L2-3.5.3.
- This practice does not address session lock or session termination after idle time during an active session; those are covered by AC.L2-3.1.10 (session lock) and AC.L2-3.1.11 (session termination).
- This practice does not apply to system or application identifiers that are active by design and never exhibit user-driven inactivity (e.g., a continuously running automated pipeline service account); such identifiers need documented compensating controls instead.
- This practice does not dictate the specific inactivity period; the organization defines the threshold, though it must be reasonable and documented.
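The following is an added worked example, not text or code from NIST SP 800-171 or from this cubelet, showing how the practice described above can be enforced over a directory export: identifiers whose inactivity meets the organization-defined threshold are disabled (never deleted, so the record stays auditable), identifiers that have never authenticated age from their creation date so they cannot escape the threshold by having no logon record, already-disabled records are left alone, and inherently-active service accounts are skipped only when a compensating control is documented, which is the exemption described in the list above. The `Identifier` record, the `build_sample()` data, the 35-day threshold and the reference date are all constructed assumptions for illustration.

```python
"""Inactivity-based identifier disabling (illustrative; not from NIST or any vendor).

Assumptions (all hypothetical): identifier records come from some directory
export; timestamps are timezone-aware UTC; an 'exempt_reason' is present only
when a compensating control has been documented for an identifier that is
active by design. Disabling sets enabled=False and keeps the record, so
nothing here deletes anything.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass
class Identifier:
    name: str
    kind: str                      # user / privileged / service / device
    created: datetime
    last_auth: Optional[datetime]  # None: never authenticated since creation
    enabled: bool = True
    exempt_reason: Optional[str] = None  # set only when a compensating control is documented


def last_activity(ident: Identifier) -> datetime:
    """An identifier that has never authenticated ages from its creation time,
    so an unused account cannot escape the threshold by having no logon record."""
    return ident.last_auth if ident.last_auth is not None else ident.created


def find_inactive(idents: Iterable[Identifier], now: datetime, threshold_days: int) -> List[Identifier]:
    """Enabled, non-exempt identifiers whose inactivity meets or exceeds the threshold."""
    threshold = timedelta(days=threshold_days)
    stale = []
    for ident in idents:
        if not ident.enabled:
            continue  # already disabled: nothing to do, the record is retained as-is
        if ident.exempt_reason:
            continue  # active-by-design identifier covered by a documented compensating control
        if now - last_activity(ident) >= threshold:
            stale.append(ident)
    return stale


def disable_inactive(idents: List[Identifier], now: datetime, threshold_days: int) -> List[dict]:
    """Disable (never delete) stale identifiers and return one audit entry per action."""
    audit = []
    for ident in find_inactive(idents, now, threshold_days):
        ident.enabled = False
        audit.append({
            "identifier": ident.name,
            "kind": ident.kind,
            "action": "disabled",
            "days_inactive": (now - last_activity(ident)).days,
            "threshold_days": threshold_days,
            "at": now.isoformat(),
        })
    return audit


def build_sample() -> List[Identifier]:
    """Constructed sample directory export (not real data)."""
    utc = timezone.utc
    return [
        Identifier("alice", "user", datetime(2023, 1, 5, tzinfo=utc), datetime(2024, 5, 30, tzinfo=utc)),
        Identifier("bob", "user", datetime(2023, 1, 5, tzinfo=utc), datetime(2024, 3, 1, tzinfo=utc)),
        Identifier("dba-admin", "privileged", datetime(2022, 6, 1, tzinfo=utc), datetime(2024, 4, 1, tzinfo=utc)),
        Identifier("contractor-new", "user", datetime(2024, 5, 20, tzinfo=utc), None),   # new, never used
        Identifier("never-used", "user", datetime(2024, 1, 1, tzinfo=utc), None),        # old, never used
        Identifier("printer-07", "device", datetime(2021, 9, 9, tzinfo=utc), datetime(2024, 2, 1, tzinfo=utc)),
        Identifier("svc-pipeline", "service", datetime(2022, 3, 3, tzinfo=utc), datetime(2023, 12, 1, tzinfo=utc),
                   exempt_reason="continuous automation; credential rotation documented as compensating control"),
        Identifier("carol", "user", datetime(2020, 2, 2, tzinfo=utc), datetime(2023, 8, 8, tzinfo=utc), enabled=False),
    ]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # hypothetical run date
THRESHOLD_DAYS = 35                               # the organization-defined, documented period

if __name__ == "__main__":
    records = build_sample()
    for entry in disable_inactive(records, NOW, THRESHOLD_DAYS):
        print(entry)
    print("records retained:", len(records))
```

Two design points carry over to a real directory. First, the comparison uses "meets or exceeds" so the boundary day is unambiguous; whatever rule is chosen must match the written policy, because an assessor will compare the two. Second, the data source matters: in Active Directory, for example, `Search-ADAccount -AccountInactive -TimeSpan 35.00:00:00` piped to `Disable-ADAccount` does the same job, but it reads `lastLogonTimestamp`, which replicates with a default granularity of about 14 days, so the effective threshold is looser than the number in the command unless the policy accounts for that lag.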
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF domain/identification-and-authentication