03.01.01: Account Management

Control Family: Access Control

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-46 [14]

  • SP 800-57-1 [15]

  • SP 800-57-2 [16]

  • SP 800-57-3 [17]

  • SP 800-77 [18]

  • SP 800-113 [19]

  • SP 800-114 [20]

  • SP 800-121 [21]

  • SP 800-162 [22]

  • SP 800-178 [23]

  • SP 800-192 [24]

  • IR 7874 [25]

  • IR 7966 [26]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.01.01

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • AC-02

  • AC-02(03)

  • AC-02(05)

  • AC-02(13)

a. Define the types of system accounts allowed and prohibited.

b. Create, enable, modify, disable, and remove system accounts in accordance with policy, procedures, prerequisites, and criteria.

c. Specify:

1. Authorized users of the system,

2. Group and role membership, and

3. Access authorizations (i.e., privileges) for each account.

d. Authorize access to the system based on:

1. A valid access authorization and

2. Intended system usage.

e. Monitor the use of system accounts.

f. Disable system accounts when:

1. The accounts have expired,

2. The accounts have been inactive for [Assignment: organization-defined time period],

3. The accounts are no longer associated with a user or individual,

4. The accounts are in violation of organizational policy, or

5. Significant risks associated with individuals are discovered.

g. Notify account managers and designated personnel or roles within:

1. [Assignment: organization-defined time period] when accounts are no longer required.

2. [Assignment: organization-defined time period] when users are terminated or transferred.

3. [Assignment: organization-defined time period] when system usage or the need-to-know changes for an individual.

h. Require that users log out of the system after [Assignment: organization-defined time period] of expected inactivity or when [Assignment: organization-defined circumstances].
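Requirements e. through g. are usually met with a scheduled account review that checks every enabled account against the f.1 to f.5 disabling criteria and records what it disabled. The script below is an added example written for this page, not NIST text or an official tool; the inactivity period (ODP[01]), the allowed account types, the sample account records and the high-risk list are all constructed for illustration and would in practice come from the system security plan, the directory service, and HR/legal coordination.

```python
"""Periodic account review against 03.01.01 f.1-f.5.

Added example, not NIST text or an official tool. The ODP values, allowed
account types, account records and the high-risk list are constructed for
illustration; in practice they come from the system security plan, the
directory service, and HR/legal coordination.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Organization-defined parameters (assumed values for this example).
INACTIVITY_DAYS = 90                                              # A.03.01.01.ODP[01]
ALLOWED_TYPES = frozenset({"individual", "service", "developer"})  # a.: all other types prohibited


@dataclass
class Account:
    name: str
    acct_type: str
    owner: Optional[str]        # individual responsible for the account; None = orphaned (f.3)
    created: date
    expires: Optional[date]     # None = no expiry set
    last_login: Optional[date]  # None = never used since creation
    enabled: bool = True


def disable_reasons(acct: Account, today: date, high_risk: FrozenSet[str] = frozenset(),
                    inactivity_days: int = INACTIVITY_DAYS,
                    allowed_types: FrozenSet[str] = ALLOWED_TYPES) -> List[str]:
    """Return the f. clauses under which this account must be disabled (empty if none)."""
    reasons = []
    if acct.expires is not None and acct.expires < today:
        reasons.append("f.1 expired")
    # An account that has never logged in is idle since creation, not exempt.
    idle_since = acct.last_login if acct.last_login is not None else acct.created
    if (today - idle_since).days > inactivity_days:
        reasons.append(f"f.2 inactive > {inactivity_days} days")
    if acct.owner is None:
        reasons.append("f.3 no associated individual")
    if acct.acct_type not in allowed_types:
        reasons.append(f"f.4 prohibited account type '{acct.acct_type}'")
    if acct.owner is not None and acct.owner in high_risk:
        reasons.append("f.5 individual flagged as significant risk")
    return reasons


def review_accounts(accounts: List[Account], today: date,
                    high_risk: FrozenSet[str] = frozenset(), **kw) -> Dict[str, List[str]]:
    """Map every enabled account that must be disabled to its reasons."""
    findings = {}
    for acct in accounts:
        if acct.enabled:
            reasons = disable_reasons(acct, today, high_risk, **kw)
            if reasons:
                findings[acct.name] = reasons
    return findings


def apply_disables(accounts: List[Account], findings: Dict[str, List[str]], today: date) -> List[str]:
    """Disable the flagged accounts and return one evidence line per account
    (the 'system-generated list of disabled accounts' an assessor examines)."""
    by_name = {a.name: a for a in accounts}
    evidence = []
    for name in sorted(findings):
        by_name[name].enabled = False
        evidence.append(f"{today.isoformat()} DISABLED {name} owner={by_name[name].owner} "
                        f"reasons={'; '.join(findings[name])}")
    return evidence


# Constructed sample directory; none of these are real accounts.
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "individual", "Alice Adams", date(2023, 1, 10), None, date(2024, 6, 28)),
    Account("bob", "individual", "Bob Brown", date(2023, 1, 10), None, date(2024, 2, 1)),
    Account("svc-backup", "service", "Carol Cole", date(2022, 5, 1), None, date(2024, 6, 29)),
    Account("contractor7", "individual", "Dan Diaz", date(2024, 1, 1), date(2024, 5, 31), date(2024, 5, 20)),
    Account("intern-old", "individual", None, date(2023, 9, 1), None, date(2024, 6, 1)),
    Account("guest", "guest", "Erin Evans", date(2024, 6, 1), None, None),
    Account("eve", "individual", "Eve Ellis", date(2023, 3, 3), None, date(2024, 6, 29)),
]
HIGH_RISK = frozenset({"Eve Ellis"})  # constructed: result of HR/legal coordination

if __name__ == "__main__":
    found = review_accounts(SAMPLE_ACCOUNTS, TODAY, HIGH_RISK)
    for line in apply_disables(SAMPLE_ACCOUNTS, found, TODAY):
        print(line)
```

Two design points matter for an assessment. First, the inactivity check measures from creation when an account has never logged in, so provisioned-but-unused accounts are caught rather than exempted. Second, the evidence lines are emitted by the same code that disables the account, which gives the assessor the dated, system-generated list of disabled accounts with the associated individual and the clause that triggered it; retaining that output is what turns a script into evidence for f. and e.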

Discussion:

This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations other than those determined by account type (e.g., privileged access, non-privileged access) are addressed in 03.01.02. System account types include individual, group, temporary, system, guest, anonymous, emergency, developer, and service. Users who require administrative privileges on system accounts receive additional scrutiny by personnel responsible for approving such accounts and privileged access. Types of accounts that organizations may prohibit due to increased risk include group, emergency, guest, anonymous, and temporary.

Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both. Other attributes required for authorizing access include restrictions on the time of day, day of the week, and point of origin. When defining other system account attributes, organizations consider system requirements (e.g., system upgrades, scheduled maintenance) and mission and business requirements (e.g., time zone differences, remote access to facilitate travel requirements).
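The attributes listed above (time of day, day of week, point of origin) only work as authorization inputs if the system evaluates them consistently, and the time zone note is the usual trap: a window defined in the organization's local time must be checked in that zone, not in whatever zone the timestamp arrived in. The following is an added example, not NIST text or any product's implementation, showing one way to combine a valid access authorization (d.1), intended usage (d.2) and these attributes into a single decision; the policy zone, access window, networks and account names are constructed assumptions.

```python
"""Authorization decision from account attributes (03.01.01 d. and the
time-of-day, day-of-week and point-of-origin attributes in the Discussion).

Added example, not NIST text. Policy values, account names, addresses and the
time zone are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Zone in which the access window is defined. zoneinfo gives DST-correct
# conversion; the fixed-offset fallback only covers hosts without a tz database.
try:
    from zoneinfo import ZoneInfo
    POLICY_TZ: tzinfo = ZoneInfo("America/New_York")
except Exception:  # no tzdata available
    POLICY_TZ = timezone(timedelta(hours=-4), "EDT")


@dataclass(frozen=True)
class AccessRestrictions:
    days: FrozenSet[int]        # ISO weekdays permitted (1 = Mon ... 7 = Sun)
    start: time                 # window start, inclusive, in POLICY_TZ
    end: time                   # window end, exclusive, in POLICY_TZ
    origins: Tuple[str, ...]    # CIDR networks the session may originate from


@dataclass(frozen=True)
class AccountAuthorization:
    name: str
    authorized: bool                # d.1: a valid access authorization exists
    intended_use: FrozenSet[str]    # d.2: purposes the account is approved for
    restrictions: Optional[AccessRestrictions] = None


def authorize(acct: AccountAuthorization, purpose: str, when: datetime,
              source_ip: str) -> Tuple[bool, str]:
    """Decide whether `acct` may use the system for `purpose` at `when` from `source_ip`.

    `when` must be timezone-aware: a naive timestamp cannot be placed in the
    policy window, so it is rejected rather than guessed at.
    """
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("naive datetime; supply a timezone-aware timestamp")
    if not acct.authorized:
        return False, "no valid access authorization"
    if purpose not in acct.intended_use:
        return False, f"use '{purpose}' is outside intended system usage"
    r = acct.restrictions
    if r is None:
        return True, "authorized (no attribute restrictions)"
    local = when.astimezone(POLICY_TZ)     # evaluate day and time in the policy zone
    if local.isoweekday() not in r.days:
        return False, f"day {local:%a} not permitted"
    if not (r.start <= local.time() < r.end):
        return False, f"time {local:%H:%M %Z} outside permitted window"
    addr = ip_address(source_ip)
    if not any(addr in ip_network(net) for net in r.origins):
        return False, f"origin {source_ip} not permitted"
    return True, "authorized"


def utc_dt(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Build a UTC timestamp, as a log or session broker would supply it."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample authorizations.
BUSINESS_HOURS = AccessRestrictions(
    days=frozenset({1, 2, 3, 4, 5}), start=time(7, 0), end=time(19, 0),
    origins=("10.20.0.0/16", "203.0.113.0/24"))
ACCOUNTS = {
    "alice": AccountAuthorization("alice", True, frozenset({"cui-processing"}), BUSINESS_HOURS),
    "svc-backup": AccountAuthorization("svc-backup", True, frozenset({"backup"})),
    "ex-contractor": AccountAuthorization("ex-contractor", False, frozenset({"cui-processing"})),
}


def decide(name: str, purpose: str, when: datetime, source_ip: str) -> Tuple[bool, str]:
    """Look up an account by name and authorize it; unknown accounts are denied."""
    acct = ACCOUNTS.get(name)
    if acct is None:
        return False, "unknown account"
    return authorize(acct, purpose, when, source_ip)


if __name__ == "__main__":
    # 02:00 UTC on Monday 24 June 2024 is still Sunday evening in the policy zone.
    for args in [("alice", "cui-processing", utc_dt(2024, 6, 24, 14), "10.20.5.7"),
                 ("alice", "cui-processing", utc_dt(2024, 6, 24, 2), "10.20.5.7"),
                 ("alice", "backup", utc_dt(2024, 6, 24, 14), "10.20.5.7"),
                 ("svc-backup", "backup", utc_dt(2024, 6, 29, 3), "10.20.9.9"),
                 ("ex-contractor", "cui-processing", utc_dt(2024, 6, 24, 14), "10.20.5.7")]:
        print(args[0], decide(*args))
```

The order of checks is deliberate: authorization and intended usage are tested before any attribute, so a revoked account is denied regardless of when or where it connects, and a service account with no attribute restrictions is still confined to its approved purpose. The second sample request shows why the zone conversion matters: 02:00 UTC on a Monday converts to Sunday 22:00 in the policy zone and is refused on the day-of-week rule, whereas a check run against the UTC weekday would have passed that rule.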

Users who pose a significant security risk include individuals for whom reliable evidence indicates either the intention to use authorized access to the system to cause harm or that adversaries will cause harm through them. Close coordination among mission and business owners, system administrators, human resource managers, and legal staff is essential when disabling system accounts for high-risk individuals. Time periods for the notification of organizational personnel or roles may vary.

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by 03.01.10.

Assessment Methods and Objectives

Examine [SELECT FROM: access control policy and procedures; personnel termination or transfer policies and procedures; procedures for account management; list of active system accounts and the name of the individual associated with each account; system design documentation; list of conditions for group and role membership; system configuration settings; notifications of recent transfers, separations, or terminations of employees; list of recently disabled system accounts and the name of the individual associated with each account; list of user activities that pose significant organizational risks; access authorization records; account management compliance reviews; system monitoring and audit records; system security plan; system-generated list of accounts removed; system-generated list of emergency accounts disabled; system-generated list of disabled accounts; other relevant documents and records]

Interview [SELECT FROM: personnel with account management responsibilities; system administrators; personnel with information security responsibilities; system developers]

Test [SELECT FROM: processes for account management on the system; mechanisms for implementing account management]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.01.01.ODP[01]: the time period for account inactivity before disabling is defined.

A.03.01.01.ODP[02]: the time period within which to notify account managers and designated personnel or roles when accounts are no longer required is defined.

A.03.01.01.ODP[03]: the time period within which to notify account managers and designated personnel or roles when users are terminated or transferred is defined.

A.03.01.01.ODP[04]: the time period within which to notify account managers and designated personnel or roles when system usage or the need-to-know changes for an individual is defined.

A.03.01.01.ODP[05]: the time period of expected inactivity requiring users to log out of the system is defined.

A.03.01.01.ODP[06]: circumstances requiring users to log out of the system are defined.

A.03.01.01.a[01]: system account types allowed are defined.

A.03.01.01.a[02]: system account types prohibited are defined.

A.03.01.01.b[01]: system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria.

A.03.01.01.b[02]: system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria.

A.03.01.01.b[03]: system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria.

A.03.01.01.b[04]: system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria.

A.03.01.01.b[05]: system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria.

A.03.01.01.c.01: authorized users of the system are specified.

A.03.01.01.c.02: group and role memberships are specified.

A.03.01.01.c.03: access authorizations (i.e., privileges) for each account are specified.

A.03.01.01.d.01: access to the system is authorized based on a valid access authorization.

A.03.01.01.d.02: access to the system is authorized based on intended system usage.

A.03.01.01.e: the use of system accounts is monitored.

A.03.01.01.f.01: system accounts are disabled when the accounts have expired.

A.03.01.01.f.02: system accounts are disabled when the accounts have been inactive for <A.03.01.01.ODP[01]: time period>.

A.03.01.01.f.03: system accounts are disabled when the accounts are no longer associated with a user or individual.

A.03.01.01.f.04: system accounts are disabled when the accounts violate organizational policy.

A.03.01.01.f.05: system accounts are disabled when significant risks associated with individuals are discovered.

A.03.01.01.g.01: account managers and designated personnel or roles are notified within <A.03.01.01.ODP[02]: time period> when accounts are no longer required.

A.03.01.01.g.02: account managers and designated personnel or roles are notified within <A.03.01.01.ODP[03]: time period> when users are terminated or transferred.

A.03.01.01.g.03: account managers and designated personnel or roles are notified within <A.03.01.01.ODP[04]: time period> when system usage or the need-to-know changes for an individual.

A.03.01.01.h: users are required to log out of the system after <A.03.01.01.ODP[05]: time period> of expected inactivity or when the following circumstances occur: <A.03.01.01.ODP[06]: circumstances>.