AC-02 Account Management

Access Control

Baselines: Low, Moderate, High

Description

The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency, at least annually].

Supplemental Guidance

Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization identifies authorized users of the information system and specifies access rights/privileges. The organization grants access to the information system based on: (i) a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all personnel security criteria; and (ii) intended system usage. The organization requires proper identification for requests to establish information system accounts and approves all such requests. The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. Account managers are notified when information system users are terminated or transferred, and the associated accounts are removed, disabled, or otherwise secured. Account managers are also notified when users' information system usage or need-to-know/need-to-share changes.
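The guidance above is a process description; what a practitioner actually runs is a periodic account review that checks each account against the HR feed and the review frequency. The following is an added example (not NIST text and not code from any referenced framework) of such a check over a constructed account inventory. The account kinds follow the control's own categories (individual, group, system) plus guest; the 90-day dormancy threshold and the HR identifier scheme are assumptions, while the 365-day review interval comes from the "at least annually" parameter.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class Account:
    """One entry from a system account inventory (constructed sample schema)."""
    name: str
    kind: str                     # "individual", "group", "system", or "guest"
    owner: Optional[str]          # HR identifier of the responsible person; None for guest
    enabled: bool
    last_login: Optional[date]
    last_reviewed: Optional[date]
    authorized: bool = True       # explicit authorization on record (required for guest accounts)


@dataclass
class Finding:
    account: str
    reason: str
    action: str                   # "disable", "re-authorize", or "review"


REVIEW_INTERVAL = timedelta(days=365)   # from the control parameter: review at least annually
DORMANT_AFTER = timedelta(days=90)      # assumed organizational threshold, not set by the control


def review_accounts(accounts: List[Account], terminated: Set[str],
                    transferred: Set[str], today: date) -> List[Finding]:
    """Apply the AC-2 account-management checks and return the actions to take."""
    findings: List[Finding] = []
    for a in accounts:
        # Terminated owner: disable regardless of anything else about the account.
        if a.enabled and a.owner in terminated:
            findings.append(Finding(a.name, "owner terminated", "disable"))
            continue
        # Transferred owner: need-to-know changed, so the authorization must be re-established.
        if a.enabled and a.owner in transferred:
            findings.append(Finding(a.name, "owner transferred; need-to-know changed", "re-authorize"))
        # Guest/anonymous accounts must be specifically authorized.
        if a.kind == "guest" and a.enabled and not a.authorized:
            findings.append(Finding(a.name, "guest account without explicit authorization", "disable"))
        # Dormant accounts are unnecessary accounts; system accounts are exempt because
        # service identities do not log in interactively (assumption for this example).
        if a.enabled and a.kind != "system" and (
                a.last_login is None or today - a.last_login > DORMANT_AFTER):
            findings.append(Finding(a.name, "dormant account", "disable"))
        # Every account, enabled or not, must have been reviewed within the interval.
        if a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append(Finding(a.name, "review overdue", "review"))
    return findings


# Constructed sample data: account inventory and HR feed (hypothetical identifiers).
TODAY = date(2024, 6, 1)
TERMINATED = {"E200"}
TRANSFERRED = {"E300"}
SAMPLE_ACCOUNTS = [
    Account("alice", "individual", "E100", True, date(2024, 5, 30), date(2024, 1, 10)),
    Account("bob", "individual", "E200", True, date(2024, 5, 20), date(2023, 3, 1)),
    Account("carol", "individual", "E300", True, date(2024, 1, 15), date(2024, 2, 1)),
    Account("svc-backup", "system", "E100", True, None, date(2022, 5, 1)),
    Account("guest", "guest", None, True, date(2024, 5, 31), date(2024, 5, 1), authorized=False),
    Account("dave-old", "individual", "E400", False, date(2022, 1, 1), date(2023, 1, 1)),
]


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, TERMINATED, TRANSFERRED, TODAY):
        print(f"{f.account:12} {f.action:13} {f.reason}")
```

In the sample run, alice produces no finding, bob is disabled because E200 is terminated, carol needs re-authorization after transfer and is also dormant, svc-backup and the disabled dave-old account are flagged only for an overdue review, and the unauthorized guest account is disabled. A real review would take the inventory from the identity provider and the terminated/transferred sets from the HR system, which is the alignment with personnel termination and transfer processes that the Rev 5 change list calls for.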

Changes from Rev 4

- Removes the parameter for system account types
- Adds a prerequisite and criteria parameter for group and role membership
- Adds an access authorizations parameter for attributes (as required) for each account
- Adds parameters to notify account managers and organization-defined personnel or roles within a time period when accounts are no longer required; when users are terminated or transferred; and when system usage or need-to-know changes for an individual
- Adds control text with a new parameter requiring that access to the system be authorized based on a valid access authorization, intended system usage, and attributes (as required)
- Adds control text requiring alignment of account management processes with personnel termination and transfer processes
- Incorporates withdrawn control AC-2(10)

Enhancements


Compliance Mappings

ISO 27002:2022

5.15, 5.16, 5.18

SOC 2 TSC

CC6.1, CC6.6, CC6.6-POF2, PI1.2-POF1, PI1.2-POF2, PI1.2-POF3

ISO 17799 (legacy)

6.2.2, 6.2.3, 8.3.3, 11.2.1, 11.2.2, 11.2.4, 11.7.2

COBIT 4.1 (legacy)

DS5.4