bigforceone

IA.L2-3.5.6 Disable identifiers after a defined period of inactivity.

What this control requires

Disable identifiers after a defined period of inactivity.

Source: CMMC L2 v2.13 IA.L2-3.5.6 / NIST SP 800-171 R2 3.5.6 (official control text).

Why this matters

Dormant user accounts are an attacker's dream — forgotten credentials that still work, with no one monitoring them for suspicious activity. When employees leave, switch roles, or simply stop using certain systems, their identifiers remain active and exploitable. Adversaries scan for these orphaned accounts because they offer persistent access with minimal detection risk. By automatically disabling identifiers after a defined period of inactivity, the organization shrinks its attack surface and forces authentication pathways to remain current and monitored. This control directly reduces credential-based compromise and lateral movement risk.

What evidence assessors expect

Assessors typically look for: policy document, screenshot, CSV export, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
