
03.01.01 Account Management

What this control requires

(a) Define the types of system accounts allowed and prohibited.
(b) Create, enable, modify, disable, and remove system accounts in accordance with policy, procedures, prerequisites, and criteria.
(c) Specify:
(d) Authorize access to the system based on:
(e) Monitor the use of system accounts.
(f) Disable system accounts when:
(g) Notify account managers and designated personnel or roles within:
(h) Require that users log out of the system after {{ insert: param, A.03.01.01.ODP.05 }} of expected inactivity or when {{ insert: param, A.03.01.01.ODP.06 }}.

Source: NIST SP 800-171 R3 §03.01.01 (official control text).

Why this matters

Account management is the foundation of access control: every user, service, and automated process that touches a system does so through an account. Without a disciplined account lifecycle, organizations accumulate orphaned accounts left behind by departed employees, over-privileged service accounts that attackers exploit, and shared credentials that destroy the audit trail because no action can be tied to one person. This control is meant to give you an accurate answer to who has access, why they have it, and when that access should end, which in turn limits insider threats, credential theft, and the lateral movement attackers gain from forgotten or misconfigured accounts. Requiring you to define which account types are allowed and which are prohibited forces a deliberate risk decision: guest accounts, anonymous access, and shared credentials each carry specific threats that must be explicitly accepted or rejected rather than allowed by default.
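As an added illustration of the lifecycle checks this control asks for in (a), (e) and (f), and not code from this page or from FORCE, the following Python script audits a constructed account export against an assumed policy: guest, shared and anonymous account types are prohibited; an account whose owner is no longer active is treated as orphaned; and 90 days of inactivity (a stand-in for the organization-defined parameter, which the page does not state) triggers a "disable" action. The column names, the sample rows, the 90-day limit, the prohibited-type list and the fixed "today" date are all assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample account export (not taken from any real system).
# Columns are assumed: username, account_type, owner_status, last_login, enabled.
SAMPLE_EXPORT = """\
username,account_type,owner_status,last_login,enabled
alice,user,active,2024-05-20T09:12:00Z,true
bob,user,terminated,2024-02-01T17:45:00Z,true
svc-backup,service,active,2024-05-29T02:00:00Z,true
guest,guest,active,2023-11-03T12:00:00Z,true
ops-shared,shared,active,2024-05-28T08:30:00Z,true
carol,user,active,2023-12-15T10:00:00Z,true
dave,user,active,,true
erin,user,active,2023-10-01T10:00:00Z,false
"""

# Assumed policy values; an organization sets these in its own account policy.
PROHIBITED_TYPES = {"guest", "shared", "anonymous"}
INACTIVITY_LIMIT = timedelta(days=90)
# Fixed "today" so the example is reproducible offline (constructed value).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_export(text):
    """Parse the CSV export into dicts with typed last_login and enabled fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        # Empty last_login means the account has never been used.
        row["last_login"] = (
            datetime.fromisoformat(last.replace("Z", "+00:00")) if last else None
        )
        row["enabled"] = row["enabled"].strip().lower() == "true"
        rows.append(row)
    return rows


def audit_accounts(rows, now, inactivity_limit=INACTIVITY_LIMIT,
                   prohibited=PROHIBITED_TYPES):
    """Return {username: [reason, ...]} for each enabled account that violates policy.

    Disabled accounts are skipped: the control is about acting on live access,
    and an already-disabled account needs no further lifecycle action here.
    """
    findings = {}
    for row in rows:
        if not row["enabled"]:
            continue
        reasons = []
        if row["account_type"] in prohibited:
            reasons.append("prohibited account type: " + row["account_type"])
        if row["owner_status"] != "active":
            reasons.append("owner no longer active (orphaned)")
        last = row["last_login"]
        if last is None:
            reasons.append("never logged in")
        elif now - last > inactivity_limit:
            reasons.append(f"inactive for {(now - last).days} days")
        if reasons:
            findings[row["username"]] = reasons
    return findings


def to_evidence_csv(findings):
    """Render findings as a CSV that can be kept as an assessment artifact."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["username", "action", "reasons"])
    for name in sorted(findings):
        writer.writerow([name, "disable", "; ".join(findings[name])])
    return buf.getvalue()


def run_sample():
    """Audit the constructed export against the assumed policy as of NOW."""
    return audit_accounts(parse_export(SAMPLE_EXPORT), NOW)


if __name__ == "__main__":
    print(to_evidence_csv(run_sample()))
```

Running it flags bob (orphaned and inactive), guest and ops-shared (prohibited types), carol (inactive) and dave (never used), while alice and svc-backup pass and the already-disabled erin is ignored. In practice the export would come from your directory or IAM system and the thresholds from your written policy; the point of keeping the policy values as named constants is that the same script then doubles as the configuration export an assessor asks for.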

What evidence assessors expect

Assessors typically look for artifacts such as PDFs (the account management policy and procedures), CSV exports (the account inventory), screenshots, and configuration exports. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on 03.01.01.

FORCE shows where you stand on this control and walks you through closing it.
