
STIGhub


CCI-000795

Definition

The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.

Parent Control

IA-4: Identifier Management (Identification and Authentication)

Linked STIG Checks (42)

  • V-279055, CAT I: ColdFusion must be using an enterprise solution for authentication. (Adobe ColdFusion Security Technical Implementation Guide)
  • V-222535, CAT II: The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. (Application Security and Development Security Technical Implementation Guide)
  • V-237322, CAT I: The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. (ArcGIS for Server 10.3 Security Technical Implementation Guide)
  • V-272627, CAT III: CylanceON-PREM must be configured to use a third-party identity provider. (Arctic Wolf CylanceON-PREM Security Technical Implementation Guide)
  • V-256842, CAT II: Compliance Guardian must provide automated mechanisms for supporting account management functions. (AvePoint Compliance Guardian Security Technical Implementation Guide)
  • V-219326, CAT II: The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide)
  • V-238330, CAT II: The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide)
  • V-260547, CAT II: Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide)
  • V-269384, CAT II: AlmaLinux OS 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide)
  • V-270910, CAT II: Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes. (Dragos Platform 2.x Security Technical Implementation Guide)
  • V-230166, CAT II: The HP FlexFabric Switch must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (HP FlexFabric Switch NDM Security Technical Implementation Guide)
  • V-252579, CAT II: IBM Aspera Faspex must disable account identifiers after 35 days of inactivity. (IBM Aspera Platform 4.2 Security Technical Implementation Guide)
  • V-255800, CAT II: The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (IBM MQ Appliance V9.0 AS Security Technical Implementation Guide)
  • V-237919, CAT II: The IBM z/VM Security Manager must provide a procedure to disable userIDs after 35 days of inactivity. (IBM zVM Using CA VM:Secure Security Technical Implementation Guide)
  • V-213529, CAT II: JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy. (JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide)
  • V-220711, CAT III: Unused accounts must be disabled or removed from the system after 35 days of inactivity. (Microsoft Windows 10 Security Technical Implementation Guide)
  • V-253268, CAT III: Unused accounts must be disabled or removed from the system after 35 days of inactivity. (Microsoft Windows 11 Security Technical Implementation Guide)
  • V-224837, CAT II: Outdated or unused accounts must be removed from the system or disabled. (Microsoft Windows Server 2016 Security Technical Implementation Guide)
  • V-205707, CAT II: Windows Server 2019 outdated or unused accounts must be removed or disabled. (Microsoft Windows Server 2019 Security Technical Implementation Guide)
  • V-254256, CAT II: Windows Server 2022 outdated or unused accounts must be removed or disabled. (Microsoft Windows Server 2022 Security Technical Implementation Guide)
  • V-254207, CAT III: Nutanix AOS must be configured to disable user accounts after the password expires. (Nutanix AOS 5.20.x OS Security Technical Implementation Guide)
  • V-273188, CAT II: Okta must automatically disable accounts after a 35-day period of account inactivity. (Okta Identity as a Service (IDaaS) Security Technical Implementation Guide)
  • V-221689, CAT II: The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. (Oracle Linux 7 Security Technical Implementation Guide)
  • V-248703, CAT II: The OL 8 system-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity. (Oracle Linux 8 Security Technical Implementation Guide)
  • V-248704, CAT II: The OL 8 password-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity. (Oracle Linux 8 Security Technical Implementation Guide)
  • V-253523, CAT II: Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible. (Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide)
  • V-252843, CAT I: Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. (Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide)
  • V-204426, CAT II: The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. (Red Hat Enterprise Linux 7 Security Technical Implementation Guide)
  • V-230373, CAT II: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. (Red Hat Enterprise Linux 8 Security Technical Implementation Guide)
  • V-258049, CAT II: RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (Red Hat Enterprise Linux 9 Security Technical Implementation Guide)
  • V-257543, CAT I: OpenShift must use FIPS validated LDAP or OpenIDConnect. (Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide)
  • V-261360, CAT II: SLEM 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration. (SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide)
  • V-217136, CAT II: The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration. (SUSE Linux Enterprise Server 12 Security Technical Implementation Guide)
  • V-216344, CAT II: User accounts must be locked after 35 days of inactivity. (Solaris 11 SPARC Security Technical Implementation Guide)
  • V-216109, CAT II: User accounts must be locked after 35 days of inactivity. (Solaris 11 X86 Security Technical Implementation Guide)
  • V-252953, CAT II: TOSS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide)
  • V-240461, CAT II: The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration. (VMware vRealize Automation 7.x SLES Security Technical Implementation Guide)
  • V-239555, CAT II: The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration. (VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide)
  • V-256511, CAT II: The Photon operating system must disable new accounts immediately upon password expiration. (VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide)
  • V-256323, CAT II: The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. (VMware vSphere 7.0 vCenter Security Technical Implementation Guide)
  • V-258909, CAT II: The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. (VMware vSphere 8.0 vCenter Security Technical Implementation Guide)
  • V-93457, CAT II: Windows Server 2019 outdated or unused accounts must be removed or disabled. (Windows Server 2019 Security Technical Implementation Guide)