STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-003627

Definition

Disable accounts when the accounts have expired.

Parent Control

AC-2 (3): Account Management (Access Control family)

Linked STIG Checks (63)

Each entry gives the STIG check ID, its severity category, the check title, and the STIG or SRG it belongs to.

  • V-263527 (CAT II): AAA Services must be configured to disable accounts when the accounts have expired. [AAA Services Security Requirements Guide]
  • V-274149 (CAT II): Amazon Linux 2023 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Amazon Linux 2023 Security Technical Implementation Guide]
  • V-268174 (CAT II): NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Anduril NixOS Security Technical Implementation Guide]
  • V-259552 (CAT II): The macOS system must disable accounts after 35 days of inactivity. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-268549 (CAT II): The macOS system must disable accounts after 35 days of inactivity. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-277157 (CAT II): The macOS system must disable accounts after 35 days of inactivity. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-222535 (CAT II): The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. [Application Security and Development Security Technical Implementation Guide]
  • V-204750 (CAT II): The application server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Application Server Security Requirements Guide]
  • V-272627 (CAT III): CylanceON-PREM must be configured to use a third-party identity provider. [Arctic Wolf CylanceON-PREM Security Technical Implementation Guide]
  • V-276012 (CAT I): Ax-OS must have no local accounts for the user interface. [Axonius Federal Systems Ax-OS Security Technical Implementation Guide]
  • V-238330 (CAT II): The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide]
  • V-260547 (CAT II): Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide]
  • V-270683 (CAT II): Ubuntu 24.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide]
  • V-206466 (CAT II): The Central Log Server must disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity. [Central Log Server Security Requirements Guide]
  • V-242633 (CAT II): The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access. [Cisco ISE NDM Security Technical Implementation Guide]
  • V-233087 (CAT II): The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Container Platform Security Requirements Guide]
  • V-263602 (CAT II): The DBMS must disable accounts when the accounts have expired. [Database Security Requirements Guide]
  • V-263623 (CAT II): The DNS server implementation must disable accounts when the accounts have expired. [Domain Name System (DNS) Security Requirements Guide]
  • V-230952 (CAT II): Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. [Forescout Network Device Management Security Technical Implementation Guide]
  • V-203648 (CAT II): The operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [General Purpose Operating System Security Requirements Guide]
  • V-223498 (CAT II): CA-ACF2 userids found inactive for more than 35 days must be suspended. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223584 (CAT II): ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223723 (CAT II): The IBM RACF INACTIVE SETROPTS value must be set to 35 days. [IBM z/OS RACF Security Technical Implementation Guide]
  • V-223953 (CAT II): CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days. [IBM z/OS TSS Security Technical Implementation Guide]
  • V-223954 (CAT II): The CA-TSS INACTIVE Control Option must be properly set. [IBM z/OS TSS Security Technical Implementation Guide]
  • V-258600 (CAT I): The ICS must be configured to prevent nonprivileged users from executing privileged functions. [Ivanti Connect Secure NDM Security Technical Implementation Guide]
  • V-253941 (CAT I): The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. [Juniper EX Series Switches Network Device Management Security Technical Implementation Guide]
  • V-223206 (CAT II): The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. [Juniper SRX Services Gateway NDM Security Technical Implementation Guide]
  • V-263669 (CAT II): The Mainframe Product must disable accounts when the accounts have expired. [Mainframe Product Security Requirements Guide]
  • V-276303 (CAT I): If DBMS authentication using passwords is employed, Azure SQL Managed Instance must enforce the DOD standards for password complexity and lifetime. [Microsoft Azure SQL Managed Instance Security Technical Implementation Guide]
  • V-270204 (CAT II): Microsoft Entra ID must automatically disable accounts after a 35-day period of account inactivity. [Microsoft Entra ID Security Technical Implementation Guide]
  • V-271307 (CAT I): If DBMS authentication using passwords is employed, SQL Server must enforce the DOD standards for password complexity and lifetime. [Microsoft SQL Server 2022 Instance Security Technical Implementation Guide]
  • V-253268 (CAT III): Unused accounts must be disabled or removed from the system after 35 days of inactivity. [Microsoft Windows 11 Security Technical Implementation Guide]
  • V-205707 (CAT II): Windows Server 2019 outdated or unused accounts must be removed or disabled. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-254256 (CAT II): Windows Server 2022 outdated or unused accounts must be removed or disabled. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-278003 (CAT II): Outdated or unused accounts on Windows Server 2025 must be removed or disabled. [Microsoft Windows Server 2025 Security Technical Implementation Guide]
  • V-260909 (CAT II): MKE must be configured to integrate with an Enterprise Identity Provider. [Mirantis Kubernetes Engine Security Technical Implementation Guide]
  • V-279540 (CAT II): Nutanix OS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Nutanix Acropolis GPOS Security Technical Implementation Guide]
  • V-273188 (CAT II): Okta must automatically disable accounts after a 35-day period of account inactivity. [Okta Identity as a Service (IDaaS) Security Technical Implementation Guide]
  • V-270551 (CAT II): Oracle Database must disable user accounts after 35 days of inactivity. [Oracle Database 19c Security Technical Implementation Guide]
  • V-221689 (CAT II): The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. [Oracle Linux 7 Security Technical Implementation Guide]
  • V-248703 (CAT II): The OL 8 system-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity. [Oracle Linux 8 Security Technical Implementation Guide]
  • V-248704 (CAT II): The OL 8 password-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity. [Oracle Linux 8 Security Technical Implementation Guide]
  • V-271849 (CAT II): OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Oracle Linux 9 Security Technical Implementation Guide]
  • V-253523 (CAT II): Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible. [Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide]
  • V-273835 (CAT I): The RUCKUS ICX device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. [RUCKUS ICX NDM Security Technical Implementation Guide]
  • V-252843 (CAT I): Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. [Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide]
  • V-281175 (CAT II): RHEL 10 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Red Hat Enterprise Linux 10 Security Technical Implementation Guide]
  • V-230373 (CAT II): RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. [Red Hat Enterprise Linux 8 Security Technical Implementation Guide]
  • V-258049 (CAT II): RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Red Hat Enterprise Linux 9 Security Technical Implementation Guide]
  • V-257543 (CAT I): OpenShift must use FIPS validated LDAP or OpenIDConnect. [Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide]
  • V-256093 (CAT I): The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access. [Riverbed NetProfiler Security Technical Implementation Guide]
  • V-217136 (CAT II): The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration. [SUSE Linux Enterprise Server 12 Security Technical Implementation Guide]
  • V-216344 (CAT II): User accounts must be locked after 35 days of inactivity. [Solaris 11 SPARC Security Technical Implementation Guide]
  • V-216109 (CAT II): User accounts must be locked after 35 days of inactivity. [Solaris 11 X86 Security Technical Implementation Guide]
  • V-242237 (CAT II): The TippingPoint SMS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. [Trend Micro TippingPoint NDM Security Technical Implementation Guide]
  • V-242254 (CAT I): The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions. [Trend Micro TippingPoint NDM Security Technical Implementation Guide]
  • V-252953 (CAT II): TOSS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide]
  • V-282502 (CAT II): TOSS 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide]
  • V-258909 (CAT II): The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. [VMware vSphere 8.0 vCenter Security Technical Implementation Guide]
  • V-207395 (CAT II): The VMM must disable local account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. [Virtual Machine Manager Security Requirements Guide]
  • V-264337 (CAT II): The web server must disable accounts when the accounts have expired. [Web Server Security Requirements Guide]
  • V-269574 (CAT I): Xylok Security Suite must use a centralized user management solution. [Xylok Security Suite 20.x Security Technical Implementation Guide]