CCI-003628

Definition

Disable accounts when the accounts are no longer associated to a user.

Parent Control

AC-2 (3): Account Management (Access Control)

Linked STIG Checks (43)

Vuln ID | Severity | Requirement | Guide
V-263528 | CAT II | AAA Services must be configured to disable accounts when the accounts are no longer associated to a user. | AAA Services Security Requirements Guide
V-279055 | CAT I | ColdFusion must be using an enterprise solution for authentication. | Adobe ColdFusion Security Technical Implementation Guide
V-274149 | CAT II | Amazon Linux 2023 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Amazon Linux 2023 Security Technical Implementation Guide
V-268549 | CAT II | The macOS system must disable accounts after 35 days of inactivity. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277157 | CAT II | The macOS system must disable accounts after 35 days of inactivity. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-263549 | CAT II | The application server must disable accounts when the accounts are no longer associated to a user. | Application Server Security Requirements Guide
V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-260547 | CAT II | Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270683 | CAT II | Ubuntu 24.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-263557 | CAT II | The Central Log Server must disable accounts when the accounts are no longer associated to a user. | Central Log Server Security Requirements Guide
V-242633 | CAT II | The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access. | Cisco ISE NDM Security Technical Implementation Guide
V-263586 | CAT II | The container platform must disable accounts when the accounts are no longer associated to a user. | Container Platform Security Requirements Guide
V-263603 | CAT II | The DBMS must disable accounts when the accounts are no longer associated to a user. | Database Security Requirements Guide
V-263624 | CAT II | The DNS server implementation must disable accounts when the accounts are no longer associated to a user. | Domain Name System (DNS) Security Requirements Guide
V-230952 | CAT II | Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. | Forescout Network Device Management Security Technical Implementation Guide
V-263650 | CAT II | The operating system must disable accounts when the accounts are no longer associated to a user. | General Purpose Operating System Security Requirements Guide
V-223577 | CAT II | The IBM z/OS system administrator (SA) must develop a procedure to automatically remove or disable temporary user accounts after 72 hours. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223761 | CAT II | The IBM z/OS system administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or 72 hours. | IBM z/OS RACF Security Technical Implementation Guide
V-223798 | CAT II | IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours. | IBM z/OS RACF Security Technical Implementation Guide
V-224035 | CAT II | IBM z/OS system administrator (SA) must develop a procedure to remove or disable temporary user accounts after 72 hours. | IBM z/OS TSS Security Technical Implementation Guide
V-224036 | CAT II | IBM z/OS system administrator (SA) must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours. | IBM z/OS TSS Security Technical Implementation Guide
V-258600 | CAT I | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Ivanti Connect Secure NDM Security Technical Implementation Guide
V-253941 | CAT I | The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
V-223206 | CAT II | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide
V-263670 | CAT II | The Mainframe Product must disable accounts when the accounts are no longer associated to a user. | Mainframe Product Security Requirements Guide
V-278003 | CAT II | Outdated or unused accounts on Windows Server 2025 must be removed or disabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-248703 | CAT II | The OL 8 system-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity. | Oracle Linux 8 Security Technical Implementation Guide
V-248704 | CAT II | The OL 8 password-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity. | Oracle Linux 8 Security Technical Implementation Guide
V-271849 | CAT II | OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Oracle Linux 9 Security Technical Implementation Guide
V-273835 | CAT I | The RUCKUS ICX device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | RUCKUS ICX NDM Security Technical Implementation Guide
V-281175 | CAT II | RHEL 10 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-258049 | CAT II | RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-256093 | CAT I | The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access. | Riverbed NetProfiler Security Technical Implementation Guide
V-216344 | CAT II | User accounts must be locked after 35 days of inactivity. | Solaris 11 SPARC Security Technical Implementation Guide
V-216109 | CAT II | User accounts must be locked after 35 days of inactivity. | Solaris 11 X86 Security Technical Implementation Guide
V-242237 | CAT II | The TippingPoint SMS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
V-242254 | CAT I | The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
V-252953 | CAT II | TOSS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-282502 | CAT II | TOSS 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-264315 | CAT II | The VMM must disable accounts when the accounts are no longer associated to a user. | Virtual Machine Manager Security Requirements Guide
V-264338 | CAT II | The web server must disable accounts when the accounts are no longer associated to a user. | Web Server Security Requirements Guide
V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide