IA.L2-3.5.6 · NIST SP 800-171 3.5.6

Identifier Handling

Disable identifiers after a defined period of inactivity.

1 point if not met · POA&M eligible · 2 assessment objectives

What an assessor scores, the objectives

IA.L2-3.5.6 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. a period of inactivity after which an identifier is disabled is defined
  • b. identifiers are disabled after the defined period of inactivity

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For IA.L2-3.5.6, an assessor uses these:

Examine

Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of system accounts; list of identifiers generated from physical access control devices; other relevant documents or records

Interview

Personnel with identifier management responsibilities; personnel with information security responsibilities; system or network administrators; system developers

Test

Mechanisms supporting or implementing identifier management

What it means, in context

Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.

Identifiers are uniquely associated with an individual, account, process, or device. An inactive identifier is one that has not been used for a defined extended period of time. For example, a user account may be needed for a certain time to allow for transition of business processes to existing or new staff. Once use of the identifier is no longer necessary, it should be disabled as soon as possible. Failure to maintain awareness of accounts that are no longer needed yet still active could allow an adversary to exploit IT services.

Example

One of your responsibilities is to enforce your company’s inactive account policy: any account that has not been used in the last 45 days must be disabled [a]. You enforce this by writing a script that runs once a day to check the last login date for each account and generates a report of the accounts with no login records for the last 45 days. After reviewing the report, you notify each inactive employee’s supervisor and disable the account [b].

Potential Assessment Considerations

  • Are user accounts or identifiers monitored for inactivity [b]?
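The daily check described in the Example above, sketched as an added example (not code from the original page): it covers only the reporting step and leaves review, notification and disabling to the administrator, as the page describes. The account records, field names and the choice to measure never-used accounts from their creation date are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Objective [a]: the defined inactivity period (45 days in the example policy).
INACTIVITY_LIMIT = timedelta(days=45)

# Constructed sample data; a real job would export this from the directory service.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    {"id": "asmith", "enabled": True, "created": "2024-01-10T00:00:00+00:00", "last_login": "2025-05-20T00:00:00+00:00"},
    {"id": "bjones", "enabled": True, "created": "2024-01-10T00:00:00+00:00", "last_login": "2025-03-01T00:00:00+00:00"},
    {"id": "cnew", "enabled": True, "created": "2025-05-25T00:00:00+00:00", "last_login": None},
    {"id": "dtemp", "enabled": True, "created": "2025-01-15T00:00:00+00:00", "last_login": None},
    {"id": "eold", "enabled": False, "created": "2023-06-01T00:00:00+00:00", "last_login": "2024-11-01T00:00:00+00:00"},
    {"id": "fedge", "enabled": True, "created": "2024-01-10T00:00:00+00:00", "last_login": "2025-04-17T00:00:00+00:00"},
    {"id": "svc-backup", "enabled": True, "created": "2024-01-10T00:00:00+00:00", "last_login": "2025-04-01T00:00:00+00:00"},
]


def find_inactive(accounts, now, limit=INACTIVITY_LIMIT):
    """Return enabled accounts idle for longer than `limit`, longest-idle first."""
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to enforce
        # A never-used account is measured from creation so it cannot stay enabled forever.
        reference = datetime.fromisoformat(acct["last_login"] or acct["created"])
        idle = now - reference
        if idle > limit:  # exactly 45 days idle is still inside the window
            stale.append({"id": acct["id"], "last_login": acct["last_login"] or "never",
                          "idle_days": idle.days})
    return sorted(stale, key=lambda row: row["idle_days"], reverse=True)


def render_report(stale, now):
    """Render the dated CSV report that is reviewed before accounts are disabled [b]."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["report_date", "id", "last_login", "idle_days"])
    writer.writeheader()
    for row in stale:
        writer.writerow({"report_date": now.date().isoformat(), **row})
    return buf.getvalue()


if __name__ == "__main__":
    print(render_report(find_inactive(ACCOUNTS, SAMPLE_NOW), SAMPLE_NOW))
```

Keeping each day's report alongside the record of which accounts were then disabled gives the dated enforcement trail an assessor asks for under objective [b].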

What passing evidence looks like

The inactivity rule (identifiers disabled after the defined period of non-use) and either an automated job or a dated review that actually disables them.

Common ways contractors fail IA.L2-3.5.6

  • Define the period (90 days is common), then show one enforcement instance. A last sign-in report with the stale accounts already disabled is the clean proof.

The step-by-step walkthrough for Microsoft 365 GCC High, Google Workspace, and on-premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

IA.L2-3.5.6 questions, answered

How many points is CMMC requirement IA.L2-3.5.6 worth?

IA.L2-3.5.6 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can IA.L2-3.5.6 be placed on a POA&M?

Yes. A gap on IA.L2-3.5.6 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.

What family does IA.L2-3.5.6 belong to?

IA.L2-3.5.6 is in the Identification & Authentication (IA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.5.6