IA.L2-3.5.6

IA.L2-3.5.6: Identifier Deactivation

Disable identifiers when users, processes, or devices are no longer active.

Identifier deactivation is straightforward in principle but often neglected in practice. Your policy says “disable accounts after 90 days of inactivity.” Good. But do you actually have a process checking for inactive accounts? Do you run a report? Do you deactivate them? If not, the policy is fiction.

This ties into termination (IA.L2-3.5.5) but goes further. You remove accounts when people leave. But you also remove accounts when people stop using them, even if they’re still employed. An employee goes on permanent leave, takes a different role that doesn’t need the old system access, or just stops using a legacy application. Their account should be disabled. Inactive accounts also affect audit logging and compliance tracking covered in AU.L2-3.3.1 and AU.L2-3.3.2.

Family Identification and Authentication
Practice IA.L2-3.5.6
Difficulty Medium
Key evidence Inactivity policy, process documentation, logs showing deactivations, audit reports

What the assessor is actually evaluating

The assessor is checking two things. One: do you have a written policy that defines inactivity and triggers deactivation? Two: are you actually following it?

For most small contractors, 90 days is the industry standard for inactivity thresholds. Some use 60 days. The number matters less than the fact that you have one and you’re enforcing it. The assessor will ask how you monitor for inactive accounts. They want to hear that you have a process (automated or manual) that checks for accounts that haven’t logged in within your defined period, and you disable them.

If you say “we have a policy but we’ve never actually deactivated an account due to inactivity,” that’s a finding. The policy doesn’t count if you’re not executing it.

What a realistic SSP definition looks like

Example SSP Language: IA.L2-3.5.6

Practice IA.L2-3.5.6: Identifier Deactivation

Identifiers are deactivated when users are no longer active or when devices are no longer in use. Additionally, identifiers are disabled after a defined period of inactivity.

User Account Deactivation:

Accounts for terminated employees are disabled within one business day of separation per our Termination SOP documented in the Human Resources section of our SSP.

Accounts that remain inactive for 90 consecutive days are disabled. “Inactive” means no login activity on any system with CUI. The IT manager reviews Active Directory and application logs on a monthly basis to identify accounts with no login activity in the past 90 days. Identified accounts are marked for deactivation. The account owner or manager is notified and given the opportunity to re-activate if the account is still needed. After 5 business days without response or confirmation that the account is needed, the account is disabled.

In special cases where an account must remain active but is expected to be unused for extended periods (e.g., seasonal employees, employees on leave), the account remains active at the manager’s documented request and is reviewed separately.

Account deactivation is documented in a ticket showing the account disabled, the reason (inactivity, termination), the date disabled, and who performed the action. Disabled accounts are retained in a disabled state for [X period] per our retention policy, then removed.

Device Identifier Deactivation:

Devices no longer in use are decommissioned from the device inventory. Devices that have not connected to the network for 90 days are flagged for review. The network administrator confirms whether the device is still authorized. If no longer in use, the device is decommissioned and removed from the authorized device list.

Service Account Deactivation:

Service accounts that are no longer needed for any business function are disabled. The service account registry is reviewed quarterly by the IT manager. Service accounts no longer listed as required are disabled and archived.

This is specific about the 90-day threshold, the review process (monthly), and what happens next (notification, 5-day window, then deactivation). The assessor reads this and knows exactly what to ask for: your last inactivity review and the deactivations you made.

How to present your evidence

Evidence checklist
  • Inactivity policy defining the threshold (typically 90 days)
  • Documentation of your monitoring process and frequency
  • Example inactivity deactivation records showing accounts disabled
  • Active Directory or identity provider logs showing account state changes

You need these artifacts:

  1. Your inactivity policy. Written statement of your inactivity threshold (e.g., 90 days) and the process for monitoring and deactivating. This can be part of your Access Control policy or your Security Policy.

  2. Documentation of your monitoring process. What system generates the report? How often do you run it? How do you track accounts flagged for deactivation? A simple document describing this is enough.

  3. Example inactivity deactivation records. Run a report showing accounts that were recently disabled due to inactivity. Include the account name, last login date, deactivation date, and who performed the deactivation. Anonymize names if needed, but show the evidence of the process working.

  4. Active Directory or identity provider logs showing account state changes. If you have logs showing accounts being disabled, that’s good supporting evidence.

  5. Notification records. If your process includes notifying the account owner before deactivation, show an example of that notification (anonymized).

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "How do you monitor for inactive accounts?"
"We run a report monthly from Active Directory looking for accounts with no login activity in 90 days. We flag those accounts and give the manager 5 business days to confirm they're still needed. If not confirmed, we disable them. Here's our last report and the accounts we disabled as a result."
Q: "When was the last time you deactivated an account due to inactivity?"
Pull up a record from your inactivity deactivations. "[Account name] was inactive for 90 days. Last login was [date]. We notified the manager on [date]. No confirmation. We disabled it on [date]." Show the documentation. If you've never done this, that's a problem. It means your policy isn't being executed.
Q: "What if the policy exists but you haven't actually deactivated accounts?"
Don't be in this position. Before the assessment, run an inactivity report. Find accounts that should be deactivated and deactivate them. Get at least one documented example before you sit down with the assessor. This is a low-effort finding to prevent.

Common failures

Inactivity policy exists but you've never actually deactivated an account. Policy says 90 days. You've been running the company for three years. Nobody's ever been inactive for that long, or the policy is just a document that gets ignored. Either way, when the assessor asks about recent deactivations, you can't show them. That's a finding.
You don't have a defined inactivity threshold. No policy. Accounts just accumulate. Assessor asks when the last account was disabled due to inactivity and you don't have an answer. Fix this before the assessment.
No process to actually monitor for inactivity. You have a policy but no way to enforce it. You're not running reports. You're not tracking unused accounts. The policy is fiction.
You have a simple monthly inactivity review documented and you're executing it. Run a report, identify inactive accounts, notify managers, deactivate if confirmed unused. You have records of recent deactivations showing the process is real.
Your inactivity review is automated or integrated with your ticketing system. A monthly ticket gets created automatically. It pulls the inactive account list. You review it and close the ticket with deactivations documented. No manual process to forget.
Get assessment room tips in your inbox

Short, practical breakdowns of what assessors actually ask and how to answer. No compliance jargon, no sales pitch. Subscribe free on Substack.

If you use an MSP or MSSP

Your MSSP should be running the inactivity reports and doing the deactivations. They have access to all the logs and can identify unused accounts. You define the policy (90 days or whatever), and they execute it.

In the assessment, the MSSP should be able to pull up the inactivity report and show recent deactivations. They should be able to explain the process. If your MSSP is mature, they probably already monitor for this and have a documented process.

Your SSP documents the policy and the general process. The MSSP handles the technical implementation. Both should be aligned and documented.

Ask your MSSP: "When was the last time you deactivated an account due to inactivity and do you have documentation?" If they hesitate or say "we don't really track that," push back. They should have a process and records. Get them to show you recent examples before the assessment.

This guidance is based on assessment room experience and reflects one practitioner’s interpretation of CMMC Level 2 requirements. It is not legal or compliance advice. Always consult your compliance team and official CMMC documentation for final guidance.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← IA.L2-3.5.7: Password Complexity All Practices IA.L2-3.5.5: Identifier Management →