03.01.01 Account Management

Scope

This policy outlines the procedures for managing system accounts to ensure the confidentiality, integrity, and availability of controlled unclassified information (CUI) on federal contract information (FCI) systems. It covers account creation, authorization, usage, monitoring, and deactivation to mitigate risks associated with unauthorized access and misuse.


Determine If

  • A.03.01.01.ODP[01]: the time period for account inactivity before disabling is defined.
  • A.03.01.01.ODP[02]: the time period within which to notify account managers and designated personnel or roles when accounts are no longer required is defined.
  • A.03.01.01.ODP[03]: the time period within which to notify account managers and designated personnel or roles when users are terminated or transferred is defined.
  • A.03.01.01.ODP[04]: the time period within which to notify account managers and designated personnel or roles when system usage or the need-to-know changes for an individual is defined.
  • A.03.01.01.ODP[05]: the time period of expected inactivity requiring users to log out of the system is defined.
  • A.03.01.01.ODP[06]: circumstances requiring users to log out of the system are defined.
  • A.03.01.01.a[01]: system account types allowed are defined.
  • A.03.01.01.a[02]: system account types prohibited are defined.
  • A.03.01.01.b[01]: system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria.
  • A.03.01.01.b[02]: system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria.
  • A.03.01.01.b[03]: system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria.
  • A.03.01.01.b[04]: system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria.
  • A.03.01.01.b[05]: system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria.
  • A.03.01.01.c.01: authorized users of the system are specified.
  • A.03.01.01.c.02: group and role memberships are specified.
  • A.03.01.01.c.03: access authorizations (i.e., privileges) for each account are specified.
  • A.03.01.01.d.01: access to the system is authorized based on a valid access authorization.
  • A.03.01.01.d.02: access to the system is authorized based on intended system usage.
  • A.03.01.01.e: the use of system accounts is monitored.
  • A.03.01.01.f.01: system accounts are disabled when the accounts have expired.
  • A.03.01.01.f.02: system accounts are disabled when the accounts have been inactive for the time period defined in A.03.01.01.ODP[01].
  • A.03.01.01.f.03: system accounts are disabled when the accounts are no longer associated with a user or individual.
  • A.03.01.01.f.04: system accounts are disabled when the accounts violate organizational policy.
  • A.03.01.01.f.05: system accounts are disabled when significant risks associated with individuals are discovered.
  • A.03.01.01.g.01: account managers and designated personnel or roles are notified within the time period defined in A.03.01.01.ODP[02] when accounts are no longer required.
  • A.03.01.01.g.02: account managers and designated personnel or roles are notified within the time period defined in A.03.01.01.ODP[03] when users are terminated or transferred.
  • A.03.01.01.g.03: account managers and designated personnel or roles are notified within the time period defined in A.03.01.01.ODP[04] when system usage or the need-to-know changes for an individual.
  • A.03.01.01.h: users are required to log out of the system after the time period of expected inactivity defined in A.03.01.01.ODP[05] or when the circumstances defined in A.03.01.01.ODP[06] occur.

