Skip to main content

IAC-15: Account Management

IAC 10 — Critical Protect

Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.

Control Question: Does the organization proactively govern account management of individual, group, system, service, application, guest and temporary accounts?

General (44)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.1
CSA CCM 4 IAM-03 IAM-16 IAM-16
Generally Accepted Privacy Principles (GAPP) 8.2.2
GovRAMP Core AC-02
GovRAMP Low AC-02
GovRAMP Low+ AC-02
GovRAMP Moderate AC-02
GovRAMP High AC-02
IMO Maritime Cyber Risk Management 3.5.3.1
ISO 27002 2022 5.15 5.16 5.18
ISO 27017 2015 9.2.5 9.2.6
MITRE ATT&CK 10 T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1005, T1021, T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1025, T1036, T1036.003, T1036.005, T1041, T1047, T1048, T1048.002, T1048.003, T1052, T1052.001, T1053, T1053.001, T1053.002, T1053.003, T1053.005, T1053.006, T1053.007, T1055, T1055.008, T1056.003, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1068, T1070, T1070.001, T1070.002, T1070.003, T1072, T1078, T1078.001, T1078.002, T1078.003, T1078.004, T1087.004, T1098, T1098.001, T1098.002, T1098.003, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1134, T1134.001, T1134.002, T1134.003, T1136, T1136.001, T1136.002, T1136.003, T1185, T1190, T1197, T1210, T1212, T1213, T1213.001, T1213.002, T1213.003, T1218, T1218.007, T1222, T1222.001, T1222.002, T1484, T1489, T1495, T1505, T1505.002, T1505.003, T1525, T1528, T1530, T1537, T1538, T1542, T1542.001, T1542.003, T1542.005, T1543, T1543.001, T1543.002, T1543.003, T1543.004, T1546.003, T1547.004, T1547.006, T1547.009, T1547.012, T1547.013, T1548, T1548.002, T1548.003, T1550, T1550.002, T1550.003, T1552, T1552.001, T1552.002, T1552.004, T1552.006, T1552.007, T1556, T1556.001, T1556.003, T1556.004, T1558, T1558.001, T1558.002, T1558.003, T1558.004, T1559, T1559.001, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1563, T1563.001, T1563.002, T1567, T1569, T1569.001, T1569.002, T1574, T1574.004, T1574.005, T1574.007, T1574.008, T1574.009, T1574.010, T1574.012, T1578, T1578.001, T1578.002, T1578.003, T1580, T1599, T1599.001, T1601, T1601.001, T1601.002, T1606, T1606.001, T1606.002, T1609, T1610, T1611, T1612, T1613, T1619
NIST 800-53 R4 AC-2
NIST 800-53 R4 (low) AC-2
NIST 800-53 R4 (moderate) AC-2
NIST 800-53 R4 (high) AC-2
NIST 800-53 R5 (source) AC-2
NIST 800-53B R5 (low) (source) AC-2
NIST 800-53B R5 (moderate) (source) AC-2
NIST 800-53B R5 (high) (source) AC-2
NIST 800-82 R3 LOW OT Overlay AC-2
NIST 800-82 R3 MODERATE OT Overlay AC-2
NIST 800-82 R3 HIGH OT Overlay AC-2
NIST 800-161 R1 AC-2
NIST 800-161 R1 C-SCRM Baseline AC-2
NIST 800-161 R1 Flow Down AC-2
NIST 800-161 R1 Level 2 AC-2
NIST 800-161 R1 Level 3 AC-2
NIST 800-171 R2 (source) 3.1.2
NIST 800-171A (source) 3.1.2[a] 3.1.2[b]
NIST 800-171 R3 (source) 03.01.01.a 03.01.01.b 03.01.01.c.01 03.01.01.c.02 03.01.01.d.01 03.01.01.d.02 03.01.01.e 03.01.01.f.01 03.01.01.f.03 03.01.01.f.04 03.01.01.f.05 03.01.01.g.01 03.01.01.g.02 03.01.01.g.03 03.01.02 03.01.05.b 03.01.05.c 03.01.05.d
NIST 800-171A R3 (source) A.03.01.01.ODP[01] A.03.01.01.a[01] A.03.01.01.a[02] A.03.01.01.c.01 A.03.01.01.e A.03.01.01.f.01 A.03.01.01.f.02 A.03.01.01.f.03 A.03.01.01.f.04 A.03.01.01.f.05 A.03.01.01.g.01 A.03.01.01.g.02 A.03.01.01.g.03 A.03.05.07.e
PCI DSS 4.0.1 (source) 8.2.4 8.3.10 8.6 8.6.1
PCI DSS 4.0.1 SAQ A-EP (source) 8.2.4 8.6.1
PCI DSS 4.0.1 SAQ C (source) 8.2.4 8.6.1
PCI DSS 4.0.1 SAQ C-VT (source) 8.2.4
PCI DSS 4.0.1 SAQ D Merchant (source) 8.2.4 8.6.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 8.2.4 8.3.10 8.6.1
UL 2900-1 2017 8.3
SCF CORE Fundamentals IAC-15
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) IAC-15
SCF CORE ESP Level 1 Foundational IAC-15
SCF CORE ESP Level 2 Critical Infrastructure IAC-15
SCF CORE ESP Level 3 Advanced Threats IAC-15
US (32)
Framework Mapping Values
US CERT RMM 1.2 AM:SG1.SP1 AM:SG1.SP2 AM:SG1.SP3 AM:SG1.SP4 ID:SG2.SP1 ID:SG2.SP2 ID:SG2.SP3 ID:SG2.SP4
US CJIS Security Policy 5.9.3 (source) AC-2
US CMMC 2.0 Level 1 (source) AC.L1-B.1.II
US CMMC 2.0 Level 1 AOs (source) AC.L1-B.1.II[a] AC.L1-B.1.II[b]
US CMMC 2.0 Level 2 (source) AC.L2-3.1.2
US CMMC 2.0 Level 3 (source) AC.L2-3.1.2
US CMS MARS-E 2.0 AC-2
US DHS ZTCF USR-01
US FAR 52.204-21 52.204-21(b)(1)(ii)
US FedRAMP R4 AC-2
US FedRAMP R4 (low) AC-2
US FedRAMP R4 (moderate) AC-2
US FedRAMP R4 (high) AC-2
US FedRAMP R4 (LI-SaaS) AC-2
US FedRAMP R5 (source) AC-2
US FedRAMP R5 (low) (source) AC-2
US FedRAMP R5 (moderate) (source) AC-2
US FedRAMP R5 (high) (source) AC-2
US FedRAMP R5 (LI-SaaS) (source) AC-2
US FFIEC D3.PC.Im.B.7 D3.PC.Am.B.6
US HIPAA Administrative Simplification 2013 (source) 164.312(a)(2)(ii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.312(a)(2)(ii)
US HIPAA HICP Small Practice 3.S.A
US HIPAA HICP Medium Practice 3.M.A 9.M.B
US HIPAA HICP Large Practice 3.M.A 9.M.B
US IRS 1075 AC-2
US NERC CIP 2024 (source) CIP-007-6 5.3
US NISPOM 2020 8-606
US - MA 201 CMR 17.00 17.04(1)(a)
US - TX DIR Control Standards 2.0 AC-2
US - TX TX-RAMP Level 1 AC-2
US - TX TX-RAMP Level 2 AC-2
EMEA (6)
Framework Mapping Values
EMEA EU NIS2 Annex 11.2.2(c) 11.5.2(c)
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 6.2
EMEA Israel CDMO 1.0 4.3 4.4 4.6
EMEA Saudi Arabia CSCC-1 2019 2-2-1-7
EMEA Saudi Arabia OTCC-1 2022 2-2-1-10
EMEA UK DEFSTAN 05-138 2424
APAC (5)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0441 ISM-0443
APAC India SEBI CSCRF PR.AA.S1
APAC Japan ISMAP 9.2.5 9.2.6
APAC New Zealand HISF 2022 HHSP38 HML38 HSUP33 HSUP35
APAC New Zealand HISF Suppliers 2023 HSUP33 HSUP35
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.01.01.A 03.01.01.B 03.01.01.C.01 03.01.01.C.02 03.01.01.D.01 03.01.01.D.02 03.01.01.E 03.01.01.F.01 03.01.01.F.03 03.01.01.F.04 03.01.01.F.05 03.01.01.G.01 03.01.01.G.02 03.01.01.G.03 03.01.02 03.01.05.B 03.01.05.C 03.01.05.D

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.

Level 1 — Performed Informally

Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
  • IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked

Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.

  • Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
  • IT personnel:
  • Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
  • IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
Level 3 — Well Defined

Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
  • The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
  • An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
  • Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.

Assessment Objectives

  1. IAC-15_A01 criteria for account creation, enabling, modification, disabling and removal are defined.
  2. IAC-15_A02 approvals are required by organization-defined personnel or roles for requests to create accounts.
  3. IAC-15_A03 accounts are created in accordance with organization-defined policy, procedures, prerequisites and criteria.
  4. IAC-15_A04 accounts are enabled in accordance with organization-defined policy, procedures, prerequisites and criteria.
  5. IAC-15_A05 accounts are modified in accordance with organization-defined policy, procedures, prerequisites and criteria.
  6. IAC-15_A06 accounts are disabled in accordance with organization-defined policy, procedures, prerequisites and criteria.
  7. IAC-15_A07 accounts are removed in accordance with organization-defined policy, procedures, prerequisites and criteria.
  8. IAC-15_A08 the use of accounts is monitored.
  9. IAC-15_A09 accounts are reviewed for compliance with account management requirements organization-defined frequency.
  10. IAC-15_A10 account management processes are aligned with personnel termination processes.
  11. IAC-15_A11 account management processes are aligned with personnel transfer processes.
  12. IAC-15_A12 account managers and organization-defined personnel or roles are notified within an organization-defined time period when accounts are no longer required.
  13. IAC-15_A13 account managers and organization-defined personnel or roles are notified within an organization-defined time period when users are terminated or transferred.
  14. IAC-15_A14 account managers and organization-defined personnel or roles are notified within an organization-defined time period when system usage or the need to know changes for an individual.
  15. IAC-15_A15 access to the system is authorized based on a valid access authorization.
  16. IAC-15_A16 access to the system is authorized based on intended system usage.
  17. IAC-15_A17 access to the system is authorized based on organization-defined attributes (as required).
  18. IAC-15_A18 the use of system accounts is monitored.
  19. IAC-15_A19 system accounts are disabled when the accounts have expired.
  20. IAC-15_A20 system accounts are disabled when the accounts have been inactive for <A.03.01.01.ODP[01]: time period>.
  21. IAC-15_A21 system accounts are disabled when the accounts are no longer associated with a user or individual.
  22. IAC-15_A22 system accounts are disabled when the accounts violate organizational policy.
  23. IAC-15_A23 system accounts are disabled when significant risks associated with individuals are discovered.
  24. IAC-15_A24 account types specifically prohibited for use within the system are defined and documented.
  25. IAC-15_A25 the types of transactions and functions that authorized users are permitted to execute are defined.
  26. IAC-15_A26 personnel or roles required to approve requests to create accounts is/are defined.
  27. IAC-15_A27 criteria for account creation, enabling, modification, disabling and removal are defined.
  28. IAC-15_A28 account types allowed for use within the system are defined and documented.
  29. IAC-15_A29 account managers are assigned.
  30. IAC-15_A30 system access is limited to the defined types of transactions and functions for authorized users.
  31. IAC-15_A31 prerequisites and criteria for group and role membership are defined.
  32. IAC-15_A32 attributes (as required) for each account are defined.
  33. IAC-15_A33 personnel or roles required to approve requests to create accounts is/are defined.
  34. IAC-15_A34 personnel or roles to be notified is/are defined.
  35. IAC-15_A35 time period within which to notify account managers when accounts are no longer required is defined.
  36. IAC-15_A36 time period within which to notify account managers when users are terminated or transferred is defined.
  37. IAC-15_A37 time period within which to notify account managers when system usage or the need to know changes for an individual is defined.
  38. IAC-15_A38 attributes needed to authorize system access (as required) are defined.
  39. IAC-15_A39 the frequency of account review is defined.
  40. IAC-15_A40 organization-defined prerequisites and criteria for group and role membership are required.
  41. IAC-15_A41 authorized users of the system are specified.
  42. IAC-15_A42 group and role membership are specified.
  43. IAC-15_A43 access authorizations (e.g., privileges) are specified for each account.
  44. IAC-15_A44 organization-defined attributes (as required) are specified for each account.
  45. IAC-15_A45 a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group.
  46. IAC-15_A46 a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group.
  47. IAC-15_A47 the time period for account inactivity before disabling is defined.
  48. IAC-15_A48 system account types allowed are defined.
  49. IAC-15_A49 system account types prohibited are defined.
  50. IAC-15_A50 account managers and designated personnel or roles are notified within <A.03.01.01.ODP[02]: time period> when accounts are no longer required.
  51. IAC-15_A51 account managers and designated personnel or roles are notified within <A.03.01.01.ODP[03]: time period> when users are terminated or transferred.
  52. IAC-15_A52 account managers and designated personnel or roles are notified within <A.03.01.01.ODP[04]: time period> when system usage or the need-to-know changes for an individual.
  53. IAC-15_A53 a new password is selected upon first use after account recovery.

Evidence Requirements

E-IAM-07 Account Management Compliance Reviews

Documented evidence of account management compliance reviews.

Identity & Access Management
E-IAM-08 Conditions for Group / Role Membership

Documented evidence of conditions for group and role membership.

Identity & Access Management

Technology Recommendations

Micro/Small

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Small

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Medium

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Large

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

Enterprise

  • Microsoft Active Directory (https://microsoft.com)
  • Microsoft Entra (https://microsoft.com)
  • AWS IAM (https://aws.amazon.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free