STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The application must automatically disable accounts after a 35 day period of account inactivity.

DISA Rule

SV-222411r508029_rule

Vulnerability Number

V-222411

Group Title

SRG-APP-000025

Rule Version

APSC-DV-000320

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Design and configure the application to expire user accounts after 35 days of inactivity.
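
One way an application that manages its own accounts could implement this fix, shown as an added example that is not part of the STIG or of any product's code. The `Account` record and function names are hypothetical. It assumes a never-used account is measured from its creation time and that reaching exactly 35 days of inactivity counts as expired.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVITY_LIMIT = timedelta(days=35)  # threshold stated in APSC-DV-000320


@dataclass
class Account:  # hypothetical record layout
    username: str
    created_at: datetime            # timezone-aware UTC
    last_login: Optional[datetime]  # None if the account was never used
    enabled: bool = True


def disable_inactive(accounts: List[Account], now: datetime) -> List[str]:
    """Disable enabled accounts idle for 35 days or more; return their names."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware to avoid local-time drift")
    disabled = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to report
        # Assumption: a never-used account is measured from its creation time,
        # so dormant provisioned accounts expire too.
        last_activity = acct.last_login or acct.created_at
        if now - last_activity >= INACTIVITY_LIMIT:
            acct.enabled = False
            disabled.append(acct.username)
    return disabled


def run_constructed_sample():
    """Constructed sample data covering the boundary and never-used cases."""
    now = datetime(2020, 10, 23, tzinfo=timezone.utc)
    ago = lambda days: now - timedelta(days=days)
    accounts = [
        Account("alice", ago(400), ago(10)),          # active
        Account("bob", ago(400), ago(35)),            # exactly at the limit
        Account("carol", ago(90), None),              # never logged in, old
        Account("dave", ago(5), None),                # never logged in, new
        Account("erin", ago(400), ago(100), False),   # already disabled
    ]
    disabled = disable_inactive(accounts, now)
    return disabled, {a.username: a.enabled for a in accounts}


if __name__ == "__main__":
    print(run_constructed_sample())
```

Run on a schedule (for example daily), the returned list gives the accounts disabled in that pass, which can be written to the application's audit log.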

Check Contents

Examine the application documentation or interview the application representative to identify how the application users are managed.

Interview the application administrator and determine if the application is configured to utilize a centralized user management system like Active Directory (AD) for user management or if the application manages user accounts within the application.

If the application is configured to use an enterprise-based application user management capability that is STIG compliant, the requirement is not applicable.

If the application handles the management tasks for user accounts, access the application's user management utility.

Navigate to the screen where user accounts are configured to be disabled after 35 days of inactivity.

Confirm this setting is active.

If the application is not set to expire inactive accounts after 35 days, or if the application has no ability to expire accounts after 35 days of inactivity, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4093
