CIS Control 5: Account Management
CIS Control 5: Account Management is a fundamental security practice within the CIS Critical Security Controls Version 8 framework. This control focuses on the processes and tools used to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts.
While this control manages the lifecycle and existence of identities, the specific permissions and authorizations those identities possess are governed by CIS Control 6: Access Control Management. Together, these controls form the backbone of a robust Identity and Access Management (IAM) program.
Core Safeguards and Implementation
CIS Control 5 outlines six primary safeguards to properly identify, protect, and respond to account-based risks.
5.1 & 5.5: Establishing Account Inventories
Just as CIS Control 1: Inventory and Control of Enterprise Assets demands a strict accounting of hardware, Control 5 requires a strict inventory of accounts. This ensures all active identities can be traced back to authorized users or processes.
Account inventories are divided into two distinct categories, both requiring at least a quarterly review:
- User and Administrator Accounts (5.1): The inventory must comprehensively list all standard and elevated identities. At a bare minimum, records must include the person’s name, username, start/stop dates, and department. When conducting recurring reviews, analysts should pay close attention to newly created accounts, validating their authorization.
- Service Accounts (5.5): Non-human accounts often present unique risks due to hidden dependencies and shared credentials. A dedicated inventory of service accounts is required. At a minimum, this must track the department owner, the date of the last review, and the business purpose of the account.
Edge Case Note: Automated service accounts tied to legacy applications may lack native support for automated inventory tracking. In these scenarios, manual audits or compensating logging controls must be strictly maintained to fulfill the quarterly review requirement.
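The reconciliation the two inventory safeguards describe can be scripted against a directory export. The following is an added example (not code from the page or from CIS) that compares the accounts actually present in a directory with the authorised 5.1 inventory, and checks 5.5 service-account records for the minimum fields and for an overdue quarterly review. The record layout, the 90-day review window, and the sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: "at least quarterly" is implemented as a 90-day review window.
REVIEW_PERIOD = timedelta(days=90)

@dataclass
class UserAccount:
    # The 5.1 minimum record: name, username, start/stop dates, department.
    username: str
    name: str
    department: str
    start: date
    stop: Optional[date] = None   # None while the person is still authorised

@dataclass
class ServiceAccount:
    # The 5.5 minimum record: owning department, last review date, business purpose.
    username: str
    owner_department: Optional[str]
    purpose: Optional[str]
    last_review: Optional[date]

def reconcile_user_accounts(directory_users: Dict[str, date], inventory: List[UserAccount],
                            last_review: date, today: date) -> Dict[str, List[str]]:
    """Compare identities present in the directory (username -> creation date)
    with the authorised inventory and return findings grouped by category."""
    inv = {u.username: u for u in inventory}
    findings = {"untraceable": [], "past_stop_date": [], "new_since_review": [], "missing_fields": []}
    for username, created in directory_users.items():
        rec = inv.get(username)
        if rec is None:
            # Active identity with no authorised owner on record.
            findings["untraceable"].append(username)
            continue
        if rec.stop is not None and rec.stop < today:
            # Authorisation has ended but the account still exists.
            findings["past_stop_date"].append(username)
        if created > last_review:
            # Created since the previous review: must be validated this cycle.
            findings["new_since_review"].append(username)
        if not (rec.name and rec.department and rec.start):
            findings["missing_fields"].append(username)
    return findings

def review_service_accounts(accounts: List[ServiceAccount], today: date) -> Dict[str, List[str]]:
    """Flag service accounts missing the 5.5 minimum fields or overdue for review."""
    findings = {"missing_fields": [], "review_overdue": []}
    for acct in accounts:
        if not (acct.owner_department and acct.purpose and acct.last_review):
            findings["missing_fields"].append(acct.username)
            continue
        if today - acct.last_review > REVIEW_PERIOD:
            findings["review_overdue"].append(acct.username)
    return findings

# Constructed sample data for a review run on 2024-06-30 (not real accounts).
TODAY = date(2024, 6, 30)
LAST_REVIEW = date(2024, 4, 1)           # date of the previous quarterly review
DIRECTORY_USERS = {                       # directory export: username -> creation date
    "alice": date(2021, 3, 1),
    "bob": date(2024, 5, 15),
    "carol": date(2022, 9, 10),
    "temp-contractor": date(2024, 6, 20),
}
INVENTORY = [
    UserAccount("alice", "Alice Adams", "Finance", date(2021, 3, 1)),
    UserAccount("bob", "Bob Brown", "IT", date(2024, 5, 15)),
    UserAccount("carol", "Carol Cole", "HR", date(2022, 9, 10), stop=date(2024, 5, 31)),
]
SERVICE_ACCOUNTS = [
    ServiceAccount("svc-backup", "IT", "Nightly backup job", date(2024, 5, 2)),
    ServiceAccount("svc-legacy-erp", "Finance", "Legacy ERP integration", date(2023, 12, 1)),
    ServiceAccount("svc-unknown", None, None, None),
]

if __name__ == "__main__":
    print(reconcile_user_accounts(DIRECTORY_USERS, INVENTORY, LAST_REVIEW, TODAY))
    print(review_service_accounts(SERVICE_ACCOUNTS, TODAY))
```

Running it on the constructed data reports `temp-contractor` as untraceable, `carol` as past her stop date, `bob` as new since the last review, `svc-unknown` as missing its minimum fields and `svc-legacy-erp` as overdue for review. For a legacy application with no automated tracking, the `SERVICE_ACCOUNTS` list is exactly the record a manual audit has to maintain.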
5.2: Credential Security and Passwords
All enterprise assets must utilize unique passwords. Password length and complexity requirements depend heavily on the presence of Multi-Factor Authentication (MFA):
- Accounts using MFA: Passwords must be at least 8 characters in length.
- Accounts not using MFA: Passwords must be at least 14 characters in length to compensate for the lack of a second factor.
Users should be trained to use approved password manager applications to securely generate and store credentials. Storing passwords in spreadsheets, plain text files, or unencrypted documents is strictly prohibited. Furthermore, MFA is strongly recommended for all remote access scenarios to mitigate brute-force and credential stuffing attacks.
5.3: Disabling Dormant Accounts
Abandoned or forgotten identities provide a quiet entry point for attackers. To reduce this attack surface, any dormant accounts must be deleted or disabled after a period of 45 days of inactivity, wherever the underlying system supports this configuration.
Practical Implementation: Security teams should automate this process via their primary directory service. However, exceptions (such as users on extended medical or parental leave) require a defined procedure. Instead of leaving these accounts active, they should be disabled at the 45-day mark and re-enabled upon the employee's documented return.
5.4: Restrict Administrator Privileges
To prevent the accidental or malicious execution of elevated commands, users requiring administrative access must be issued dedicated administrator accounts.
General computing activities—such as browsing the internet, checking email, or using productivity suites—must only be conducted from the user’s primary, non-privileged account. The base user account must not possess elevated privileges. If an administrator falls victim to a phishing attack or drive-by download while using their non-privileged account, the potential blast radius is significantly reduced.
5.6: Centralize Account Management
Identity sprawl leads to inconsistent security enforcement. Organizations must centralize account management through a unified directory or identity service. Utilizing Single Sign-On (SSO) is heavily encouraged, especially in environments with numerous software and cloud platforms, as tracked under CIS Control 2: Inventory and Control of Software Assets. SSO provides a convenient and secure user experience, drastically reducing password fatigue and simplifying the provisioning and de-provisioning processes.
Operational Best Practices
Beyond the strict definitions of the safeguards, CIS recommends supplementary practices to reinforce account security:
- Session Management: Users must be automatically logged out of systems or applications after a defined period of inactivity.
- Screen Locking: Personnel must be trained to lock their workstation screens whenever they step away from their devices. This minimizes the possibility of unauthorized physical access to an active session, an important defense-in-depth measure.
- Continuous Monitoring: When reviewing logs, pay close attention to service accounts executing commands outside their defined "purpose" or administrator accounts logging in during anomalous hours. Active tracking of high-privilege identities bridges the gap between account management and active threat detection.
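The two monitoring signals named above (a service account acting outside its stated purpose, and an administrator account logging on at an unusual hour) can be checked with a few rules over authentication and execution logs. The following is an added example (not code from the page or from CIS) that runs those rules over a handful of constructed log lines. The key=value log format, the `adm-` naming convention for dedicated administrator accounts, the 08:00 to 18:00 business window and the per-account list of permitted commands are all assumptions; the command list is the kind of "purpose" an organisation would record in its 5.5 service-account inventory.

```python
from datetime import datetime, time
from typing import Dict, List, Set

# Assumption: the documented purpose of each service account, expressed as
# the commands it is expected to run. Sourced from the 5.5 inventory in practice.
SERVICE_PURPOSE: Dict[str, Set[str]] = {
    "svc-backup": {"/usr/local/bin/backup.sh", "/usr/bin/rsync"},
}
ADMIN_PREFIX = "adm-"                        # assumed naming convention for 5.4 admin accounts
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed normal window for administrator logons

# Constructed sample log lines in a key=value layout (not real logs).
SAMPLE_LOG = """\
2024-06-30T02:14:05 host=fs01 user=adm-bob event=logon type=interactive
2024-06-30T09:30:00 host=app01 user=svc-backup event=exec cmd=/usr/local/bin/backup.sh
2024-06-30T11:02:11 host=app01 user=svc-backup event=exec cmd=/usr/bin/ssh
2024-06-30T03:40:00 host=db01 user=svc-backup event=logon type=interactive
2024-06-30T10:00:00 host=ws12 user=alice event=logon type=interactive
"""

def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value key=value ...' into a record dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def check_record(rec: dict) -> List[str]:
    """Return the names of the monitoring rules this record trips."""
    hits = []
    user = rec.get("user", "")
    if user in SERVICE_PURPOSE:
        # A service account has no business logging on interactively.
        if rec.get("event") == "logon" and rec.get("type") == "interactive":
            hits.append("service-account-interactive-logon")
        # Any command outside the documented purpose is worth a look.
        if rec.get("event") == "exec" and rec.get("cmd") not in SERVICE_PURPOSE[user]:
            hits.append("service-account-outside-purpose")
    if user.startswith(ADMIN_PREFIX) and rec.get("event") == "logon":
        t = rec["ts"].time()
        if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
            hits.append("admin-logon-off-hours")
    return hits

def scan(log_text: str) -> List[dict]:
    """Run every rule over every line and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in check_record(rec):
            findings.append({"ts": rec["ts"].isoformat(), "user": rec["user"], "rule": rule})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the constructed lines the scan raises three findings: the 02:14 logon by `adm-bob`, the `svc-backup` execution of `/usr/bin/ssh`, and the interactive `svc-backup` logon on `db01`; the scheduled backup run and the ordinary user logon pass. Each rule is only as good as the inventory behind it, which is the link between account management and detection that the text describes.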