The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
30 minutes unless otherwise defined in formal organizational policy
DoD RMF TAG
Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement.