Expiry alerts at 30 + 14 + 7 days
Description
What this control does
This control requires automated notifications to be triggered at 30, 14, and 7 days before the expiration of critical security assets such as digital certificates, credentials, licenses, contracts, or access privileges. The tiered alert schedule provides escalating opportunities for renewal or replacement actions, preventing unplanned service disruptions or security gaps. Implementation typically involves automated monitoring systems that track expiration dates and send alerts to designated owners or security teams at the specified intervals.
Control objective
What auditing this proves
Demonstrate that automated expiry alerts are configured to notify responsible parties at 30, 14, and 7 days prior to expiration of critical security assets, and that these notifications are reliably delivered and actioned.
Associated risks
Risks this control addresses
- Expired TLS/SSL certificates causing service outages, broken trust chains, or browser warnings that erode user confidence
- Lapsed privileged account credentials enabling unauthorized access through dormant or forgotten accounts
- Expired software licenses or security tool subscriptions creating coverage gaps in protection capabilities
- Overlooked contract renewals with third-party security vendors leading to sudden loss of critical services
- Expired code-signing certificates preventing software updates from being trusted or deployed
- Unrenewed API keys or tokens breaking integrations between security tools and leaving blind spots in monitoring
- Forgotten temporary access grants persisting beyond intended duration due to lack of proactive expiry management
Testing procedure
How an auditor verifies this control
- Obtain and review the inventory of all assets subject to expiration tracking, including certificates, credentials, licenses, and access grants.
- Request configuration exports or screenshots from the alert management system showing the 30-day, 14-day, and 7-day notification thresholds.
- Identify the notification methods (email, ticketing system, dashboard alerts) and designated recipients for each asset category.
- Select a representative sample of assets with upcoming expirations within the next 60 days and verify alert configurations are active for each threshold.
- Review historical alert logs from the past 90 days to confirm that notifications were actually sent at the configured intervals for assets that expired or were renewed.
- Interview asset owners or security operations personnel to confirm they receive, acknowledge, and act upon the alerts in practice.
- If available, execute a test scenario by creating a dummy asset with a near-term expiration date and verify all three alert tiers trigger correctly.
- Cross-reference alert records with renewal or remediation tickets to validate that alerts prompted timely action before expiration.
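The historical-log review and the renewal cross-reference in the procedure above can be scripted. The following Python is an added example, not part of the original control text or of any alerting product; the record field names, the one-day tolerance and the sample data are assumptions constructed for illustration.

```python
from datetime import date, timedelta

TIERS = (30, 14, 7)  # days before expiry, as the control specifies

def audit_alerts(assets, alert_log, start, end, tol_days=1):
    """Return (asset_id, tier, status) for every alert tier due in [start, end].
    Status: OK, LATE, UNDELIVERED (sent, not delivered) or MISSING (never sent).
    Record field names are assumptions made for this example."""
    tol = timedelta(days=tol_days)
    findings = []
    for asset_id, info in sorted(assets.items()):
        expires, renewed = info["expires"], info.get("renewed_on")
        # Due date per tier, plus expiry itself as the end of the last tier.
        dues = [expires - timedelta(days=t) for t in TIERS] + [expires]
        for i, tier in enumerate(TIERS):
            due, next_due = dues[i], dues[i + 1]
            if not start <= due <= end:
                continue  # tier fell outside the reviewed log period
            if renewed and renewed <= due:
                continue  # renewed before the tier was due: no alert expected
            # An alert counts for this tier until the next tier's window opens.
            hits = [a for a in alert_log if a["asset"] == asset_id
                    and due - tol <= a["sent"] < next_due - tol]
            ok = [a["sent"] for a in hits if a["delivered"]]
            if not hits:
                status = "MISSING"
            elif not ok:
                status = "UNDELIVERED"
            else:
                status = "LATE" if min(ok) > due + tol else "OK"
            findings.append((asset_id, tier, status))
    return findings

# Constructed sample data: three assets and a 90-day alert log extract.
ASSETS = {
    "tls-www": {"expires": date(2024, 3, 1), "renewed_on": date(2024, 2, 25)},
    "codesign-01": {"expires": date(2024, 3, 20), "renewed_on": None},
    "api-siem": {"expires": date(2024, 2, 10), "renewed_on": date(2024, 1, 20)},
}
LOG = [
    {"asset": "tls-www", "sent": date(2024, 1, 31), "delivered": True},
    {"asset": "tls-www", "sent": date(2024, 2, 16), "delivered": True},
    {"asset": "tls-www", "sent": date(2024, 2, 23), "delivered": True},
    {"asset": "codesign-01", "sent": date(2024, 2, 19), "delivered": True},
    {"asset": "codesign-01", "sent": date(2024, 3, 9), "delivered": True},
    {"asset": "codesign-01", "sent": date(2024, 3, 13), "delivered": False},
]
if __name__ == "__main__":
    print(*audit_alerts(ASSETS, LOG, date(2024, 1, 1), date(2024, 3, 30)), sep="\n")
```

Any status other than OK is a sampling exception to follow up with the asset owner; tiers skipped because the asset was renewed first are not reported as missing.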
Where this control is tested