CMMC 2.0 • LEVEL 2 • ACCESS CONTROL

AC.L2-3.1.5 Least Privilege

Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks. Authorize access to security functions (system administration, security administration, audit log access, account management, and configuration management functions [CMMC/STIG]); such access is authorized by the System Owner or Information System Security Manager (ISSM) [CMMC/STIG]. Review the privileges assigned to roles or classes of users quarterly (every 90 days) [CMMC/STIG] to validate the need for such privileges. Reassign or remove privileges, as necessary.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • system access for users (or processes acting on behalf of users) is authorized only when necessary to accomplish assigned organizational tasks.
  • access to security functions (system administration, security administration, audit log access, account management, and configuration management functions [CMMC/STIG]) is authorized.
  • access to those security functions is authorized by the System Owner or Information System Security Manager (ISSM) [CMMC/STIG].
  • the privileges assigned to roles or classes of users are reviewed quarterly (every 90 days) [CMMC/STIG] to validate the need for such privileges.
  • privileges are reassigned or removed, as necessary.

Practitioner Notes

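The review step of this practice (validate every privilege against a current authorization, then reassign or remove) is the part assessors ask to see evidence of. The following is an added worked example, not code from CMMC, NIST or this page: it takes a group-membership export and the System Owner/ISSM authorization register, checks each holder of a privileged group for a valid, recent authorization by an approved role, and produces the "reassign or remove" list. The group names, the register layout and the sample data are hypothetical; map them to your own directory and records.

```python
"""
Quarterly privileged-access review for AC.L2-3.1.5 (added example, not from the page).

Inputs: current group membership (here a constructed `getent group` export plus a
constructed directory snapshot) and the authorization register kept by the
System Owner / ISSM (constructed).  Output: one Finding per privilege that fails
review, plus register entries with no matching membership that should be retired.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Security functions named in the control, mapped to the groups that grant them.
# Group names are hypothetical; substitute the ones your environment uses.
SECURITY_FUNCTIONS = {
    "system administration": {"Domain Admins", "wheel"},
    "security administration": {"Security Admins"},
    "audit log access": {"Event Log Readers", "adm"},
    "account management": {"Account Operators"},
    "configuration management": {"GPO Editors"},
}
PRIVILEGED_GROUPS = {g: f for f, gs in SECURITY_FUNCTIONS.items() for g in gs}
APPROVERS = {"System Owner", "ISSM"}   # roles allowed to authorize, per the page
REVIEW_PERIOD = timedelta(days=90)     # quarterly review, per the page


@dataclass(frozen=True)
class Authorization:
    user: str
    group: str
    approved_by: str    # role of the approver, e.g. "ISSM"
    approved_on: date   # date of the last (re)authorization


@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    function: str
    reason: str


def parse_getent(text):
    """Parse `getent group` output (name:pw:gid:member,member) into {group: set(users)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def review_privileges(memberships, authorizations, today):
    """Return a Finding for every (user, privileged group) pair that fails review."""
    on_record = {(a.user, a.group): a for a in authorizations}
    findings = []
    for group, users in memberships.items():
        function = PRIVILEGED_GROUPS.get(group)
        if function is None:
            continue  # ordinary group, not a security function: out of scope here
        for user in sorted(users):
            auth = on_record.get((user, group))
            if auth is None:
                reason = "no authorization on record"
            elif auth.approved_by not in APPROVERS:
                reason = f"approved by '{auth.approved_by}', not the System Owner or ISSM"
            else:
                age = (today - auth.approved_on).days
                if age <= REVIEW_PERIOD.days:
                    continue  # valid, recent authorization by an approved role
                reason = f"last authorized {age} days ago, exceeds {REVIEW_PERIOD.days}-day review period"
            findings.append(Finding(user, group, function, reason))
    return findings


def stale_authorizations(memberships, authorizations):
    """Register entries whose user no longer holds the group: retire them so the record stays accurate."""
    return [a for a in authorizations if a.user not in memberships.get(a.group, set())]


# --- constructed sample data (hypothetical users, groups and dates) ---
GETENT_SAMPLE = """\
wheel:x:10:alice,bob
adm:x:4:carol
users:x:100:alice,bob,carol,dave
"""
AD_SAMPLE = {"Domain Admins": {"alice", "dave"}, "Event Log Readers": {"erin"}}
AUTHORIZATIONS = [
    Authorization("alice", "wheel", "ISSM", date(2024, 5, 1)),            # valid
    Authorization("bob", "wheel", "Help Desk Lead", date(2024, 5, 1)),    # wrong approver
    Authorization("carol", "adm", "System Owner", date(2024, 1, 15)),     # older than 90 days
    Authorization("alice", "Domain Admins", "System Owner", date(2024, 6, 1)),  # valid
    Authorization("frank", "GPO Editors", "ISSM", date(2024, 6, 1)),      # frank holds no group: stale
    # dave (Domain Admins) and erin (Event Log Readers) have no record at all
]


def run_review(today=date(2024, 7, 1)):
    memberships = parse_getent(GETENT_SAMPLE)
    memberships.update(AD_SAMPLE)
    return (review_privileges(memberships, AUTHORIZATIONS, today),
            stale_authorizations(memberships, AUTHORIZATIONS))


if __name__ == "__main__":
    findings, stale = run_review()
    for f in findings:
        print(f"REMOVE/REASSIGN {f.user:6} {f.group:18} ({f.function}): {f.reason}")
    for a in stale:
        print(f"RETIRE RECORD   {a.user:6} {a.group:18}: no longer a member")
```

The output of `run_review()` is the evidence the assessment objectives ask for: the review date, the scope (only groups mapped to a named security function), who was found outside policy and why, and the resulting reassign/remove actions. Keep the register as the single source of truth and have the script fail the review rather than silently pass when a privileged group has no mapping in `SECURITY_FUNCTIONS`, if your environment adds groups faster than the mapping is maintained.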