CMMC 2.0 • LEVEL 2 • ACCESS CONTROL

AC.L2-3.1.6 Least Privilege – Privileged Accounts

Restrict privileged accounts on the system to all administrative functions including system configuration changes, user account management, audit log access, software installation, and security tool management (CMMC/STIG). Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • privileged accounts on the system are restricted to all administrative functions including system configuration changes, user account management, audit log access, software installation, and security tool management (CMMC/STIG).
  • users (or roles) with privileged accounts are required to use non-privileged accounts when accessing non-security functions or non-security information.
