NIST 800-53 REV 5 • ACCESS CONTROL

AC-6(7) Review of User Privileges

Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.

Practitioner Notes

Regularly review who has privileged access and whether they still need it. Privilege creep — where people accumulate access over time — is one of the most common security risks.

Example 1: Run a quarterly review of all Active Directory privileged groups (Domain Admins, Schema Admins, Enterprise Admins, Account Operators). Use Get-ADGroupMember -Recursive to find nested memberships that might be hiding unauthorized access. Document the review results and any remediation actions.
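The following PowerShell script is an added illustration of the quarterly review in Example 1; it is not part of the NIST control text. It assumes the RSAT ActiveDirectory module is installed, the account running it can read group membership and user attributes in the domain, and that the report directory (a placeholder path) exists. It compares direct and recursive membership so that access inherited through nested groups is flagged, and it produces a CSV review sheet with empty Reviewer and Decision columns for the documentation step.

```powershell
# Added example for AC-6(7): enumerate privileged AD groups and build a review sheet.
# Assumptions: ActiveDirectory module available, read access to the domain,
# and C:\Reports exists (placeholder path; adjust for your environment).
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Account Operators')
$reviewPeriodDays = 90                                          # quarterly review window
$staleCutoff      = (Get-Date).AddDays(-$reviewPeriodDays)
$reportPath       = "C:\Reports\PrivilegedReview-$(Get-Date -Format 'yyyy-MM-dd').csv"

$findings = foreach ($group in $privilegedGroups) {
    try {
        # Direct members only, used to distinguish direct from inherited membership
        $direct = Get-ADGroupMember -Identity $group -ErrorAction Stop |
                  Select-Object -ExpandProperty DistinguishedName
        # -Recursive flattens nested groups so that members hidden behind nesting are surfaced
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        # Schema Admins and Enterprise Admins exist only in the forest root domain
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }

    foreach ($m in ($members | Where-Object { $_.objectClass -eq 'user' })) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, Enabled, Description

        # Conditions a reviewer should examine before revalidating the privilege
        $flags = @()
        if (-not $u.Enabled)                                             { $flags += 'DisabledAccount' }
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $staleCutoff) { $flags += 'NoLogonInPeriod' }
        if ($direct -notcontains $u.DistinguishedName)                   { $flags += 'ViaNestedGroup' }

        [pscustomobject]@{
            Group          = $group
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Description    = $u.Description
            Flags          = ($flags -join ';')
            Reviewer       = ''          # completed by the reviewer
            Decision       = ''          # Retain / Remove / Reassign
        }
    }
}

# Write the full review sheet, then show only the memberships that need attention
$findings | Sort-Object Group, SamAccountName | Export-Csv -Path $reportPath -NoTypeInformation
$flagged = @($findings | Where-Object { $_.Flags })
$flagged | Format-Table Group, SamAccountName, Flags -AutoSize
Write-Host "Review sheet written to $reportPath ($(@($findings).Count) memberships, $($flagged.Count) flagged)"
```

The three flags are review prompts, not automatic removals: a disabled account still holding Domain Admins membership, an account with no logon in the review period, and membership that arrives only through a nested group are the cases most often missed when someone eyeballs the group in the console. The completed CSV, with the Decision column filled in, is the review record the control asks you to keep.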

Example 2: In Azure AD, configure Access Reviews under Identity Governance for all directory roles. Set the review to recur every 90 days, with the role assignment owner as the reviewer. Enable auto-removal for assignments where no response is received within the review period.