NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(15) Networked Privileged Accesses

Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Privileged access provides greater accessibility to system functions, including security functions. Adversaries attempt to gain privileged access to systems through remote access to cause adverse mission or business impacts, such as by exfiltrating information or bringing down a critical system capability. Routing networked, privileged access requests through a dedicated, managed interface further restricts privileged access for increased access control and auditing.

Practitioner Notes

Privileged network access — administrator remote sessions, management plane connections — should go through dedicated, secured network paths that are separate from regular user traffic.

Example 1: Set up a dedicated management VLAN for all admin access to servers, network devices, and security tools. RDP, SSH, and HTTPS management connections are permitted only from this management VLAN, and the restriction is enforced on the target side as well (host firewall or device ACL), so that a VLAN or switch-port misconfiguration does not silently reopen the management ports to the user network. Admin workstations have two network connections, one for regular work and one for management. Note the caveat: a dual-homed workstation bridges the two networks, so a compromise on its user-facing side (browser, e-mail) reaches the management VLAN. A dedicated privileged access workstation with no user-side connectivity, or a hardened jump host that is the only permitted source for management ports, keeps the separation intact.

Example 2: Deploy a Privileged Access Management (PAM) solution. A session-brokering PAM such as CyberArk terminates every privileged session on its gateway, which enforces MFA, records the session, and limits the duration of elevated access; target systems accept management connections only from the gateway's address. Azure AD PIM (now Microsoft Entra Privileged Identity Management) serves a narrower part of this: just-in-time, time-bound activation of directory and Azure roles with MFA and approval, and an audit trail of each activation, but it does not broker or record the network session itself. Either way, the audit point is the same: every privileged login on a target should trace back to the managed path, and any that does not is a finding.
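The auditing half of both examples comes down to one check: every accepted login by a privileged account must originate from the managed path (the management VLAN in Example 1, the PAM gateway in Example 2). The following is an added example, not part of the NIST text or of any product; it parses constructed sshd log lines and flags privileged logins from anywhere else. The management subnet 10.99.0.0/24, the PAM gateway address 10.99.0.5, the list of privileged account names, and the log lines themselves are all assumptions made up for the illustration.

```python
import ipaddress
import re

# Assumed managed sources: the management VLAN and a single PAM/jump gateway.
# Both values are hypothetical; substitute the real ranges for the environment.
MANAGED_SOURCES = [
    ipaddress.ip_network("10.99.0.0/24"),   # management VLAN (assumed)
    ipaddress.ip_network("10.99.0.5/32"),   # PAM gateway / jump host (assumed)
]

# Accounts treated as privileged for this check (illustrative list).
PRIVILEGED_USERS = {"root", "admin", "ansible"}

# Matches the "Accepted <method> for <user> from <ip> port <port>" line sshd
# writes on successful authentication. Failed attempts do not match.
SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
Mar 11 08:01:02 web01 sshd[2311]: Accepted publickey for root from 10.99.0.15 port 50122 ssh2
Mar 11 08:03:44 web01 sshd[2340]: Accepted password for deploy from 10.20.4.77 port 51820 ssh2
Mar 11 08:05:10 web01 sshd[2377]: Accepted publickey for root from 10.20.4.77 port 51901 ssh2
Mar 11 08:06:00 web01 sshd[2390]: Failed password for admin from 203.0.113.9 port 4411 ssh2
Mar 11 08:07:31 web01 sshd[2402]: Accepted publickey for admin from 10.99.0.40 port 50200 ssh2
Mar 11 08:09:12 web01 sshd[2419]: Accepted publickey for ansible from 10.99.0.5 port 50310 ssh2
"""


def parse_accepted_logins(text):
    """Return one dict per successful sshd authentication found in text."""
    events = []
    for line in text.splitlines():
        m = SSHD_ACCEPTED.search(line)
        if not m:
            continue
        events.append({
            "user": m.group("user"),
            "method": m.group("method"),
            "src": ipaddress.ip_address(m.group("src")),
            "line": line,
        })
    return events


def is_managed_source(addr, managed_sources=MANAGED_SOURCES):
    """True if addr falls inside any of the managed (permitted) source ranges."""
    return any(addr in net for net in managed_sources)


def privileged_logins_outside_managed_path(events,
                                           privileged_users=PRIVILEGED_USERS,
                                           managed_sources=MANAGED_SOURCES):
    """Privileged logins whose source is not the management VLAN or PAM gateway.

    Each returned event is a finding: the control requires privileged access to
    be routed through the managed interface, so anything else bypassed it.
    """
    return [
        e for e in events
        if e["user"] in privileged_users
        and not is_managed_source(e["src"], managed_sources)
    ]


def audit(text):
    """Parse the log text and return (all accepted logins, findings)."""
    events = parse_accepted_logins(text)
    return events, privileged_logins_outside_managed_path(events)


if __name__ == "__main__":
    accepted, findings = audit(SAMPLE_LOG)
    print(f"{len(accepted)} accepted logins, {len(findings)} privileged logins off the managed path")
    for f in findings:
        print("FINDING:", f["line"])
```

On the sample data the root login from 10.20.4.77 is the only finding: it is a privileged account arriving from the user network rather than through the management VLAN or the gateway. Two limits worth knowing when running this against real logs: a login as an unprivileged account followed by sudo is still privileged access, and catching it requires correlating the sudo record with the originating session rather than only the sshd line; and the check assumes the log's source address has not been rewritten by NAT on the way in, since a NAT device between the gateway and the target would make every session appear to come from the managed path.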