Reference: CMMC 2.0
Level Introduced: 2
Title: Least Privilege
Employ the principle of least privilege, including for specific security functions and privileged accounts.
You should apply the principle of least privilege to all users and processes on all systems. This means you assign the fewest permissions necessary for the user or process to accomplish their business function. Also, you:
• restrict user access to only the machines and information needed to fulfill job responsibilities; and
• limit what system configuration settings users can change, only allowing individuals with a business need to change them.
As the IT administrator for your organization, you create accounts and apply the fewest privileges necessary for each user or process to complete its task. This means you assign everyone a basic user role, which prevents users from modifying system configurations. You assign privileged access only to the users and processes that need it, such as IT staff.
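The provisioning rule described above (everyone gets the basic user role; the privileged role is added only when the job function requires it) can be checked mechanically. The following is an added example, not part of the CMMC text: a small role model with constructed roles, job functions and accounts, a `provision` helper that applies the rule, and a `review` function that flags accounts holding permissions their job does not need, which is the kind of periodic check an assessor would expect to see for this practice.

```python
"""Least-privilege provisioning and review (added example; the role names,
permissions, job functions and accounts below are constructed for illustration)."""

from dataclasses import dataclass, field

# Permissions granted by each role (constructed policy).
ROLE_PERMISSIONS = {
    "user": {"read_own_files", "run_approved_apps"},
    "admin": {"read_own_files", "run_approved_apps",
              "change_system_config", "manage_accounts"},
}

# Permissions each job function actually needs (constructed).
JOB_NEEDS = {
    "accounting": {"read_own_files", "run_approved_apps"},
    "it_staff": {"read_own_files", "run_approved_apps",
                 "change_system_config", "manage_accounts"},
}


@dataclass
class Account:
    name: str
    job: str
    roles: set = field(default_factory=lambda: {"user"})  # basic role by default


def effective_permissions(account):
    """Union of the permissions granted by all of the account's roles."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_permitted(account, action):
    """Authorization check: only accounts whose roles grant the action may perform it."""
    return action in effective_permissions(account)


def provision(name, job):
    """Create an account with the basic role; add 'admin' only if the job needs
    a permission the basic role does not grant."""
    acct = Account(name, job)
    if JOB_NEEDS[job] - ROLE_PERMISSIONS["user"]:
        acct.roles.add("admin")
    return acct


def excess_privileges(account):
    """Permissions the account holds beyond what its job function requires."""
    return effective_permissions(account) - JOB_NEEDS[account.job]


def review(accounts):
    """Least-privilege review: map each over-privileged account name to the
    sorted list of permissions it should not hold."""
    return {a.name: sorted(excess_privileges(a))
            for a in accounts if excess_privileges(a)}


# Constructed sample: two correctly provisioned accounts and one that was
# granted 'admin' by hand although the job does not need it.
SAMPLE_ACCOUNTS = [
    provision("alice", "accounting"),
    provision("bob", "it_staff"),
    Account("carol", "accounting", {"user", "admin"}),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.name, sorted(acct.roles),
              "may change config:", is_permitted(acct, "change_system_config"))
    print("over-privileged:", review(SAMPLE_ACCOUNTS))
```

Running the block reports that `alice` cannot change system configuration, `bob` can, and the review flags `carol` for holding `change_system_config` and `manage_accounts` without a business need. In practice the role and job tables would be read from the directory or IAM system rather than hard-coded, and the review would run on a schedule.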