CMMC Practices

AC.L2-3.1.5  

Reference: CMMC 2.11

Family: AC

Level Introduced: 2

Title: Least Privilege

Practice:
Employ the principle of least privilege, including for specific security functions and privileged accounts.

CMMC Clarification:
You should apply the principle of least privilege to all users and processes on all systems. This means you assign the fewest permissions necessary for the user or process to accomplish their business function. Also, you:
• restrict user access to only the machines and information needed to fulfill job responsibilities; and
• limit what system configuration settings users can change, only allowing individuals with a business need to change them.

Example
As the IT administrator for your organization, you create accounts. You apply the fewest privileges necessary for the user or process to complete their task. This means you assign everyone a basic user role. This prevents a user from modifying system configurations. You also assign privileged access only to users and processes that need it, such as IT staff.

Source: CMMC v2.0