Reference: CMMC v2.13
Family: AC
Level Introduced: 2
Title: Least Privilege
Practice:
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Further Discussion:
												The principle of least privilege applies to all users and processes on all systems, but it is critical to systems containing or accessing CUI. Least privilege:
• restricts user access to only the machines and information needed to fulfill job responsibilities; and
• limits what system configuration settings users can change, only allowing individuals with a business need to change them.
Example
You create accounts for an organization that processes CUI. By default, everyone is assigned a basic user role, which prevents a user from modifying system configurations. Privileged access is only assigned to users and processes that require it to carry out job functions, such as IT staff, and is very selectively granted [b,d].
Potential Assessment Considerations
• Are privileged accounts documented, and are the conditions under which they may be used defined [a]?
• Are users assigned privileged accounts to perform their job functions only when it is necessary [b]?
• Are necessary security functions identified (e.g., access control configuration, system configuration settings, or privileged account lists) that must be managed through the use of privileged accounts [c]?
• Is access to privileged functions and security information restricted to authorized employees [d]?
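The following is an added example, not part of the CMMC practice text or of any assessment tool. It implements the account-provisioning pattern from the Example above (everyone gets a basic role; a privileged role is granted only with a recorded business need) and then audits a constructed account inventory against objectives [a] through [d]. Role names, security-function names, account names and the ticket reference are assumptions made for illustration.

```python
"""Least-privilege provisioning and audit over a constructed account inventory.

Added example; not from the CMMC practice text or any assessment tool.
Role names, security-function names, account names and ticket references
are assumed for illustration.
"""
from dataclasses import dataclass, field

BASIC_ROLE = "user"

# Security functions of the kind objective [c] names, mapped to the role that
# may perform them (assumed mapping). The basic role intentionally grants none.
ROLE_FUNCTIONS = {
    BASIC_ROLE: set(),
    "sysadmin": {"system configuration"},
    "iam-admin": {"access control configuration", "privileged account list"},
}
SECURITY_FUNCTIONS = {
    "system configuration",
    "access control configuration",
    "privileged account list",
}
# Declared explicitly (not derived) so the audit can catch a basic role that
# has accidentally been given a security function.
PRIVILEGED_ROLES = {"sysadmin", "iam-admin"}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=lambda: {BASIC_ROLE})
    justification: str = ""  # business need / ticket for any privileged role [b]


def provision(name, requested_roles, justification=""):
    """Create an account with the basic role by default; add a privileged role
    only if it is a known privileged role and a justification is recorded [b].
    Returns (account, list_of_denied_roles)."""
    acct = Account(name)
    denied = []
    for role in requested_roles:
        if role == BASIC_ROLE:
            continue
        if role in PRIVILEGED_ROLES and justification.strip():
            acct.roles.add(role)
            acct.justification = justification
        else:
            denied.append(role)
    return acct, denied


def audit(accounts, registry, role_functions=ROLE_FUNCTIONS):
    """Check an inventory against the four assessment objectives.

    registry: documented privileged accounts [a]; each entry lists the roles
    the account is authorized to hold [d] and a statement of when it may be used.
    Returns a list of (objective, subject, finding) tuples; empty means clean.
    """
    findings = []
    # [c] security functions must be reachable only through a privileged role
    for role, fns in role_functions.items():
        if role not in PRIVILEGED_ROLES and fns & SECURITY_FUNCTIONS:
            findings.append(("c", role, "non-privileged role grants a security function"))
    for fn in sorted(SECURITY_FUNCTIONS):
        if not any(fn in role_functions.get(r, ()) for r in PRIVILEGED_ROLES):
            findings.append(("c", fn, "security function not assigned to any privileged role"))

    for acct in accounts:
        held = acct.roles & PRIVILEGED_ROLES
        if not held:
            continue  # basic users are the expected default
        entry = registry.get(acct.name)
        if entry is None or not entry.get("permitted_use", "").strip():
            findings.append(("a", acct.name, "privileged account not documented with defined use"))
        if not acct.justification.strip():
            findings.append(("b", acct.name, "privileged role(s) held without business justification"))
        authorized = set(entry.get("roles", ())) if entry else set()
        for role in sorted(held - authorized):
            findings.append(("d", acct.name, f"holds privileged role '{role}' not authorized in registry"))
    return findings


def constructed_inventory():
    """Constructed sample data: one documented admin, one user whose request for
    a privileged role is denied, and one admin created outside provisioning."""
    registry = {
        "alice-adm": {"roles": {"sysadmin"},
                      "permitted_use": "server maintenance windows, change ticket required"},
    }
    alice, _ = provision("alice-adm", {"sysadmin"}, "IT staff, CHG-1042 (assumed ticket)")
    bob, bob_denied = provision("bob", {BASIC_ROLE, "iam-admin"})  # no justification: denied
    carol = Account("carol-adm", {BASIC_ROLE, "iam-admin"}, "")    # undocumented, unjustified
    return [alice, bob, carol], registry, bob_denied


if __name__ == "__main__":
    accounts, registry, denied = constructed_inventory()
    print("denied at provisioning:", denied)
    for objective, subject, text in audit(accounts, registry):
        print(f"[{objective}] {subject}: {text}")
```

The audit is deliberately default-deny: an account holding any privileged role produces findings unless it appears in the documented registry with a defined use [a], carries a justification [b], and holds only the roles the registry authorizes [d]; the role-to-function map is checked separately so that a basic role granting a security function is caught even before any account is examined [c].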