Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY AC

AC.L2-3.1.5

Least Privilege

Requirement

Employ the principle of least privilege, including for specific security functions and privileged accounts.

Further discussion

The principle of least privilege applies to all users and processes on all systems, but it is critical to systems containing or accessing CUI. Least privilege: • restricts user access to only the machines and information needed to fulfill job responsibilities; and • limits what system configuration settings users can change, only allowing individuals with a business need to change them. Example You create accounts for an organization that processes CUI. By default, everyone is assigned a basic user role, which prevents a user from modifying system configurations. Privileged access is only assigned to users and processes that require it to carry out job functions, such as IT staff, and is very selectively granted [b,d]. Potential Assessment Considerations • Are privileged accounts documented and is when they may be used defined [a]? • Are users assigned privileged accounts to perform their job functions only when it is necessary [b]? • Are necessary security functions identified (e.g., access control configuration, system configuration settings, or privileged account lists) that must be managed through the use of privileged accounts [c]? • Is access to privileged functions and security information restricted to authorized employees [d]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/