Requirement text: AC.2.007: Employ the principle of least privilege, including for specific security
functions and privileged accounts.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations employ the principle of least privilege for specific duties and authorized
accesses for users and processes. The principle of least privilege is applied with the goal of
authorized privileges no higher than necessary to accomplish required organizational
missions or business functions. Organizations consider the creation of additional processes,
roles, and system accounts as necessary, to achieve least privilege. Organizations also apply
least privilege to the development, implementation, and operation of organizational systems.
Security functions include establishing system accounts, setting events to be logged, setting
intrusion detection parameters, and configuring access authorizations (i.e., permissions,
privileges).
Privileged accounts, including super user accounts, are typically described as system
administrator for various types of commercial off-the-shelf operating systems. Restricting
privileged accounts to specific personnel or roles prevents day-to-day users from having
access to privileged information or functions. Organizations may differentiate in the
application of this requirement between allowed privileges for local accounts and for domain
accounts provided organizations retain the ability to control system configurations for key
security parameters and as otherwise necessary to sufficiently mitigate risk.
CMMC CLARIFICATION
You should apply the principle of least privilege to all users and processes on all systems.
This means you assign the fewest permissions necessary for the user or process to
accomplish their business function. Also, you:
• restrict user access to only the machines and information needed to fulfill job
responsibilities; and
• limit what system configuration settings users can change, only allowing individuals
with a business need to change them.
Example
As the IT administrator for your organization, you create accounts. You apply the fewest
privileges necessary for the user or process to complete their task. This means you assign
everyone a basic user role. This prevents a user from modifying system configurations. You
also assign privileged access only to users and processes that need it, such as IT staff.
REFERENCES
• NIST SP 800-171 Rev 1 3.1.5
• CIS Controls v7.1 14.6
• NIST CSF v1.1 PR.AC-4
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 AC-6, AC-6(1), AC-6(5)
• UK NCSC Cyber Essentials