This requirement limits exposure when operating from within privileged accounts or roles.
The inclusion of roles addresses situations where organizations implement access control
policies such as role-based access control and where a change of role provides the same
degree of assurance in the change of access authorizations for the user and all processes
acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
CMMC CLARIFICATION
A user with a privileged account can perform more tasks and access more information than a user with a non-privileged account, so tasks performed while using the privileged account can have a greater impact on the system. Restrict the use of privileged accounts to the administrative tasks that actually require the elevated access, and issue a privileged account only to those whose function requires it. This reduces the risk of unintentional harm to systems and data.
Example
As the IT administrator for your organization, you have two user accounts. One is a non-privileged account, which you use for non-privileged duties such as sending or receiving email. The other is a privileged account, which you use only when performing administrative functions such as troubleshooting a device or setting up new user accounts.
References
• NIST SP 800-171 Rev 1 3.1.6
• CIS Controls v7.1 4.3, 4.6
• NIST CSF v1.1 PR.AC-4
• NIST SP 800-53 Rev 4 AC-6(2)
• UK NCSC Cyber Essentials