Requirement text: SC.3.181: Separate user functionality from system management functionality.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
System management functionality includes functions necessary to administer databases,
network components, workstations, or servers, and typically requires privileged user access.
The separation of user functionality from system management functionality is physical or
logical. Organizations can implement separation of system management functionality from
user functionality by using different computers, different central processing units, different
instances of operating systems, or different network addresses; virtualization techniques; or
combinations of these or other methods, as appropriate. This type of separation includes
web administrative interfaces that use separate authentication methods for users of any
other system resources. Separation of system and user functionality may include isolating
administrative interfaces on different domains and with additional access controls.
CMMC CLARIFICATION
Prevent user functionality and services from accessing system management functionality on
IT components, e.g., databases, network components, workstations, servers. This reduces
the attack surface to those critical interfaces by limiting who can access them and how they
can be accessed. This can be achieved through both logical and physical methods, using separate
computers, CPUs, operating system instances, network addresses, or a combination of these methods.
By separating the user functionality from system management functionality, the
administrator or privileged functions are not available to the general user.
The intent of this practice is to ensure:
• general users are not permitted to perform system administration functions; and
• system administrators only perform system administration functions from their
privileged account.
This can be accomplished using network separation such as VLANs, or logical separation using strong
access control methods.
Example 1
You are an IT administrator responsible for preventing access to information system
management functions for your organization. Your company has a policy stating that system
management functionality must be separated from user functionality.
To comply with the policy, you provide physical protection by segregating certain functions
to separate servers and connect those servers to their own subnet. You limit access
to the separate servers so only approved system administrators can access them. They use
dedicated admin accounts, with a different username from their normal accounts, to log in to
these servers.
Example 2
You are an IT administrator responsible for preventing access to information system
management functions for your organization. Your company has a policy stating that system
management functionality must be separated from user functionality.
You log in to the servers using a standard account to perform your daily work. Occasionally,
you need to perform administrative tasks. To perform those tasks, you enter a command
that elevates your rights to a system administrator. You enter your administrator
credentials, which are different from your daily user account, to execute the administrative
tasks. When completed, you go back to using your standard account.
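The two intent bullets above, together with the separate admin accounts of Example 1, can be checked mechanically against the accounts a system actually has. The audit below is an added example and not part of the CMMC text; it assumes that membership in the groups `wheel` or `sudo` grants system management functionality, that dedicated admin accounts carry a `-adm` suffix, and that every daily-work account belongs to the `users` group, and it runs against constructed `/etc/passwd` and `/etc/group` data.

```python
# Assumptions, not from the CMMC text: membership in ADMIN_GROUPS grants system
# management functionality; dedicated admin accounts end in ADMIN_SUFFIX; every
# daily-work account belongs to GENERAL_USER_GROUP.
ADMIN_GROUPS = {"wheel", "sudo"}
ADMIN_SUFFIX = "-adm"
GENERAL_USER_GROUP = "users"

# Constructed sample data in /etc/passwd and /etc/group format (not a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:100:Jane Doe:/home/jdoe:/bin/bash
jdoe-adm:x:1002:1002:Jane Doe (admin):/home/jdoe-adm:/bin/bash
bsmith:x:1003:100:Bob Smith:/home/bsmith:/bin/bash
ops-adm:x:1005:100:Ops admin:/home/ops-adm:/bin/bash
"""
SAMPLE_GROUP = """\
wheel:x:10:jdoe-adm,bsmith
sudo:x:27:bsmith,ops-adm
users:x:100:
"""

def parse_passwd(text: str) -> dict[str, int]:
    """Map each account name to its primary GID."""
    return {f[0]: int(f[3]) for f in (line.split(":") for line in filter(None, text.splitlines()))}

def group_members(passwd_text: str, group_text: str) -> dict[str, set[str]]:
    """Map each group name to its full membership (supplementary plus primary)."""
    gid_to_name: dict[int, str] = {}
    members: dict[str, set[str]] = {}
    for line in filter(None, group_text.splitlines()):
        name, _, gid, raw = line.split(":")
        gid_to_name[int(gid)] = name
        members[name] = {m for m in raw.split(",") if m}
    for account, gid in parse_passwd(passwd_text).items():
        if gid in gid_to_name:  # primary-group membership is not listed in /etc/group
            members[gid_to_name[gid]].add(account)
    return members

def audit_separation(passwd_text: str, group_text: str) -> list[str]:
    """Return one finding per account that mixes daily-use and system management roles."""
    members = group_members(passwd_text, group_text)
    findings = []
    for account in sorted(parse_passwd(passwd_text)):
        admin_via = sorted(g for g in ADMIN_GROUPS if account in members.get(g, set()))
        dedicated_admin = account == "root" or account.endswith(ADMIN_SUFFIX)
        if admin_via and not dedicated_admin:
            findings.append(f"{account}: daily-use account holds admin rights via {', '.join(admin_via)}")
        if dedicated_admin and account in members.get(GENERAL_USER_GROUP, set()):
            findings.append(f"{account}: admin account is also provisioned as a general user")
    return findings
```

In the sample, `jdoe`/`jdoe-adm` is the compliant pairing from Example 1, while `bsmith` (a daily account with admin rights) and `ops-adm` (an admin account also provisioned as a general user) each violate one of the intent bullets.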
References
• NIST SP 800-171 Rev 1 3.13.3
• CIS Controls v7.1 4.3
• CERT RMM v1.2 KIM:SG2.SP2
• NIST SP 800-53 Rev 4 SC-2
• AU ACSC Essential Eight