Level 5 CMMC - CMMC Practices

AC.2.008  

Reference: CMMC 1.02

Family: AC

Level Introduced: 2

Practice:
Use non-privileged accounts or roles when accessing nonsecurity functions.

CMMC Clarification:
A user with a privileged account can perform more tasks and access more information than a person with a non-privileged account. This means that tasks performed when using the privileged account can have a greater impact on the system. You restrict administrator use of privileged accounts. Only those who perform a function that requires more access have a privileged account. This reduces the risk of unintentional harm to systems and data.

Example
As the IT administrator for your organization, you have two user accounts. One is a non- privileged account, which you use when performing non-privileged duties. These tasks include sending or receiving emails. The other is a privileged account, which you use only when performing administrative functions. Examples include troubleshooting a device or setting up new user accounts.

3.1.6

Use non-privileged accounts or roles when accessing nonsecurity functions.

Discussion:
This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Source: NIST Special Publication 800-171 Rev. 2

AC-6 (2)

LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS

Description:
The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.

Supplemental Guidance:
This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02