Level 5 CMMC - CMMC Practices

AC.3.018  

Reference: CMMC 1.02

Family: AC

Level Introduced: 3

Practice:
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

CMMC Clarification:
Non-privileged users should not be given permissions other than those required to do their basic job function. Privileged users are granted additional permissions. They are employees given authorization to perform certain privileged functions involving the control, monitoring, or administration of the system including security functions. When these special privileged functions are performed, the activity should be captured in an audit log which can be used to identify abuse. Non-privileged employees should not be granted permission to perform any of the functions of a privileged user.

Example
As a system administrator for your organization you have security controls in place that prevent non-privileged users from performing privileged activities. However, you accidentally gave a standard user elevated system administrator privileges. The organization has implemented an endpoint detection and response solution that provides visibility into the use of privileged activities. This monitoring system logs the use of administrative privileges by an unapproved user allowing you to correct the error.

3.1.7

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Discussion:
Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2.

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

Source: NIST Special Publication 800-171 Rev. 2

AC-6 (9)

LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS

Description:
The information system audits the execution of privileged functions.

Supplemental Guidance:
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2.

AC-6 (10)

LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS

Description:
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Supplemental Guidance:
Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02