CMMC Practice AC-L2-3.1.5, derived from NIST SP 800-171 Rev 2 requirement 3.1.5, mandates that organizations employ the principle of least privilege — granting users, processes, and devices only the minimum access rights needed to perform their assigned functions and no more. The practice requires organizations to first identify all privileged accounts (those with elevated rights such as domain admins, system admins, root accounts, and service accounts) and all security functions (such as audit management, patch deployment, firewall rule changes, and user provisioning). Once identified, access to these privileged accounts and security functions must be explicitly authorized, documented, and limited to personnel whose roles operationally require that elevation. Temporary elevation must be controlled and time-bounded rather than persistent. This practice directly addresses CUI exposure risk by ensuring that the blast radius of any single compromised credential or insider threat is minimized.
Where it stops · what it isn't
- Does NOT govern general user access to CUI data directly — that is addressed by AC-L2-3.1.1 and AC-L2-3.1.2
- Does NOT require technical enforcement of attribute-based or mandatory access controls — those are addressed in higher maturity tiers
- Does NOT address physical access restrictions to server rooms or hardware — that falls under the Physical Protection (PE) domain
- Does NOT cover session termination or idle timeout controls — those are addressed in AC-L2-3.1.10 and AC-L2-3.1.11
- Does NOT address network segmentation or boundary controls for privileged management traffic — those fall under System and Communications Protection (SC)