NIST SP 800-171 Rev 2 practice 3.13.3 requires organizations to separate user-facing functionality from system management functionality, preventing regular users from accessing administrative interfaces, management consoles, or privileged configuration mechanisms. This separation is typically achieved through logical or physical controls such as dedicated management networks, separate virtual LANs (VLANs), role-based access controls, and distinct administrative workstations. The practice addresses the risk that a compromised or malicious user account could be used to pivot into administrative interfaces and alter system configurations, escalate privileges, or disrupt operations. By maintaining clear boundaries between ordinary user activities and privileged management activities, organizations limit lateral movement and reduce the blast radius of a user-level compromise. This requirement is grounded in NIST SP 800-171 Rev 2 Section 3.13.3 and supports the broader System and Communications Protection domain objective of enforcing architectural security.
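The separation this practice requires can be verified rather than assumed. The following is an added example, not text or tooling from NIST SP 800-171 or from this page: a small first-match policy evaluator in Python that probes whether any user VLAN can reach management-plane ports, with a weak ruleset beside a hardened one. All addresses, ports and rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    ports: Optional[Set[int]]   # destination TCP ports; None = any port

# Constructed sample addressing, not taken from the page or any real network.
MGMT_PORTS = {22, 443, 8443}                   # SSH and HTTPS admin consoles
MGMT_HOSTS = ip_network("10.0.99.0/24")        # management VLAN
ADMIN_VLAN = "10.0.10.0/24"                    # dedicated admin workstations
USER_VLANS = ["10.0.20.0/24", "10.0.21.0/24"]  # ordinary user VLANs

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.ports is None or port in r.ports)):
            return r.action
    return "deny"

def audit_separation(rules):
    """Return (user_vlan, port) pairs where a user VLAN reaches a management port."""
    violations = []
    probe_dst = str(MGMT_HOSTS[1])
    for vlan in USER_VLANS:
        probe_src = str(ip_network(vlan)[10])  # one representative host per VLAN
        for port in sorted(MGMT_PORTS):
            if decide(rules, probe_src, probe_dst, port) == "allow":
                violations.append((vlan, port))
    return violations

def admin_can_manage(rules):
    """Check that the separation did not also lock out the admin VLAN."""
    src = str(ip_network(ADMIN_VLAN)[5])
    return all(decide(rules, src, str(MGMT_HOSTS[1]), p) == "allow" for p in MGMT_PORTS)

# Weak: one broad "internal to internal" allow also exposes the management VLAN.
WEAK_RULES = [Rule("allow", "10.0.0.0/8", "10.0.0.0/8", None)]

# Hardened: the admin VLAN may reach management ports; every other internal
# source is denied before the broad allow is evaluated.
HARDENED_RULES = [
    Rule("allow", ADMIN_VLAN, str(MGMT_HOSTS), MGMT_PORTS),
    Rule("deny", "10.0.0.0/8", str(MGMT_HOSTS), None),
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8", None),
]
```

Running `audit_separation` against both rulesets shows the weak one exposes every management port to both user VLANs, while the hardened one reports no violations and `admin_can_manage` still returns True.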
Where it stops · what it isn't
- This practice does not govern the encryption of data in transit between users and systems; that is addressed by SC-L2-3.13.8.
- This practice does not define the specific access control policies for who is authorized to perform system management; that falls under the Access Control domain (AC-L2-3.1.x).
- This practice does not address network boundary protection between organizational networks and external networks, which is covered by SC-L2-3.13.1 and SC-L2-3.13.2.
- This practice does not mandate specific technologies; it requires the outcome of separation, not a prescribed tool or architecture.
- This practice does not cover the management of privileged accounts themselves; that is addressed under AC-L2-3.1.6 and related access control practices.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: domain/system-and-communications-protection