AC.L2-3.1.5 β Employ the Principle of Least Privilege
Control Intent
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Control Response
The organization employs the principle of least privilege to ensure that users, processes, and system accounts are granted only the minimum access necessary to perform their assigned duties within the CMMC enclave.
Access privileges are assigned based on defined roles that align with job responsibilities and contract requirements involving Controlled Unclassified Information (CUI). Users are not granted permissions beyond those required to perform authorized functions.
Privileged access, including administrative or security-related functions, is restricted to designated accounts and granted only to individuals with a documented need. Privileged permissions are not assigned to standard user accounts, and elevated access is not used for routine operational activities.
Temporary or elevated access, when required, is approved in advance and limited in scope and duration. Access privileges are adjusted or revoked promptly when job responsibilities change or access is no longer required.
Objective Responses
AC.5.009 β Least privilege is enforced
Access permissions are limited to the minimum necessary to perform authorized functions and are enforced through role-based access controls and privilege restrictions.
Evidence References
Evidence supporting this control includes role definitions, permission configurations, privileged account listings, access approval records, and access review documentation.
Continuous Monitoring
Access privileges are reviewed at least quarterly and upon role or personnel changes to ensure continued adherence to the principle of least privilege.
Common Findings
- Users granted excessive permissions
- Privileged access used for routine tasks
- Access not reviewed after role changes