NIST SP 800-171 & CMMC 2.0 3.1.5 Requirement:
Employ the principle of least privilege, including for specific security functions and privileged accounts.
NIST SP 800-171 & CMMC 2.0 3.1.5 Requirement Explanation:
The principle of least privilege applies to all users and processes on all systems. Least privilege restricts user access to only the devices and information they need to perform their job role. It also restricts their account privileges to limit who can make changes to settings on systems.
Example NIST SP 800-171 & CMMC 2.0 3.1.5 Implementation:
Only provide system users the privileges necessary to complete their work. Create user security groups representing the different job roles in your company. Assign the least amount of privileges necessary to the group. Reserve administrative privileges to a limited number of employees. This generally includes IT staff.
NIST SP 800-171 & CMMC 2.0 3.1.5 Scenario(s):
- Scenario 1:
Alice, a system administrator has decided to revoke local admin rights from the majority of her company's employees. This is because they do not need admin rights to complete their assigned work. Their work generally includes responding to emails and creating word documents. Because admin rights were revoked they can no longer change important settings on their workstations. They can not install software without Alice's permission either.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.