Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Employ the principle of least privilege, including for specific security functions and privileged accounts.

CMMC Clarification

You should apply the principle of least privilege to all users and processes on all systems. This means you assign the fewest permissions necessary for the user or process to accomplish their business function. Also, you: * restrict user access to only the machines and information needed to fulfill job responsibilities * limit what system configuration settings users can change, only allowing individuals with a business need to change them. Example As the IT administrator for your organization, you create accounts. You apply the fewest privileges necessary for the user or process to complete their task. This means you assign everyone a basic user role. This prevents a user from modifying system configurations. You also assign privileged access only to users and processes that need it, such as IT staff.

800-171 Description

Employ the principle of least privilege, including for specific security functions and privileged accounts.

800-171 Discussion

Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

Other Source Discussion


CIS Control References

CIS Controls v7.1 14.6

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-6, AC-6(1), AC-6(5)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.5

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

UK NCSC Cyber Essentials

AS ACSC Reference


Assessment Sub-Criteria 1

AC.2.007.[a] privileged accounts are identified;

Assessment Sub-Criteria 2

AC.2.007.[b] access to privileged accounts is authorized in accordance with the principle of least privilege;

Assessment Sub-Criteria 3

AC.2.007.[c] security functions are identified; and

Assessment Sub-Criteria 4

AC.2.007.[d] access to security functions is authorized in accordance with the principle of least privilege.

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15