Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Use non-privileged accounts or roles when accessing nonsecurity functions.

CMMC Clarification

A user with a privileged account can perform more tasks and access more information than a person with a non-privileged account. This means that tasks performed when using the privileged account can have a greater impact on the system. You restrict administrator use of privileged accounts. Only those who perform a function that requires more access have a privileged account. This reduces the risk of unintentional harm to systems and data. Example As the IT administrator for your organization, you have two user accounts. One is a nonprivileged account, which you use when performing non-privileged duties. These tasks include sending or receiving emails. The other is a privileged account, which you use only when performing administrative functions. Examples include troubleshooting a device or setting up new user accounts.

800-171 Description

Use non-privileged accounts or roles when accessing nonsecurity functions.

800-171 Discussion

This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Other Source Discussion


CIS Control References

CIS Controls v7.1 4.3, 4.6

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-6(2)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.6

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

UK NCSC Cyber Essentials

AS ACSC Reference


Assessment Sub-Criteria 1

AC.2.008.[a] nonsecurity functions are identified; and

Assessment Sub-Criteria 2

AC.2.008.[b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15