AC.3.018

Control Acronym

AC

Family

Access Control

CMMC Level

3

800-171 Control #

3.1.7

CMMC Description

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

CMMC Clarification

Non-privileged users should not be given permissions other than those required to do their basic job functions. Privileged users are granted additional permissions. They are employees given authorization to perform certain privileged functions involving the control, monitoring, or administration of the system including security functions. When these special privileged functions are performed, the activity should be captured in an audit log which can be used to identify abuse. Non-privileged employees should not be granted permission to perform any of the functions of a privileged user. Example As a system administrator for your organization you have security controls in place that prevent non-privileged users from performing privileged activities. However, you accidentally gave a standard user elevated system administrator privileges. The organization has implemented an endpoint detection and response solution that provides visibility into the use of privileged activities. This monitoring system logs the use of administrative privileges by an unapproved user allowing you to correct the error.

800-171 Description

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

800-171 Discussion

Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non- privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-6(9), AC-6(10)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.7

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-4

CERT RMM Reference

CERT RMM v1.2 KIM:SG4.SP1

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

AC.3.018.[a] privileged functions are defined;

Assessment Sub-Criteria 2

AC.3.018.[b] non-privileged users are defined;

Assessment Sub-Criteria 3

AC.3.018.[c] non-privileged users are prevented from executing privileged functions; and

Assessment Sub-Criteria 4

AC.3.018.[d] the execution of privileged functions is captured in audit logs.

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15