Back to Control Explorer



Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Separate user functionality from system management functionality.

CMMC Clarification

Prevent user functionality and services from accessing system management functionality on IT components, e.g., databases, network components, workstations, servers. This reduces the attack surface to those critical interfaces by limiting who can access them and how they can be accessed. This can be achieved through both logical and physical methods using computers, CPUs, operating system, network addresses or a combination of these methods. By separating the user functionality from system management functionality, the administrator or privileged functions are not available to the general user. The intent of this practice is to ensure: * general users are not permitted to perform system adminstation functions * system administrators only perform system administration functions from their privileged account. This can be accomplished using separation like VLANs or logical separation using strong access control methods. Example 1 You are an IT administrator responsible for preventing access to information system management functions for your organization. Your company has a policy stating that system management functionality must be separated from user functionality. To comply with the policy, you provide physical protection by segregating certain functions to separate servers and connect those servers to their own sub-net network. You limit access to the separate servers so only approved system administrators can access them. They use special admin accounts with a different username from their normal accounts to login to these servers.

800-171 Description

Separate user functionality from system management functionality.

800-171 Discussion

System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

Other Source Discussion


CIS Control References

CIS Controls v7.1 4.3

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-2

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.3

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

AU ACSC Essential Eight


Assessment Sub-Criteria 1

SC.3.181.[a] user functionality is identified;

Assessment Sub-Criteria 2

SC.3.181.[b] system management functionality is identified; and

Assessment Sub-Criteria 3

SC.3.181.[c] user functionality is separated from system management functionality.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15