CMMC 1.0 Practice AC.2.007 Requirement:
Employ the principle of least privilege, including for specific security functions and privileged accounts.
CMMC 1.0 AC.2.007 Requirement Explanation:
The principle of least privilege means restricting user accounts, devices, or services to only the privileges needed to perform their intended function. By limiting the privileges an account has, you limit the security risk associated with that account. For example, an unprivileged account cannot install software onto a system or modify its settings; as a result, it poses less of a risk than a privileged account that can.
Example CMMC 1.0 AC.2.007 Implementation:
Only provide system users the privileges necessary to complete their work. Create user security groups representing the different job roles in your company. Assign each group the fewest privileges that still allow its members to complete their work. Reserve administrative privileges for a limited number of employees; this generally means IT staff. Revoke administrative rights from as many users as possible. Document any exceptions together with the business need that justifies them.
CMMC 1.0 AC.2.007 Scenario(s):
- Scenario 1:
Alice, a system administrator, has decided to revoke local admin rights from the majority of her company's employees, because they do not need admin rights to complete their assigned work. Their work generally consists of responding to emails and creating Word documents. Because admin rights were revoked, they can no longer change important settings on their workstations, and they cannot install software without Alice's permission.
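A report-first way to carry out the revocation described in the implementation guidance and in Scenario 1, as an added PowerShell example that is not part of this CMMC text: it lists the members of a workstation's local Administrators group, flags any member that is missing from a documented allow-list, and removes those members only when -Enforce is passed. The allow-list entries and the domain name CONTOSO are placeholders, and the script assumes an elevated session on Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets are available.

```powershell
# Added example (not part of the CMMC practice text): audit the local
# Administrators group against a documented allow-list and optionally remove
# members that are not on it. Assumes the built-in
# Microsoft.PowerShell.LocalAccounts module and an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts that keep admin rights, written as "COMPUTER\User" or "DOMAIN\Group".
    # The default list is a constructed placeholder; each real entry should be
    # documented with its business need, as the practice requires.
    [string[]]$ApprovedAdmins = @(
        "$env:COMPUTERNAME\Administrator",
        "CONTOSO\Domain Admins",
        "CONTOSO\Workstation Admins"
    ),
    # Default is report-only; pass -Enforce to actually remove members.
    [switch]$Enforce
)

# Enumerate current members (local users, domain users and domain groups).
$members = Get-LocalGroupMember -Group 'Administrators'

# Build a small report: one row per member, marked approved or not.
# -contains compares strings case-insensitively, matching Windows account names.
$report = foreach ($m in $members) {
    [pscustomobject]@{
        Member   = $m.Name
        Type     = $m.ObjectClass
        Source   = $m.PrincipalSource
        Approved = ($ApprovedAdmins -contains $m.Name)
    }
}

# Show the current state so the exceptions list can be reconciled with it.
$report | Format-Table -AutoSize

# Warn about, or with -Enforce remove, every member outside the allow-list.
# ShouldProcess keeps -WhatIf / -Confirm working for a dry run.
foreach ($u in ($report | Where-Object { -not $_.Approved })) {
    if ($Enforce -and $PSCmdlet.ShouldProcess($u.Member, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $u.Member
        Write-Output "Removed $($u.Member) from Administrators"
    } else {
        Write-Warning "$($u.Member) holds local admin rights but is not on the approved list"
    }
}
```

Run it without switches first to produce the report for the exceptions document, then with -Enforce -WhatIf to preview removals before applying them.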