NIST SP 800-171 & CMMC 2.0 Control 3.13.3 Requirement:

Separate user functionality from system management functionality.

NIST SP 800-171 & CMMC 2.0 3.13.3 Requirement Explanation:

This requirement has two primary objectives. The first is to prevent employees who don't have system administration responsibilities from having admin rights. The second is requiring admins to use their admin accounts when performing system admin functions. Admins are to have a regular user account and an admin account.

Example NIST SP 800-171 & CMMC 2.0 3.13.3 Implementation:

Review which users have administrative privileges. Determine if those users require administrative privileges. If they don't, revoke their administrative privileges. For the users that do require administrative privileges, create them an unprivileged user account and an admin account. Document a policy requiring this. Only allow their admin accounts to carry out system management functions. This can be accomplished using user security groups. Only allow system administrators to access systems and servers that deal with your IT infrastructure. Examples include limiting access to active directory servers and limiting access to the admin interfaces of network devices.

NIST SP 800-171 & CMMC 2.0 3.13.3 Scenario(s):

- Scenario 1:

A system admin wants to log onto the active directory server to make some changes. They attempt to log in with their unprivileged user account but are unable to log in. They then try logging in with their admin account and are allowed in. As a result user functionality was separated from system management functionality.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.