Least Privilege

NIST SP 800-171 Least Privilege Requirements

What does “Least Privilege” mean and what are the associated NIST SP 800-171 requirements?


What is the Principle of “Least Privilege”?

According to the NIST glossary, the principle of least privilege is “the principle that users and programs should only have the necessary privileges to complete their tasks.”
Here is an example: all employees are provided with Microsoft 365 accounts; however, only the employees who are system administrators are given administrative privileges in Microsoft 365.
Another example is revoking local administrator privileges from employees on their computers while making an exception for developers whose work requires them.
The goal behind the principle of least privilege is to ensure that only a few individuals have administrative privileges on an information system, to limit both accidental and intentional harm. The fewer privileged accounts there are, the lower the probability that a threat actor compromises one and abuses its privileges to cause a security incident.
The principle of least privilege also applies to programs and applications. For example, you download a photo editing application onto your phone. The app asks for access to your photos, and you approve the request because it needs them for editing. When the app asks for access to your microphone and location, you deny the request, since editing photos requires neither. The app is now running with least privilege on your phone.

NIST SP 800-171 Least Privilege Requirement

NIST SP 800-171 security control 3.1.5 states “Employ the principle of least privilege, including for specific security functions and privileged accounts.”
To meet this requirement you need to ensure that:
  • The privileges granted to a user account are consistent with the account owner’s assigned duties.
  • The privileges granted to applications are kept to the minimum they need to function.
  • The privileges assigned to user accounts are reviewed regularly, and any privilege no longer justified by the owner’s duties is removed.
  • Privileges are granted through security groups tied to roles rather than directly to individual accounts, so that membership can be reviewed and revoked in one place.
  • System capabilities such as User Account Control (UAC) on Windows are used, so that even administrators run with a standard user token by default and elevate only when a task requires it.
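The review step above is easiest to do consistently when it is scripted. The following is an added example, not code from the original article or from any product: it compares a constructed export of account privileges against an assumed role-to-privilege baseline, flags privileges the role does not justify, flags approved exceptions whose expiry date has lapsed, and lists who holds each administrative privilege so the "few individuals" goal can be checked. The role names, group names, sample users and the exception policy are all assumptions for illustration; a real review would feed it an export such as the output of `Get-LocalGroupMember` or a Microsoft 365 role-assignment report.

```python
from datetime import date

# Assumed role-to-privilege baseline: the privileges each duty actually needs.
ROLE_BASELINE = {
    "staff":     {"M365-User"},
    "developer": {"M365-User", "Local-Admin"},   # the article's developer exception, made explicit
    "sysadmin":  {"M365-User", "Local-Admin", "M365-GlobalAdmin"},
}

# Privileges that count as administrative and whose holders should stay few.
PRIVILEGED = {"Local-Admin", "M365-GlobalAdmin"}

# Constructed sample export with hypothetical users; in practice this would come
# from e.g. Get-LocalGroupMember output or a Microsoft 365 role-assignment report.
ACCOUNTS = [
    {"user": "alice",      "role": "sysadmin",  "privs": {"M365-User", "Local-Admin", "M365-GlobalAdmin"}},
    {"user": "bob",        "role": "staff",     "privs": {"M365-User", "Local-Admin"}},
    {"user": "carol",      "role": "developer", "privs": {"M365-User", "Local-Admin"}},
    {"user": "dave",       "role": "staff",     "privs": {"M365-User", "M365-GlobalAdmin"}},
    {"user": "eve",        "role": "developer", "privs": {"M365-User", "Local-Admin", "M365-GlobalAdmin"}},
    {"user": "svc-backup", "role": "service",   "privs": {"Local-Admin"}},
]

# Approved deviations from the baseline, each with an expiry date (assumed policy).
EXCEPTIONS = {
    ("bob", "Local-Admin"):      date(2024, 1, 31),   # lapsed
    ("eve", "M365-GlobalAdmin"): date(2025, 12, 31),  # still valid
}

# Constructed review date, chosen so the lapsed exception above is visible.
REVIEW_DATE = date(2024, 6, 1)


def review(accounts, baseline=ROLE_BASELINE, exceptions=EXCEPTIONS, today=None):
    """Return (user, privilege, code) findings for privileges the role does not justify.

    Codes: NO_BASELINE (the role has no defined needs, so it cannot be reviewed),
    UNJUSTIFIED (privilege outside the role with no approved exception),
    EXPIRED (an exception exists but its expiry date has passed).
    """
    today = today or date.today()
    findings = []
    for acct in accounts:
        allowed = baseline.get(acct["role"])
        if allowed is None:
            findings.append((acct["user"], None, "NO_BASELINE"))
            continue
        for priv in sorted(acct["privs"] - allowed):
            expiry = exceptions.get((acct["user"], priv))
            if expiry is None:
                findings.append((acct["user"], priv, "UNJUSTIFIED"))
            elif expiry < today:
                findings.append((acct["user"], priv, "EXPIRED"))
    return findings


def privileged_holders(accounts, privileged=PRIVILEGED):
    """Map each administrative privilege to the sorted list of users holding it."""
    holders = {p: [] for p in sorted(privileged)}
    for acct in accounts:
        for priv in acct["privs"] & privileged:
            holders[priv].append(acct["user"])
    return {p: sorted(users) for p, users in holders.items()}


if __name__ == "__main__":
    for user, priv, code in review(ACCOUNTS, today=REVIEW_DATE):
        print(f"{code:12} {user:12} {priv or '-'}")
    for priv, users in privileged_holders(ACCOUNTS).items():
        print(f"{priv}: {len(users)} holder(s) -> {', '.join(users)}")
```

Run against the sample export, the review flags bob (a lapsed local admin exception), dave (a global admin right that the staff role does not justify) and svc-backup (a service account with no baseline at all, which is itself a finding: an account whose needs nobody has defined cannot be shown to be least-privileged). Keeping the baseline in a file under change control turns each later review into a diff against the previous one.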
 
