Access Control 3.1.6

Use non-privileged accounts or roles when accessing nonsecurity functions

What Is This CMMC Control?

Organizations must ensure that users operate with standard, non-privileged accounts when performing routine business functions that do not require elevated permissions. Privileged accounts (like administrator or root accounts) should only be used when performing security-related or administrative tasks that specifically require those elevated permissions. This reduces the risk of accidental or malicious damage to systems and data by limiting the exposure window when operating with elevated privileges.

Control Intent

Minimize the attack surface and reduce the potential impact of compromised credentials by ensuring users operate with the minimum necessary privileges for their current task. This control prevents the unnecessary use of privileged accounts for routine operations, thereby limiting opportunities for privilege escalation, malware execution with elevated permissions, and accidental system modifications.

Who This Control Applies To

  • All users who have been granted privileged accounts or roles within the CUI environment
  • All systems and applications within the CMMC assessment boundary that support user authentication and authorization
  • Workstations, servers, network devices, and cloud services where users perform both privileged and non-privileged functions
  • Service accounts and automated processes that may operate with elevated privileges

Not Applicable When

  • A user has no privileged accounts or roles assigned and operates exclusively with standard user permissions
  • A system or application does not support the concept of privileged versus non-privileged accounts (though this is rare and may indicate a control gap)
  • The organization has no users with administrative or elevated access rights (highly unlikely in practice)

Key Objectives

  1. Users perform routine business functions using accounts with standard, non-privileged access rights.
  2. Privileged accounts and roles are reserved exclusively for administrative and security-related functions that require elevated permissions.
  3. The organization enforces separation between privileged and non-privileged account usage through technical or procedural controls.

Sample Self-Assessment Questions (Partial)

Do any of your users have administrator, root, or other privileged accounts on systems that process or store CUI?

Are privileged accounts used for everyday tasks like email, web browsing, or document editing?

Implementation Approaches (High-Level)

Separate Privileged and Non-Privileged Accounts

Each user who requires administrative access is provisioned with two distinct accounts: a standard user account for routine business functions and a separate privileged account used exclusively for administrative tasks.

Privileged Access Workstations (PAWs)

Administrative users perform all privileged functions from dedicated, hardened workstations that are separate from their standard workstations used for routine business functions. This physical or virtual separation enforces the control at the device level.

Role-Based Access Control with Privilege Escalation

Users operate in non-privileged roles by default and temporarily escalate to privileged roles only when performing specific administrative tasks. Role changes are logged and time-limited.

Just-In-Time (JIT) Privileged Access

Privileged access is granted on-demand for specific time periods and automatically revoked after the task is completed or the time window expires. Users have no standing privileged access.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If separate privileged and non-privileged accounts do not exist, create a POA&M with milestones for provisioning separate accounts for all administrative users, starting with the highest-risk privileged accounts (e.g., domain administrators).
  • If privileged accounts are being used for routine functions, create a POA&M to implement technical controls (e.g., application whitelisting, network restrictions) that prevent privileged accounts from accessing email, web browsers, and other non-administrative applications.
  • If no monitoring exists to detect violations, create a POA&M to implement logging and alerting for privileged account usage, with milestones for deploying monitoring tools and establishing baseline acceptable use patterns.
  • If users are not trained on the requirement, create a POA&M to develop and deliver training on privilege separation, with milestones for training completion and policy acknowledgment.
  • If implementing Privileged Access Workstations, create a POA&M with milestones for procuring hardware, configuring and hardening PAWs, and transitioning administrative users to the new workflow.
  • If implementing a privileged access management solution, create a POA&M with milestones for vendor selection, deployment, integration with existing systems, and user onboarding.

Ensure POA&M milestones are realistic and account for the operational impact of changing how administrative users perform their work. Consider phased implementation starting with the most critical systems or highest-risk privileged accounts. Include compensating controls in the POA&M if full implementation will take significant time, such as increased monitoring or manual review of privileged account activity.
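The monitoring milestone above (logging and alerting on privileged account usage, then baselining acceptable use) can be prototyped with a small check over process-creation records. This is an added example, not from the page or from NIST; the "adm-" naming convention, the application list and the log format are constructed assumptions, and a real deployment would read the privileged set from directory group membership and the events from the endpoint telemetry pipeline.

```python
"""Detect privileged accounts starting nonsecurity applications (added example, constructed data)."""
import re
from collections import Counter

# Constructed convention: privileged accounts carry an "adm-" prefix or are the built-in Administrator.
# In a real deployment this set would come from the directory (e.g., membership of admin groups).
PRIVILEGED = {"adm-jsmith", "adm-kchen", "Administrator"}

# Constructed list of nonsecurity applications (email, browser, office) that need no elevated rights.
NONSECURITY_APPS = {"outlook.exe", "chrome.exe", "msedge.exe", "winword.exe", "teams.exe"}

# Constructed process-creation records in the form "<timestamp> host=<h> user=<u> image=<path>".
SAMPLE_LOG = """\
2024-03-04T09:12:01Z host=WS-101 user=jsmith image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
2024-03-04T09:15:44Z host=WS-101 user=adm-jsmith image=C:\\Windows\\System32\\mmc.exe
2024-03-04T09:17:09Z host=WS-101 user=adm-jsmith image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2024-03-04T10:02:30Z host=SRV-DC1 user=adm-kchen image=C:\\Windows\\System32\\mmc.exe
2024-03-04T10:05:12Z host=WS-204 user=Administrator image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
2024-03-04T10:07:58Z host=WS-204 user=kchen image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
not a well-formed record
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")

def parse_events(text):
    """Yield one dict per well-formed record; malformed lines are skipped rather than aborting the run."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def executable_name(image_path):
    """Reduce a full image path to its lower-cased file name so comparisons are case-insensitive."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_violations(text, privileged=PRIVILEGED, apps=NONSECURITY_APPS):
    """Return (timestamp, host, user, executable) for every nonsecurity app started by a privileged account."""
    return [
        (ev["ts"], ev["host"], ev["user"], executable_name(ev["image"]))
        for ev in parse_events(text)
        if ev["user"] in privileged and executable_name(ev["image"]) in apps
    ]

def violations_by_user(text, **kwargs):
    """Count violations per privileged account; useful when establishing a baseline of acceptable use."""
    return dict(Counter(user for _, _, user, _ in find_violations(text, **kwargs)))

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print("ALERT privileged account used for nonsecurity function:", *hit)
    print(violations_by_user(SAMPLE_LOG))
```

On the constructed records the check flags adm-jsmith launching a browser and Administrator launching a word processor, while the same applications under standard accounts and admin tooling under privileged accounts pass.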

Frequently Asked Questions

What qualifies as a 'privileged account' under this control?

A privileged account is any account with elevated permissions beyond those of a standard user, including administrator, root, domain admin, or any role that can modify system configurations, access sensitive data, or perform security-related functions. This includes both user accounts and service accounts with elevated privileges.

Can a user have just one account if they use privilege escalation tools like sudo?

Yes, if the organization implements privilege escalation mechanisms (such as sudo on Linux or UAC on Windows) that require explicit authentication and logging for administrative tasks, a single account can satisfy this control. The key requirement is that the user operates in a non-privileged state by default and only escalates privileges when necessary for specific administrative functions.
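Whether a single-account sudo setup meets the two conditions named in this answer (explicit authentication and logging) can be checked mechanically. The following is an added example, not from the page or from the sudo project: it lints a sudoers fragment for passwordless rules, unrestricted command sets, `!authenticate`, a missing logfile or `log_output`, and a non-zero `timestamp_timeout` (treating cached credentials as failing the "explicit authentication" requirement is this check's own assumption). Both fragments are constructed.

```python
"""Lint a sudoers fragment for explicit authentication on every escalation and for logging.
Added example with constructed fragments; it handles the directives used here, not full sudoers grammar."""
import re

# Weak fragment (constructed): passwordless escalation to any command, nothing logged.
WEAK_SUDOERS = """\
# admins can run anything without re-authenticating
%wheel ALL=(ALL) NOPASSWD: ALL
"""

# Corrected fragment (constructed): password on every escalation, command and I/O logging,
# and escalation limited to a named set of administrative commands instead of ALL.
HARDENED_SUDOERS = """\
Defaults timestamp_timeout=0
Defaults logfile=/var/log/sudo.log
Defaults log_output
Defaults use_pty
Cmnd_Alias ADMIN = /usr/bin/systemctl, /usr/sbin/useradd, /usr/bin/apt
%wheel ALL=(root) ADMIN
"""

ALIAS_KEYWORDS = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def _command_spec(rule):
    """Return the command list of a user specification with the runas group and tags removed."""
    spec = rule.split("=", 1)[1]
    spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)      # drop "(runas)"
    return re.sub(r"\b[A-Z]+:\s*", "", spec).strip()  # drop tags such as NOPASSWD:

def check_sudoers(text):
    """Return a list of findings; an empty list means the fragment passes every check."""
    # Comment stripping is line-based, so "#include" directives would be dropped too.
    lines = [s for s in (l.split("#", 1)[0].strip() for l in text.splitlines()) if s]
    defaults = " ".join(l for l in lines if l.startswith("Defaults"))
    findings = []
    if "!authenticate" in defaults:
        findings.append("authentication disabled via !authenticate")
    if not re.search(r"\btimestamp_timeout\s*=\s*0\b", defaults):
        findings.append("cached credentials: timestamp_timeout is not 0")
    if not re.search(r"\blogfile\s*=", defaults):
        findings.append("no sudo logfile configured")
    if not re.search(r"\blog_output\b", defaults):
        findings.append("no I/O logging (log_output) configured")
    for rule in (l for l in lines if not l.startswith(ALIAS_KEYWORDS) and "=" in l):
        if "NOPASSWD:" in rule:
            findings.append(f"passwordless escalation: {rule}")
        if _command_spec(rule) == "ALL":
            findings.append(f"unrestricted command set: {rule}")
    return findings
```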

Does this control apply to cloud administrator accounts?

Yes, this control applies to all privileged access including cloud platform administrators (AWS, Azure, GCP), SaaS application administrators, and any other elevated roles in cloud environments. Cloud administrators should use separate accounts or roles for routine cloud usage versus administrative infrastructure changes.

What are 'nonsecurity functions' that privileged accounts should not access?

Nonsecurity functions include routine business activities such as email, web browsing, document creation and editing, instant messaging, and general application use that does not require administrative privileges. Essentially, any task that a standard user can perform should not be done while using a privileged account.

How do we handle situations where administrators need to frequently switch between privileged and non-privileged tasks?

Organizations can implement privilege escalation mechanisms (sudo, UAC), Privileged Access Workstations, or just-in-time privileged access management solutions that make switching between privilege levels more seamless while maintaining the required separation. The specific approach depends on the organization's environment and risk tolerance.

What happens if we cannot immediately implement separate accounts for all privileged users?

If immediate implementation is not feasible, document the gap in a Plan of Action and Milestones (POA&M) with specific milestones for creating separate accounts, starting with the highest-risk privileged users. Implement compensating controls such as increased monitoring and logging of privileged account activity until full compliance is achieved. This is a Level 2 control, so assessors will expect a clear remediation plan with reasonable timelines.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.

Information sourced from NIST SP 800-171 Rev. 2.