Least Privilege

Least privilege is the security principle that every user, program, and system process should have only the minimum access rights needed to perform its specific job function, and nothing more. If an employee doesn't need administrator access to do their work, they shouldn't have it. If a system doesn't need access to Controlled Unclassified Information (CUI), it shouldn't be able to reach it.

Implementing least privilege means regularly reviewing access rights, removing unnecessary permissions, using standard user accounts for daily work (not admin accounts), and segmenting access to sensitive data. It limits the damage an attacker can do if they compromise any single account or system.
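One way to run the access review described above, shown as an added example that is not part of the original page: it compares each account's granted permissions with a per-role baseline and with last-use dates. The role names, permission strings, 90-day threshold, and account records are all constructed assumptions.

```python
from datetime import date

# Hypothetical role baselines: the minimum permissions each job function needs.
ROLE_BASELINE = {
    "engineer": {"repo:read", "repo:write"},
    "contracts": {"cui:read", "crm:read"},
    "it-admin": {"repo:read"},
}
ADMIN_PERMS = {"domain:admin"}  # assumed to belong only on dedicated admin accounts
STALE_DAYS = 90                 # assumed threshold for "no longer needed"

# Constructed sample: (account, role, is_admin_account, {permission: last_used})
ACCOUNTS = [
    ("alice", "engineer", False, {"repo:read": date(2024, 5, 28),
                                  "repo:write": date(2024, 5, 30),
                                  "cui:read": None}),
    ("bob", "it-admin", False, {"repo:read": date(2024, 5, 1),
                                "domain:admin": date(2024, 5, 29)}),
    ("bob-adm", "it-admin", True, {"domain:admin": date(2024, 5, 29)}),
    ("carol", "contracts", False, {"cui:read": date(2024, 5, 20),
                                   "crm:read": date(2023, 11, 2)}),
]

def review(accounts, today):
    """Return (account, permission, reason) for every grant that needs action."""
    findings = []
    for name, role, is_admin_account, grants in accounts:
        baseline = ROLE_BASELINE.get(role, set())
        for perm, last_used in sorted(grants.items()):
            if perm in ADMIN_PERMS:
                # Admin rights are acceptable only on a separate admin account.
                if not is_admin_account:
                    findings.append((name, perm, "admin right on daily-use account"))
            elif perm not in baseline:
                reason = "not in role baseline"
                if perm.startswith("cui:"):
                    reason = "CUI access outside role baseline"
                findings.append((name, perm, reason))
            elif last_used is None or (today - last_used).days > STALE_DAYS:
                # In the baseline but unused: confirm the need before keeping it.
                findings.append((name, perm, "unused, confirm still needed"))
    return findings

if __name__ == "__main__":
    for account, perm, reason in review(ACCOUNTS, date(2024, 6, 1)):
        print(f"{account:8} {perm:13} {reason}")
```
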

Why It Matters

Least privilege is a core requirement across CMMC and NIST frameworks. Many breaches escalate because compromised accounts had more access than needed. Enforcing least privilege is one of the most effective ways to limit the blast radius of a security incident.
