NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.5 — Least Privilege
Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks. Authorize access to {{ insert: param, A.03.01.05.ODP.01 }} and {{ insert: param, A.03.01.05.ODP.02 }}. Review the privileges assigned to roles or classes of users {{ insert: param, A.03.01.05.ODP.03 }} to validate the need for such privileges. Reassign or remove privileges, as necessary.
CMMC Practice Mapping
Assessment Objectives
- system access for users (or processes acting on behalf of users) is authorized only when necessary to accomplish assigned organizational tasks.
- access to {{ insert: param, A.03.01.05.ODP.01 }} is authorized.
- access to {{ insert: param, A.03.01.05.ODP.02 }} is authorized.
- the privileges assigned to roles or classes of users are reviewed {{ insert: param, A.03.01.05.ODP.03 }} to validate the need for such privileges.
- privileges are reassigned or removed, as necessary.
Practitioner Notes
Least privilege means giving people only the access they need to do their job — nothing more. If an accountant doesn't need access to engineering drawings, they shouldn't have it, even if giving everyone access seems easier.
Example 1: In Active Directory, remove all users from the local Administrators group on their workstations. Configure the GPO at Computer Configuration → Preferences → Control Panel Settings → Local Users and Groups to enforce this across the domain. Users who truly need elevated privileges should be given a separate admin account.
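To confirm that the policy in Example 1 is taking effect, and to support the periodic privilege review, compare each workstation's local Administrators membership against an approved list. The PowerShell below is an added example, not part of the original page; the function name `Get-UnexpectedLocalAdmin`, the approved list, and every SID and account name in it are constructed assumptions.

```powershell
# Added example. The approved list and sample members are constructed;
# all SIDs and account names are placeholders.

function Get-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        # Member objects exposing Name, SID and ObjectClass properties
        [Parameter(Mandatory)] [object[]] $Members,
        # SID wildcard patterns allowed to hold local administrator rights
        [Parameter(Mandatory)] [string[]] $ApprovedSidPatterns
    )
    foreach ($member in $Members) {
        $sid = [string]$member.SID
        # Match on SID rather than name: names can be renamed or localized
        $isApproved = $false
        foreach ($pattern in $ApprovedSidPatterns) {
            if ($sid -like $pattern) { $isApproved = $true; break }
        }
        if (-not $isApproved) {
            [pscustomobject]@{
                Name        = $member.Name
                SID         = $sid
                ObjectClass = $member.ObjectClass
            }
        }
    }
}

# Assumed policy: only these principals may be local administrators
$approved = @(
    'S-1-5-21-*-500'   # built-in Administrator account (RID 500)
    'S-1-5-21-*-512'   # Domain Admins (RID 512)
    'S-1-5-21-1111111111-2222222222-3333333333-4101'   # hypothetical "Workstation Admins" group
)

# Constructed sample of one workstation's Administrators group
$sample = @(
    [pscustomobject]@{ Name = 'WS01\Administrator'; SID = 'S-1-5-21-4444444444-5555555555-6666666666-500'; ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-512'; ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'EXAMPLE\Workstation Admins'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-4101'; ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1187'; ObjectClass = 'User' }    # daily-use account, not on the approved list
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-513'; ObjectClass = 'Group' }   # broad group, not on the approved list
)

# On a live workstation, replace $sample with: Get-LocalGroupMember -SID 'S-1-5-32-544'
Get-UnexpectedLocalAdmin -Members $sample -ApprovedSidPatterns $approved |
    Format-Table -AutoSize
```

Any row this returns is a principal with local administrator rights that the approved list does not cover, which makes the output usable as evidence for the review and removal objectives above.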
Example 2: In SharePoint Online, go to Site Settings → Site Permissions and audit who has "Full Control" vs. "Edit" vs. "Read." Most users only need Edit or Read access to the sites relevant to their projects. Review these permissions quarterly with each site owner to remove stale access.