NIST 800-53 REV 5 • ACCESS CONTROL

AC-2(7) Privileged User Accounts

(a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles or attributes; and (d) Revoke access when privileged role or attribute assignments are no longer appropriate.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.

Practitioner Notes

Privileged accounts (domain admins, local administrators, root, cloud global admins) get extra scrutiny under this enhancement: keep an inventory of every privileged account and the role or attribute that grants its privilege, review assignments on a fixed schedule and whenever they change, and revoke any privilege its holder no longer needs. The control also asks you to monitor changes to the roles or attributes themselves, so alert on additions to privileged groups as they happen rather than discovering them only at the next review.

Example 1: In Active Directory, run Get-ADGroupMember -Identity "Domain Admins" -Recursive monthly and compare the result against your approved privileged access roster. Use -Recursive, because the default call lists only direct members and a user nested through another group would be missed; review the other built-in privileged groups (Enterprise Admins, Schema Admins, Administrators, Account Operators, Backup Operators) the same way. Any account not on the approved list is removed immediately; a nested member has to be removed from the nested group, or the nested group from the privileged one. Document the review with a signed memo from your ISSM, and alert on membership changes to these groups between reviews so an addition does not sit unnoticed for a month.
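The review in Example 1, carried through as a PowerShell script (an added example, not part of the NIST control text or any vendor documentation). It assumes the ActiveDirectory RSAT module, an account that can read the listed groups and, for the removal step, modify them, and a roster CSV at a hypothetical path C:\PrivAccess\approved-privileged.csv with the columns Group,SamAccountName. It goes beyond the single Get-ADGroupMember call in the text: it covers the other built-in privileged groups, expands nested membership, separates direct members (which can be removed here) from nested ones (which need follow-up at the nested group), and writes the evidence file for the review memo.

```powershell
# Added example for the AC-2(7) privileged group review. Paths, roster format and
# group list are assumptions; adjust them to your domain.
Import-Module ActiveDirectory

# Hypothetical locations: roster CSV has columns Group,SamAccountName.
$RosterPath = 'C:\PrivAccess\approved-privileged.csv'
$ReportPath = 'C:\PrivAccess\review-{0:yyyy-MM-dd}.csv' -f (Get-Date)

# Domain Admins is not the only group that confers domain-level privilege.
# Enterprise Admins and Schema Admins exist only in the forest root domain;
# drop them from the list when running this in a child domain.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$Roster = Import-Csv -Path $RosterPath

$Findings = foreach ($Group in $PrivilegedGroups) {
    $Approved = $Roster | Where-Object { $_.Group -eq $Group } |
                Select-Object -ExpandProperty SamAccountName

    # Direct members can be removed from this group. Anyone reached only via
    # -Recursive is nested and has to be fixed at the nested group instead.
    $Direct = (Get-ADGroupMember -Identity $Group).SamAccountName

    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate
            [pscustomobject]@{
                Group          = $Group
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                LastLogonDate  = $User.LastLogonDate   # stale admins are revocation candidates too
                DirectMember   = $Direct -contains $User.SamAccountName
                Approved       = $Approved -contains $User.SamAccountName
            }
        }
}

# Evidence for the signed review memo: full membership with the approval decision.
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation

# Revoke unapproved direct members. -WhatIf only prints the removals; drop it to apply.
$Findings | Where-Object { -not $_.Approved -and $_.DirectMember } | ForEach-Object {
    Remove-ADGroupMember -Identity $_.Group -Members $_.SamAccountName -Confirm:$false -WhatIf
}

# Unapproved nested members cannot be removed here; list them for follow-up.
$Findings | Where-Object { -not $_.Approved -and -not $_.DirectMember } |
    Format-Table Group, SamAccountName -AutoSize
```

Run it from a scheduled task on the review date, keep the CSV with the memo, and leave -WhatIf in place until someone has read the removal list; a scripted revocation against Domain Admins is exactly the kind of change this control wants a human to confirm.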

Example 2: Deploy Privileged Identity Management (PIM) in Microsoft Entra ID (formerly Azure AD) and convert Global Administrator and Exchange Administrator assignments from permanent active to eligible. An eligible user holds no standing privilege; to use the role they must activate it with a business justification and MFA, and the role's PIM settings cap how long an activation lasts (set the maximum activation duration to 8 hours). Every activation, assignment and settings change is written to the audit log, which is what the monitoring and revocation parts of this enhancement run on.
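Before converting assignments as in Example 2, you need to know who still holds a permanent active assignment. The following is an added example (not from the page or from Microsoft's documentation) that lists them via the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.DirectoryObjects modules, a Graph connection with RoleManagement.Read.Directory and Directory.Read.All, and that the cmdlet and property names below match the installed SDK version; the two role template IDs are Microsoft's fixed well-known values.

```powershell
# Added example: find permanent active (non-PIM-eligible) Global Administrator and
# Exchange Administrator assignments. Cmdlet/property names assume the current
# Microsoft.Graph SDK; verify with Get-Command if your version differs.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Well-known role template IDs (identical in every tenant).
$Roles = @{
    'Global Administrator'   = '62e90394-69f5-4237-9190-012177145e10'
    'Exchange Administrator' = '29232cdf-9323-42fd-ade2-1d097af3e4de'
}

$Findings = foreach ($Name in $Roles.Keys) {
    $RoleId = $Roles[$Name]
    # Assignment schedule instances are what is active right now. An 'Assigned'
    # instance with no end date is a permanent active assignment, i.e. standing
    # privilege that PIM should replace with an eligible assignment.
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$RoleId'" |
        Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime } |
        ForEach-Object {
            # Principal may be a user or a group; resolve it generically.
            $Principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
            [pscustomobject]@{
                Role        = $Name
                Principal   = $Principal.AdditionalProperties['displayName']
                PrincipalId = $_.PrincipalId
                MemberType  = $_.MemberType   # Direct, or Group when granted via group membership
            }
        }
}

$Findings | Format-Table -AutoSize
```

Each row is a conversion candidate: remove the permanent active assignment and create an eligible one in its place, then set the role's activation settings (justification, MFA, 8-hour maximum) so the PIM policy, not the assignment, is what grants the privilege.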