NIST 800-53 REV 5 • ACCESS CONTROL

AC-2(9) Restrictions on Use of Shared and Group Accounts

Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.

Practitioner Notes

Shared and group accounts — like a generic "admin" or "front desk" login — are risky because you cannot tell who actually did what. This control puts restrictions on when and how you use them.

Example 1: Write a policy that prohibits shared accounts except where technically required (like a service account for an application). For any approved shared account, require check-out through a PAM tool like CyberArk or BeyondTrust. The PAM tool logs who checked it out and when.

Example 2: For Windows service accounts, switch to Group Managed Service Accounts (gMSA) in Active Directory. These are system-managed accounts with automatic password rotation that eliminate the need for humans to know the credentials. Configure them with New-ADServiceAccount -Name svc_app -DNSHostName svc.domain.com.
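As an added worked example (not from this page or any vendor documentation), the gMSA setup from Example 2 carried through end to end: the one-time KDS root key, a host group that is the only principal allowed to retrieve the password, the account itself, installation on an application host, and an audit query a reviewer can use to confirm no human principal can read the credential. The domain corp.example.com, group APP-Servers, host APP01 and account svc_app are assumed placeholder names.

```powershell
# Added example: provisioning a gMSA so that only designated hosts can retrieve
# its password and no person ever knows it. All names below are placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately still waits ~10 hours for replication before the key
# is usable by domain controllers; plan the rollout accordingly.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Restrict password retrieval to a security group of application hosts rather
# than individual computers, so adding a host is a reviewable group change.
$hostGroup = 'APP-Servers'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity 'APP01')

# Create the gMSA. Only members of $hostGroup may fetch the managed password,
# which AD rotates every 30 days with no human involvement.
New-ADServiceAccount -Name 'svc_app' `
    -DNSHostName 'svc_app.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# On each application host (after a reboot, so its Kerberos ticket reflects the
# new group membership): install the account and confirm it can be retrieved.
Install-ADServiceAccount -Identity 'svc_app'
Test-ADServiceAccount -Identity 'svc_app'

# Audit check for AC-2(9): list who may retrieve each gMSA password, so a
# reviewer can confirm only computer groups (no user principals) appear.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Select-Object Name, ManagedPasswordIntervalInDays,
        @{ n = 'AllowedPrincipals'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }
```

The final query is the evidence a control assessor would ask for: every gMSA with its rotation interval and the principals permitted to read its password.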