NIST 800-53 REV 5 • ACCESS CONTROL

AC-6(6) Privileged Access by Non-organizational Users

Prohibit privileged access to the system by non-organizational users.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

An organizational user is an employee or an individual considered by the organization to have the equivalent status of an employee. Organizational users include contractors, guest researchers, or individuals detailed from other organizations. A non-organizational user is a user who is not an organizational user. Policies and procedures for granting equivalent status of employees to individuals include a need-to-know, citizenship, and the relationship to the organization.

Practitioner Notes

Non-organizational users — contractors, vendors, partners — should never have privileged access to your systems. If they need elevated access for a specific task, it should be time-limited, monitored, and approved.

Example 1: Create a policy that explicitly prohibits adding contractor accounts to Domain Admins, Enterprise Admins, or any Tier 0 security group. If a contractor needs admin-level work done, have an employee perform it or use a PAM tool that records the entire session.

Example 2: In Azure AD, use B2B Guest Access for external users and configure a Conditional Access policy that blocks guest accounts from accessing admin portals entirely. Under Conditional Access → Users → Include → Guest or external users, target all admin apps and set the policy to Block.
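A detection check that complements both examples above, written as an added illustration (it is not part of the NIST control text or of this page's practitioner notes): it audits the membership of Tier 0 groups and flags any account that is not an organizational user. The group names, the sample membership list and the `ext-` naming prefix are constructed assumptions; the `#EXT#` marker in the UPN is how Azure AD / Entra ID forms guest (B2B) accounts in the home tenant, and `userType eq 'Guest'` is the more reliable test when querying the directory itself.

```powershell
# Added example: audit Tier 0 groups for non-organizational accounts (AC-6(6)).
# Assumptions: guest accounts carry "#EXT#" in their UPN (Azure AD B2B convention),
# and the organization prefixes locally created vendor accounts with "ext-" (hypothetical).

function Test-IsNonOrganizationalUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # "#EXT#" appears in the UPN of every B2B guest in the home tenant;
    # the "ext-" prefix is an assumed local naming convention, not a product feature.
    return ($UserPrincipalName -like '*#EXT#*') -or ($UserPrincipalName -like 'ext-*')
}

function Find-NonOrgPrivilegedMembers {
    param(
        [Parameter(Mandatory)][hashtable]$GroupMembers   # group name -> array of member UPNs
    )
    $findings = @()
    foreach ($group in $GroupMembers.Keys) {
        foreach ($upn in $GroupMembers[$group]) {
            if (Test-IsNonOrganizationalUser -UserPrincipalName $upn) {
                $findings += [pscustomobject]@{ Group = $group; UserPrincipalName = $upn }
            }
        }
    }
    return $findings
}

# Constructed sample membership so the script runs offline. In production, build this
# table from the directory instead, for example for on-prem AD:
#   Get-ADGroupMember -Identity $group -Recursive | Get-ADUser |
#       Select-Object -ExpandProperty UserPrincipalName
# and for Entra ID / Azure AD directory roles (Microsoft Graph PowerShell):
#   Get-MgDirectoryRoleMember -DirectoryRoleId $roleId
#   Get-MgUser -Filter "userType eq 'Guest'"   # authoritative guest check
$sample = @{
    'Domain Admins'     = @('alice@corp.example', 'ext-vendor1@corp.example')
    'Enterprise Admins' = @('bob@corp.example')
    'Tier0-Admins'      = @('carol_partner.example#EXT#@corp.onmicrosoft.com')
}

$violations = Find-NonOrgPrivilegedMembers -GroupMembers $sample
if ($violations.Count -eq 0) {
    Write-Output 'AC-6(6): no non-organizational accounts hold Tier 0 membership.'
} else {
    Write-Warning "AC-6(6) finding: $($violations.Count) non-organizational account(s) hold Tier 0 membership."
    $violations | Format-Table -AutoSize
}
```

With the constructed sample the script reports two findings (`ext-vendor1` in Domain Admins and the `#EXT#` guest in Tier0-Admins). Scheduling it and alerting on a non-empty result gives the continuous check behind Example 1; the Conditional Access block in Example 2 then covers guests who reach an admin portal by a path other than group membership.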