NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(20) Privileged Users

Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions.

Practitioner Notes

Apply heightened monitoring to privileged users (administrators, security staff) because their elevated access makes them higher-risk targets and potential insider threats.

Example 1: Enable enhanced auditing for all administrative accounts. Log every action they take — every command, every file accessed, every configuration change. Forward these logs to a SIEM instance that the admins being monitored cannot access or modify.

Example 2: Use Azure AD Privileged Identity Management (PIM) with session recording. When an admin activates a privileged role, their entire session is recorded. Require justification for each privilege activation and send notifications to security leadership.
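The log review behind Example 1, as an added illustration that is not part of NIST's text or the original page: it parses sudo syslog lines for a watchlist of admin accounts, records every command they ran, and flags commands that touch the local audit or log pipeline. The account names, the watchlist, the tamper patterns and the sample lines are constructed assumptions.

```python
import re

# Assumption: admin accounts under heightened monitoring (hypothetical names).
MONITORED_ADMINS = {"alice", "bob"}

# Assumption: commands touching the local audit/log pipeline raise an alert,
# because monitored admins should not be able to alter their own trail.
TAMPER = re.compile(r"\b(auditd|auditctl|rsyslog|journald)\b|/etc/audit|/var/log/")

# sudo's syslog line: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def review(lines):
    """Return (actions, alerts) for monitored admins found in sudo log lines."""
    actions, alerts = [], []
    for line in lines:
        m = SUDO.search(line)
        if not m or m["user"] not in MONITORED_ADMINS:
            continue  # not a sudo record, or not an account on the watchlist
        event = {"user": m["user"], "runas": m["runas"], "command": m["cmd"].strip()}
        actions.append(event)          # every command is kept for the SIEM
        if TAMPER.search(event["command"]):
            alerts.append(event)       # subset that needs immediate review
    return actions, alerts

# Constructed sample lines (not from a real system).
SAMPLE = [
    "Nov 14 10:02:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Nov 14 10:05:40 host1 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt update",
    "Nov 14 10:09:03 host1 sudo:      bob : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd",
    "Nov 14 10:09:30 host1 sudo:      bob : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/truncate -s 0 /var/log/auth.log",
    "Nov 14 10:10:00 host1 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    actions, alerts = review(SAMPLE)
    print(f"{len(actions)} privileged actions recorded")
    for a in alerts:
        print(f"ALERT {a['user']} as {a['runas']}: {a['command']}")
```

Run this on the collector or SIEM side, against the forwarded copy of the logs, so the accounts being reviewed cannot edit the input.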