CMMC 1.0 Practice AC.2.007 Requirement:

Employ the principle of least privilege, including for specific security functions and privileged accounts.

CMMC 1.0 AC.2.007 Requirement Explanation:

The principal of least privilege means to restrict user accounts, devices, or services to only the privileges needed to perform their intended function. By limiting the privileges an account has you limit the security risks associated with the account. For example, an unprivileged account can not install software onto a system or modified it's settings as a result it poses less of a risk than a privileged account that can.

Example CMMC 1.0 AC.2.007 Implementation:

Only provide system users the privileges necessary to complete their work. Create user security groups representing the different job roles in your company. Assign the least amount of privileges necessary to the group allowing them to complete their work. Reserve administrative privileges to a limited number of employees. This generally includes IT staff. Revoke administrative rights from as many users as possible. Document any exceptions with a business need.

CMMC 1.0 AC.2.007 Scenario(s):

- Scenario 1:

Alice, a system administrator has decided to revoke local admin rights from the majority of her company's employees. This is because they do not need admin rights to complete their assigned work. Their work generally includes responding to emails and creating word documents. Because admin rights were revoked they can no longer change important settings on their workstations. They can not install software without Alice's permission either.
 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
Learn More
HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
Learn More
FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
Learn More
ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
Learn More