CMMC Practice Requirement:

Separate user functionality from system management functionality.

CMMC Requirement Explanation:

This requirement has two primary objectives. The first is to prevent employees who do not have system administration responsibilities from holding admin rights. The second is to require admins to use their admin accounts only when performing system administration functions. Each admin is to have both a regular user account for day-to-day work and a separate admin account.

Example CMMC Implementation:

Review which users have administrative privileges. Determine whether each of those users actually requires administrative privileges. If they do not, revoke them. For the users that do require administrative privileges, create for each of them an unprivileged user account and a separate admin account. Document a policy requiring this. Only allow the admin accounts to carry out system management functions; this can be enforced using user security groups. Only allow system administrators to access the systems and servers that make up your IT infrastructure. Examples include limiting logon to Active Directory servers and limiting access to the admin interfaces of network devices.
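The review step above can be run as a report against Active Directory. The script below is an added example, not part of the original page or any product it describes; it assumes the ActiveDirectory PowerShell module is installed, that dedicated admin accounts follow a constructed naming convention of "<username>-adm" (adjust to your own policy), and that enforcement of who may log on where is handled separately through group membership and logon-rights policy, which this script only reports on and does not change.

```powershell
# Added example: audit privileged AD groups and check that each admin has
# a separate unprivileged account. Assumes the ActiveDirectory module and a
# constructed "<username>-adm" naming convention for admin accounts.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$AdminSuffix      = '-adm'   # assumed naming convention for dedicated admin accounts

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are included
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.SamAccountName -Properties Enabled, LastLogonDate

        if ($User.SamAccountName -notlike "*$AdminSuffix") {
            # A privileged account outside the admin naming convention is most likely
            # someone's everyday account holding admin rights: review and revoke, or
            # move the rights to a dedicated admin account.
            [pscustomobject]@{
                Group     = $Group
                Account   = $User.SamAccountName
                Enabled   = $User.Enabled
                LastLogon = $User.LastLogonDate
                Finding   = 'Privileged account does not follow admin naming convention'
            }
            continue
        }

        # Dedicated admin account: confirm the paired unprivileged account exists,
        # otherwise the admin is forced to use the admin account for daily work.
        $StandardName = $User.SamAccountName -replace "$AdminSuffix$", ''
        $Standard = Get-ADUser -Filter "SamAccountName -eq '$StandardName'" -ErrorAction SilentlyContinue
        if (-not $Standard) {
            [pscustomobject]@{
                Group     = $Group
                Account   = $User.SamAccountName
                Enabled   = $User.Enabled
                LastLogon = $User.LastLogonDate
                Finding   = "No paired unprivileged account '$StandardName' found"
            }
        }
    }
}

# Each row is an account to review: revoke the rights or create the missing pair.
$Findings | Sort-Object Group, Account | Format-Table -AutoSize
```

Keep the output with the documented policy as evidence of the review; an empty report means every privileged account follows the convention and has a paired unprivileged account.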


- Scenario 1:

A system admin wants to log on to the Active Directory server to make some changes. They attempt to log in with their unprivileged user account but are unable to. They then try logging in with their admin account and are allowed in. As a result, user functionality was separated from system management functionality.
