AC.L2-3.1.5: Employing Least Privilege Access Controls
Least privilege is a foundational security principle that limits user access to only the minimum resources needed to perform their job. Under CMMC Level 2, you must enforce this principle across all accounts and systems, including administrative and privileged roles. Without proper implementation, overprovisioned access becomes a critical vulnerability in your security posture.
What this means
This control requires your organization to restrict user permissions to the absolute minimum necessary for job functions. This applies to regular users, system administrators, and service accounts. By limiting access rights, you reduce the attack surface and minimize damage if credentials are compromised. The principle extends to both data access and system functionality.
How to comply
- 1.Conduct a comprehensive access review across all systems and identify current user permissions
- 2.Define role-based access control (RBAC) policies aligned with job responsibilities
- 3.Remove unnecessary administrative rights from user accounts and separate privileged access
- 4.Implement privileged access management (PAM) tools for monitoring and controlling elevated accounts
- 5.Enforce multi-factor authentication (MFA) for all privileged accounts
- 6.Document access requirements and approval processes for elevated permissions
- 7.Perform quarterly access reviews to identify and revoke unnecessary permissions
- 8.Monitor privileged account activity and maintain audit logs
Evidence auditors look for
- Role-based access control (RBAC) matrix documenting job roles and assigned permissions
- User access inventory showing current permissions across systems
- Privileged account management policy and procedures
- Quarterly access review reports with sign-off from managers
- Multi-factor authentication (MFA) configuration records for privileged accounts
- Audit logs demonstrating privileged account usage and removals
- PAM tool reports showing privileged session monitoring and controls
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access reviews and RBAC monitoring, helping you maintain least privilege across your infrastructure while generating audit-ready evidence for AC.L2-3.1.5 compliance.
See how GRCWatch handles this control automatically
Start free trial