When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites. What CMMC practice does this violate?
CMMC practice AC.L2-3.1.6 – Non-Privileged Account Use requires organizations to "use non-privileged accounts or roles when performing non-security functions." Using privileged accounts for routine tasks such as email and browsing violates this practice and increases the risk of privilege misuse or compromise. AC.L2-3.1.7 (A) restricts privileged functions, AC.L2-3.1.4 (C) addresses separation of duties, and AC.L2-3.1.2 (D) limits access; none of these specifically targets the use of privileged accounts for non-security activities. The CMMC guide emphasizes least privilege for non-security activities.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), AC.L2-3.1.6: "Require non-privileged accounts for non-security functions such as email and web browsing."
NIST SP 800-171A, 3.1.6: "Examine account usage to ensure privileged accounts are not used for non-security tasks."