The requirement of least privilege mandates that users be granted only the access necessary to perform their duties. Assessors confirm compliance by reviewing user access lists, ensuring privileged access is limited, documented, and assigned only where required.
Exact Extracts:
AC.L2-3.1.5: “Employ the principle of least privilege, including for specific security functions and privileged accounts.”
Assessment Guide: “Evidence includes user access lists, role-based access assignments, and documentation of privileged accounts.”
NIST SP 800-171A Objective: “Examine system access lists, rights, and permissions for least privilege.”
Why other options are not correct:
A (Authentication policy): Pertains to verifying identity, not enforcing least privilege.
B (System configurations): Provide technical settings, but access lists are the primary evidence for least privilege.
D (Terminated employees list): Tied to AC.L2-3.1.2 (Access enforcement) and AC.L2-3.1.7 (Account management), not least privilege.
References:
- CMMC Assessment Guide – Level 2, Version 2.13: AC.L2-3.1.5 (pp. 17–19).
- NIST SP 800-171A: Assessment procedures for least privilege.