CCI-000039
CCI-000039 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements a process to require that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information.
Compelling Evidence
1.) Signed and dated access control policy
2.) Signed and dated system security plan (SSP)
3.) Provide signed and dated documentation that defines the process to require that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing non-security functions.