Navigate

AC-6

AC-6: Least Privilege

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Supplemental

Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
CMMC, Classified, DAF Baseline, Int-A, Int-B, Int-C, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
PR.AC-4, PR.DS-5

Related Controls

The controls below (if any) were marked by NIST as being related to AC-6.

Control	Description
AC-2	a: Define and document the types of accounts allowed and specifically prohibited for use within the system; b: Assign account managers; c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership; d: Specify: 1: Authorized users of the system; 2: Group and role membership; and 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account; e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts; f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;]; g: Monitor the use of accounts; h: Notify account managers and [personnel or roles to be notified is/are defined;] within: 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required; 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual; i: Authorize access to the system based on: 1: A valid access authorization; 2: Intended system usage; and 3: [attributes needed to authorize system access (as required) are defined;]; j: Review accounts for compliance with account management requirements [the frequency of account review is defined;]; k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l: Align account management processes with personnel termination and transfer processes.
AC-3	Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-5	a: Identify and document [duties of individuals requiring separation are defined;] ; and b: Define system access authorizations to support separation of duties.
AC-16	a: Provide the means to associate [one of ] with [one of ] for information in storage, in process, and/or in transmission; b: Ensure that the attribute associations are made and retained with the information; c: Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for [one of ]: [one of ]; d: Determine the following permitted attribute values or ranges for each of the established attributes: [attribute values or ranges for established attributes are defined;]; e: Audit changes to attributes; and f: Review [one of ] for applicability [one of ].
CM-5	Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
CM-11	a: Establish [policies governing the installation of software by users are defined;] governing the installation of software by users; b: Enforce software installation policies through the following methods: [methods used to enforce software installation policies are defined;] ; and c: Monitor policy compliance [frequency with which to monitor compliance is defined;].
PL-2	a: Develop security and privacy plans for the system that: 1: Are consistent with the organization’s enterprise architecture; 2: Explicitly define the constituent system components; 3: Describe the operational context of the system in terms of mission and business processes; 4: Identify the individuals that fulfill system roles and responsibilities; 5: Identify the information types processed, stored, and transmitted by the system; 6: Provide the security categorization of the system, including supporting rationale; 7: Describe any specific threats to the system that are of concern to the organization; 8: Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10: Provide an overview of the security and privacy requirements for the system; 11: Identify any relevant control baselines or overlays, if applicable; 12: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13: Include risk determinations for security and privacy architecture and design decisions; 14: Include security- and privacy-related activities affecting the system that require planning and coordination with [individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;] ; and 15: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b: Distribute copies of the plans and communicate subsequent changes to the plans to [personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;]; c: Review the plans [frequency to review system security and privacy plans is defined;]; d: Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e: Protect the plans from unauthorized disclosure and modification.
PM-12	Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
SA-8	Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [one of ].
SA-15	a: Require the developer of the system, system component, or system service to follow a documented development process that: 1: Explicitly addresses security and privacy requirements; 2: Identifies the standards and tools used in the development process; 3: Documents the specific tool options and tool configurations used in the development process; and 4: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b: Review the development process, standards, tools, tool options, and tool configurations [frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [one of ].
SA-17	Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: a: Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture; b: Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and c: Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.
SC-38	Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [operations security controls to be employed to protect key organizational information throughout the system development life cycle are defined;].

Enhancements

The controls below (if any) add on to the requirements of AC-6.

Control	Description
AC-6(1)	Authorize access for [individuals and roles with authorized access to security functions and security-relevant information are defined;] to: (a): [one of ] ; and (b): [security-relevant information for authorized access is defined;].
AC-6(2)	Require that users of system accounts (or roles) with access to [security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;] use non-privileged accounts or roles, when accessing nonsecurity functions.
AC-6(3)	Authorize network access to [privileged commands to which network access is to be authorized only for compelling operational needs are defined;] only for [compelling operational needs necessitating network access to privileged commands are defined;] and document the rationale for such access in the security plan for the system.
AC-6(4)	Provide separate processing domains to enable finer-grained allocation of user privileges.
AC-6(5)	Restrict privileged accounts on the system to [personnel or roles to which privileged accounts on the system are to be restricted is/are defined;].
AC-6(6)	Prohibit privileged access to the system by non-organizational users.
AC-6(7)	(a): Review [the frequency at which to review the privileges assigned to roles or classes of users is defined;] the privileges assigned to [roles or classes of users to which privileges are assigned are defined;] to validate the need for such privileges; and (b): Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
AC-6(8)	Prevent the following software from executing at higher privilege levels than users executing the software: [software to be prevented from executing at higher privilege levels than users executing the software is defined;].
AC-6(9)	Log the execution of privileged functions.
AC-6(10)	Prevent non-privileged users from executing privileged functions.

Related CCIs

The CCIs below are tied to AC-6.

CCI	Definition
CCI-000225	Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned organizational tasks.