Navigate

AC-6

AC-6: Least Privilege

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Supplemental

Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
Classified, Int-A, Int-B, Int-C, Privacy (High), Privacy (Mod), Privacy (PHI)

CSF Categories
PR.AC-4, PR.DS-5

Related Controls

The controls below (if any) were marked by NIST as being related to AC-6.

Control	Description
AC-2	The organization: a: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [one of ]; b: Assigns account managers for information system accounts; c: Establishes conditions for group and role membership; d: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e: Requires approvals by [one of ] for requests to create information system accounts; f: Creates, enables, modifies, disables, and removes information system accounts in accordance with [one of ]; g: Monitors the use of information system accounts; h: Notifies account managers: 1: When accounts are no longer required; 2: When users are terminated or transferred; and 3: When individual information system usage or need-to-know changes; i: Authorizes access to the information system based on: 1: A valid access authorization; 2: Intended system usage; and 3: Other attributes as required by the organization or associated missions/business functions; j: Reviews accounts for compliance with account management requirements [one of ]; and k: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-3	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-5	The organization: a: Separates [one of ]; b: Documents separation of duties of individuals; and c: Defines information system access authorizations to support separation of duties.
CM-6	The organization: a: Establishes and documents configuration settings for information technology products employed within the information system using [one of ] that reflect the most restrictive mode consistent with operational requirements; b: Implements the configuration settings; c: Identifies, documents, and approves any deviations from established configuration settings for [one of ] based on [one of ]; and d: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-7	The organization: a: Configures the information system to provide only essential capabilities; and b: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [one of ].
PL-2	The organization: a: Develops a security plan for the information system that: 1: Is consistent with the organization’s enterprise architecture; 2: Explicitly defines the authorization boundary for the system; 3: Describes the operational context of the information system in terms of missions and business processes; 4: Provides the security categorization of the information system including supporting rationale; 5: Describes the operational environment for the information system and relationships with or connections to other information systems; 6: Provides an overview of the security requirements for the system; 7: Identifies any relevant overlays, if applicable; 8: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b: Distributes copies of the security plan and communicates subsequent changes to the plan to [one of ]; c: Reviews the security plan for the information system [one of ]; d: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e: Protects the security plan from unauthorized disclosure and modification.

Enhancements

The controls below (if any) add on to the requirements of AC-6.

Control	Description
AC-6(1)	The organization explicitly authorizes access to [one of ].
AC-6(2)	The organization requires that users of information system accounts, or roles, with access to [one of ], use non-privileged accounts or roles, when accessing nonsecurity functions.
AC-6(3)	The organization authorizes network access to [one of ] only for [one of ] and documents the rationale for such access in the security plan for the information system.
AC-6(4)	The information system provides separate processing domains to enable finer-grained allocation of user privileges.
AC-6(5)	The organization restricts privileged accounts on the information system to [one of ].
AC-6(6)	The organization prohibits privileged access to the information system by non-organizational users.
AC-6(7)	The organization: (a): Reviews [one of ] the privileges assigned to [one of ] to validate the need for such privileges; and (b): Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
AC-6(8)	The information system prevents [one of ] from executing at higher privilege levels than users executing the software.
AC-6(9)	The information system audits the execution of privileged functions.
AC-6(10)	The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Related CCIs

The CCIs below are tied to AC-6.

CCI	Definition
CCI-000225	Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned organizational tasks.