Navigate

AC-6

AC-6 Description

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Supplemental

Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
Classified, Int-A, Int-B, Int-C, Privacy (High), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to AC-6.

Control	Description
AC-2	The organization: AC-2a.: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; AC-2b.: Assigns account managers for information system accounts; AC-2c.: Establishes conditions for group and role membership; AC-2d.: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; AC-2e.: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; AC-2f.: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; AC-2g.: Monitors the use of information system accounts; AC-2h.: Notifies account managers: AC-2h.1.: When accounts are no longer required; AC-2h.2.: When users are terminated or transferred; and AC-2h.3.: When individual information system usage or need-to-know changes; AC-2i.: Authorizes access to the information system based on: AC-2i.1.: A valid access authorization; AC-2i.2.: Intended system usage; and AC-2i.3.: Other attributes as required by the organization or associated missions/business functions; AC-2j.: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and AC-2k.: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-3	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-5	The organization: AC-5a.: Separates [Assignment: organization-defined duties of individuals]; AC-5b.: Documents separation of duties of individuals; and AC-5c.: Defines information system access authorizations to support separation of duties.
CM-6	The organization: CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; CM-6b.: Implements the configuration settings; CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-7	The organization: CM-7a.: Configures the information system to provide only essential capabilities; and CM-7b.: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
PL-2	The organization: PL-2a.: Develops a security plan for the information system that: PL-2a.1.: Is consistent with the organization�s enterprise architecture; PL-2a.2.: Explicitly defines the authorization boundary for the system; PL-2a.3.: Describes the operational context of the information system in terms of missions and business processes; PL-2a.4.: Provides the security categorization of the information system including supporting rationale; PL-2a.5.: Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.6.: Provides an overview of the security requirements for the system; PL-2a.7.: Identifies any relevant overlays, if applicable; PL-2a.8.: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and PL-2a.9.: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; PL-2b.: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; PL-2c.: Reviews the security plan for the information system [Assignment: organization-defined frequency]; PL-2d.: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and PL-2e.: Protects the security plan from unauthorized disclosure and modification.

Enhancements

The controls below (if any) add on to the requirements of AC-6.

Control	Description
AC-6 (1)	The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
AC-6 (2)	The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
AC-6 (3)	The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
AC-6 (4)	The information system provides separate processing domains to enable finer-grained allocation of user privileges.
AC-6 (5)	The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
AC-6 (6)	The organization prohibits privileged access to the information system by non-organizational users.
AC-6 (7)	The organization: AC-6 (7)(a): Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and AC-6 (7)(b): Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
AC-6 (8)	The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
AC-6 (9)	The information system audits the execution of privileged functions.
AC-6 (10)	The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Related CCIs

The CCIs below are tied to AC-6.

CCI	Definition
CCI-000225	The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.