AC.L2-3.1.6: Non-Privileged Account Use in CMMC Level 2
The principle of least privilege starts with daily practice: using non-privileged accounts for non-security functions protects your environment from lateral movement and privilege escalation attacks. CMMC Level 2 requires enforcing this discipline across your organization. Implement this control to reduce your attack surface and demonstrate strong access governance to customers and assessors.
What this means
This control requires your organization to use standard, unprivileged user accounts for routine work—email, document editing, web browsing, and other non-administrative tasks. Administrative or privileged accounts should only be used when performing security-related or system administration functions that genuinely require elevated permissions. This separation minimizes exposure if a user account is compromised.
How to comply
- 1.Inventory all user accounts and classify them as privileged (administrative) or non-privileged (standard user)
- 2.Configure role-based access control (RBAC) so each user receives only the minimum permissions required for their role
- 3.Require administrators and security personnel to use separate non-privileged accounts for daily work
- 4.Disable or restrict default administrative accounts; create named administrative accounts tied to individuals
- 5.Enforce policy requiring users to authenticate with non-privileged credentials before elevating to admin when necessary
- 6.Monitor and audit the use of privileged accounts to detect and investigate unauthorized privilege use
- 7.Document your account classification scheme and privileged account usage policy
Evidence auditors look for
- Account management policy or procedure document defining privileged vs. non-privileged account use
- Role-based access control (RBAC) matrix showing user accounts and their assigned permission levels
- Active Directory or identity management system configuration showing standard users without admin rights
- Privileged account list with designated admin accounts and their owners
- Audit logs showing privileged account activity and elevation requests
- User access reviews documenting the principle of least privilege
- Configuration screenshots from Windows, Linux, or cloud environments showing non-admin user accounts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically maps your Active Directory and cloud identity systems to verify non-privileged account usage, flag admin accounts used for routine tasks, and generate audit-ready reports—eliminating manual account reviews for AC.L2-3.1.6 compliance.
See how GRCWatch handles this control automatically
Start free trial