NIST 800-171 Control 3.1.5: Employ Least Privilege
Least privilege is a foundational security principle that limits user access to only what's necessary for their role. Under NIST 800-171, organizations must enforce least privilege for all users and especially for privileged accounts that pose elevated risk. This control reduces attack surface and prevents credential abuse.
What this means
Least privilege means granting users and systems only the minimum permissions required to complete their job functions. This applies to standard user accounts, administrative accounts, service accounts, and application access. The principle requires regular review and removal of unnecessary permissions, particularly for high-risk privileged accounts that can alter system configurations or access sensitive data.
How to comply
- 1.Document all user roles and the specific access permissions each role requires
- 2.Configure access controls to match defined roles rather than granting broad permissions
- 3.Separate regular user accounts from privileged accounts to prevent accidental misuse
- 4.Implement privileged access management (PAM) solutions to monitor and control administrative access
- 5.Conduct quarterly access reviews to identify and revoke unnecessary permissions
- 6.Use time-limited access for temporary elevated privileges instead of permanent admin status
- 7.Apply least privilege to application service accounts and automated processes
- 8.Log and monitor all privileged account activities for unauthorized access attempts
Evidence auditors look for
- Role-based access control (RBAC) policy documents with defined permission matrices
- User access reviews with manager sign-off showing removal of excess permissions
- Privileged access management system logs showing time-limited elevation requests
- Service account inventory with documented minimum required permissions per account
- Administrative account separation logs showing creation of non-privileged day-to-day accounts
- Access control configuration exports from directory services (Active Directory, Okta, etc.)
- Audit trails showing periodic deprovisioning of unused or transferred user accounts
- PAM session recordings or command logs for sensitive administrative activities
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates quarterly access reviews and maintains a real-time user permission inventory synchronized with your directory service, eliminating manual spreadsheets and flagging excessive privileges before auditors do.
See how GRCWatch handles this control automatically
Start free trial