AC.L2-3.1.5
Also known as: Least privilege requirement
The NIST SP 800-171 requirement that mandates the principle of least privilege — users get the minimum access necessary for their job.
AC.L2-3.1.5 requires the contractor to 'employ the principle of least privilege, including for specific security functions and privileged accounts.' Least privilege is one of the foundational concepts of cybersecurity: every user, process, and account should have only the access necessary to perform its function — no more.
In practice, this means avoiding default-admin patterns, segmenting privileged accounts from day-to-day user accounts, using just-in-time elevation rather than standing privilege, and periodically reviewing what each role can actually do.
A C3PAO will ask for the role definitions, sample a few accounts, and verify that the privilege level matches the role description.
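The assessor's check described above (role definitions, a sample of accounts, privilege level compared against the role) can be rehearsed internally before an assessment. The following Python is an added example, not CMMCDocs material and not anything drawn from NIST SP 800-171; the role definitions, privilege names, and accounts are constructed for illustration. It compares each account's effective privileges with what its assigned role permits and flags excess rights, undefined roles, and standing privileged access held on a day-to-day account rather than a dedicated privileged one, which covers the segmentation and periodic-review practices mentioned earlier.

```python
"""Least-privilege access review: compare each account's effective
privileges against the privileges its assigned role is allowed to hold.
All role names, privilege names and accounts below are constructed examples."""
import random
from dataclasses import dataclass

# Constructed role definitions: role name -> privileges the role may hold.
ROLE_DEFINITIONS = {
    "engineer": {"read:repo", "write:repo"},
    "helpdesk": {"read:directory", "reset:password"},
    "domain-admin": {"read:directory", "write:directory", "admin:domain"},
}

# Constructed set of privileges that count as security functions / privileged
# access and should only exist on dedicated privileged accounts.
PRIVILEGED = {"admin:domain", "write:directory", "admin:local"}


@dataclass
class Account:
    name: str
    role: str
    privileges: set
    privileged_account: bool = False  # dedicated admin account (e.g. "carol-adm")


def review_account(account, roles=ROLE_DEFINITIONS):
    """Return a list of finding strings for one account (empty if it is clean)."""
    findings = []
    allowed = roles.get(account.role)
    if allowed is None:
        # A role nobody defined cannot be reviewed against anything.
        findings.append(f"{account.name}: role '{account.role}' has no definition")
        return findings
    excess = account.privileges - allowed
    if excess:
        findings.append(
            f"{account.name}: privileges beyond role '{account.role}': {sorted(excess)}"
        )
    standing = account.privileges & PRIVILEGED
    if standing and not account.privileged_account:
        # Privileged rights on a daily-use account defeat account segmentation.
        findings.append(
            f"{account.name}: standing privileged access on a day-to-day account: "
            f"{sorted(standing)}"
        )
    return findings


def sample_accounts(accounts, k, seed=0):
    """Pick k accounts to review, reproducibly, the way an assessor samples."""
    rng = random.Random(seed)
    return rng.sample(accounts, min(k, len(accounts)))


def review(accounts, k=None, seed=0):
    """Review all accounts (or a sample of k) and return {name: [findings]}."""
    chosen = accounts if k is None else sample_accounts(accounts, k, seed)
    report = {}
    for account in chosen:
        findings = review_account(account)
        if findings:
            report[account.name] = findings
    return report


# Constructed sample population: two clean accounts, three that should be flagged.
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer", {"read:repo", "write:repo"}),
    Account("bob", "engineer", {"read:repo", "write:repo", "admin:domain"}),
    Account("carol-adm", "domain-admin",
            {"read:directory", "write:directory", "admin:domain"},
            privileged_account=True),
    Account("dave", "helpdesk", {"read:directory", "reset:password", "write:directory"}),
    Account("erin", "contractor", {"read:repo"}),
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE_ACCOUNTS).items():
        for line in findings:
            print(line)
```

Running the module prints findings for bob (domain admin on a daily account, beyond the engineer role), dave (directory write beyond the helpdesk role) and erin (undefined role), while alice and the dedicated carol-adm account pass. In practice the two dictionaries would be loaded from the role catalogue and a directory export rather than hard-coded.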
CMMCDocs.com