Least Privilege
Also known as: Principle of least privilege
The cybersecurity principle that every user, process, and account should have only the minimum access necessary to perform its function. Required by CMMC practice AC.L2-3.1.5 (NIST SP 800-171 requirement 3.1.5).
Least privilege is a foundational cybersecurity principle: every user, process, and system component should have only the minimum access rights necessary to perform its assigned function. It is required by NIST SP 800-171 requirement 3.1.5, assessed in CMMC as practice AC.L2-3.1.5, which calls for least privilege to be applied including to specific security functions and privileged accounts.
In practice, least privilege means not running users or services with administrator rights by default, separating privileged accounts from the accounts used for day-to-day work, granting elevation just-in-time for a bounded window rather than leaving standing privilege in place, and periodically reviewing what each role can actually do against what it needs to do.
A mature least-privilege implementation includes role-based access control (RBAC), separation of duties so that no single identity holds a conflicting pair of permissions (for example, creating and approving the same payment), periodic account and permission reviews to catch privilege creep, and a documented rationale for each privilege level so an assessor can trace why an account holds what it holds.
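To make these mechanics concrete, the following Python script is an added example, not CMMCDocs code or content from this page: it models standing role assignments, time-bounded just-in-time grants, a separation-of-duties check, and an access review that lists standing permissions an account holds but has not exercised within a review window. Every role, account, grant and log entry in it is constructed for illustration.

```python
"""Least-privilege checks over a small RBAC model.

Added example, not CMMCDocs code. Roles, assignments, the separation-of-duties
pairs, the just-in-time grants and the access log are all constructed inline.
"""
from datetime import datetime, timedelta

# Role -> permissions it grants (constructed for illustration).
ROLES = {
    "helpdesk": {"user:reset_password", "ticket:read", "ticket:write"},
    "finance_clerk": {"payment:create", "ledger:read"},
    "finance_approver": {"payment:approve", "ledger:read"},
    "sysadmin": {"server:ssh", "server:reboot", "iam:grant_role"},
}

# Standing role assignments (constructed). bob holds a conflicting pair of
# finance roles; svc-backup holds a broad role it barely uses.
ASSIGNMENTS = {
    "alice": {"helpdesk"},
    "bob": {"finance_clerk", "finance_approver"},
    "carol": {"finance_approver"},
    "svc-backup": {"sysadmin"},
}

# Permission pairs that no single identity may hold at the same time.
SOD_CONFLICTS = [("payment:create", "payment:approve")]

# Just-in-time grants: (account, role, granted_at, expires_at). Constructed.
NOW = datetime(2024, 6, 1, 12, 0)
JIT_GRANTS = [
    ("alice", "sysadmin", NOW - timedelta(hours=1), NOW + timedelta(hours=1)),  # live
    ("carol", "sysadmin", NOW - timedelta(days=2), NOW - timedelta(days=1)),    # expired
]


def effective_permissions(account, at=NOW):
    """Union of standing roles plus any JIT grant that is live at `at`."""
    roles = set(ASSIGNMENTS.get(account, ()))
    for acct, role, start, end in JIT_GRANTS:
        if acct == account and start <= at < end:
            roles.add(role)
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def separation_of_duties_violations(at=NOW):
    """Map account -> list of conflicting permission pairs it currently holds."""
    violations = {}
    for account in ASSIGNMENTS:
        perms = effective_permissions(account, at)
        hits = [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms]
        if hits:
            violations[account] = hits
    return violations


# Constructed access log: (timestamp, account, permission exercised).
ACCESS_LOG = [
    (NOW - timedelta(days=3), "alice", "user:reset_password"),
    (NOW - timedelta(days=2), "alice", "ticket:read"),
    (NOW - timedelta(days=1), "alice", "ticket:write"),
    (NOW - timedelta(days=10), "bob", "payment:create"),
    (NOW - timedelta(days=5), "carol", "payment:approve"),
    (NOW - timedelta(days=40), "svc-backup", "server:ssh"),
    (NOW - timedelta(days=200), "svc-backup", "iam:grant_role"),  # outside the window
]


def unused_permissions(log=ACCESS_LOG, at=NOW, window_days=90):
    """Standing permissions each account holds but has not used in the window.

    Only standing assignments are reviewed; JIT grants expire on their own.
    """
    cutoff = at - timedelta(days=window_days)
    used = {}
    for ts, account, perm in log:
        if ts >= cutoff:
            used.setdefault(account, set()).add(perm)
    report = {}
    for account, roles in ASSIGNMENTS.items():
        standing = set().union(*(ROLES[r] for r in roles))
        unused = standing - used.get(account, set())
        if unused:
            report[account] = sorted(unused)
    return report


if __name__ == "__main__":
    print("SoD violations:", separation_of_duties_violations())
    print("alice can grant roles right now?", "iam:grant_role" in effective_permissions("alice"))
    print("carol still has server:ssh?", "server:ssh" in effective_permissions("carol"))
    for account, perms in unused_permissions().items():
        print(f"{account}: not exercised in 90 days -> {perms}")
```

The review output is what an assessor asks to see: bob's conflicting finance roles are a separation-of-duties finding, svc-backup's unused `iam:grant_role` and `server:reboot` are candidates for removal, and alice's sysadmin access disappears on its own once the JIT window closes, which is the point of preferring time-bounded grants over standing privilege.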
CMMCDocs.com