AC-6: Least Privilege

The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].

The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.

The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.

The information system provides separate processing domains to enable finer-grained allocation of user privileges.

The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].

The organization prohibits privileged access to the information system by non-organizational users.

The organization: Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.

The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.

The information system audits the execution of privileged functions.

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.