Mapped to NIST 800-171 Requirement: 3.1.7
CMMC Assessment Objective: AC.L2-3.1.7[b]
What This Objective Means
This control builds on AC.L2-3.1.7[a] by focusing on the policy layer. It requires that your organization:
• Has formally identified privileged functions
• Has documented in policy that those functions must only be performed by privileged accounts
The policy should create a clear line between standard and elevated roles, making it clear who is allowed to perform which tasks—and under what circumstances.
Why It Matters
If your policy doesn’t enforce separation between standard and privileged accounts:
• Users may perform sensitive actions using general-purpose accounts
• Privileged access could go unmonitored or be misused
• You’ll lack defensible documentation during audits or investigations
A well-written policy ensures privileged actions are handled with intention and oversight.
How to Implement It
• Review your Access Control Policy or SSP
• Include language such as:
◦ “Privileged functions shall only be performed using accounts authorized for privileged access.”
◦ “Standard user accounts shall not be granted administrative capabilities.”
• Link this policy requirement to your list of privileged functions (from 3.1.7[a])
• Ensure policy is reviewed, approved, and version-controlled
Evidence the Assessor Will Look For
• A current access control policy that specifically addresses the use of privileged accounts
• Definitions of “privileged function” and “privileged account” in policy language
• Documentation showing how policy is enforced (e.g., provisioning procedures, role templates)
• Change history showing recent updates to incorporate or reinforce this policy
Common Gaps
• No clear distinction in policy between standard and privileged account use
• Privileged tasks performed using generic user accounts
• Privileged accounts used for both admin and non-admin activities, with no guidance or restrictions
How Cuick Trac Helps
Cuick Trac enforces policy-based control of privileged accounts by:
• Restricting sensitive administrative actions to specific, approved accounts
• Logging all use of privileged functions for audit and security review
• Providing access policy templates that define proper use of privileged accounts
• Blocking administrative actions from being executed by non-privileged users
With Cuick Trac, policy and system behavior are kept aligned: privileged functions are performed only by the people and accounts authorized to perform them.
Final CTA
Policies create boundaries—and boundaries protect your systems.
Schedule a Cuick Trac demo and make sure your policies enforce privileged access the right way.