NetStable
Level 2 AC.L2-3.1.5

Employ the principle of least privilege

📖 What This Means

The principle of least privilege means giving users and systems only the minimum access they need to perform their job functions. This reduces the risk of accidental or intentional misuse of sensitive information. For example, an employee in the HR department should have access to personnel files but not financial records. Similarly, a web server should have access to its own application files but not to the entire server's file system. This control is crucial for protecting Controlled Unclassified Information (CUI) and ensuring that access is tightly controlled.

🎯 Why It Matters

Without least privilege, users and systems may have excessive access, increasing the risk of data breaches, insider threats, and malware spreading. For instance, in the 2017 Equifax breach, hackers exploited a vulnerability in a web application that had excessive privileges, leading to the exposure of 147 million records. The DoD emphasizes least privilege to protect CUI and ensure that only authorized personnel can access sensitive information. Implementing least privilege minimizes the attack surface and limits potential damage from compromised accounts.

How to Implement

  1. Use Identity and Access Management (IAM) roles in AWS, Azure, or GCP to define granular permissions.
  2. Regularly review and update IAM policies to ensure they align with job functions.
  3. Implement role-based access control (RBAC) in cloud environments.
  4. Use Azure AD Privileged Identity Management (PIM) or AWS IAM Access Analyzer to monitor and manage permissions.
  5. Enable Just-In-Time (JIT) access for privileged accounts.
  6. Use cloud-native tools to enforce least privilege for service accounts.
  7. Regularly audit permissions using your cloud provider's access reports.
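The steps above amount to one procedure: define granular roles, then review them on a schedule and produce an audit report. The following script is an added example, not NetStable's tooling or any cloud provider's own API; it assumes AWS-style JSON policy documents (Version/Statement with Effect, Action, Resource) and uses two constructed sample policies, one over-broad and one scoped to an HR file-access role, to show what a review should flag and what a clean policy looks like. The CSV it emits is the kind of "Permission Audit Report" listed under Evidence Examples.

```python
"""Least-privilege lint for IAM policy documents (added example, not NetStable's code).

Assumption: policies are AWS-style JSON documents. Wildcards ("*" or "svc:*") in an
Allow statement are the most common over-grant a quarterly review should catch.
"""
from __future__ import annotations

import csv
import io
import json

# Constructed sample: an over-broad policy of the kind a permission review should catch.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"],
         "Resource": "arn:aws:s3:::hr-personnel-files/*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

# Constructed sample: the same HR workload scoped to the actions and bucket it needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::hr-personnel-files",
                      "arn:aws:s3:::hr-personnel-files/*"]},
    ],
})


def _as_list(value) -> list:
    """IAM lets Action/Resource/Statement be a single item or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_wildcard(entry: str) -> bool:
    """'*' grants everything; 'svc:*' grants every action (or every ARN) in a service."""
    return entry == "*" or entry.endswith(":*")


def find_overbroad_grants(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that grants wildcard actions or resources."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they cannot over-grant
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # NotAction / NotResource allow everything except the listed items, so treat
        # their presence as a full wildcard for review purposes.
        if "NotAction" in stmt:
            actions.append("*")
        if "NotResource" in stmt:
            resources.append("*")
        wild_actions = [a for a in actions if _is_wildcard(a)]
        wild_resources = [r for r in resources if _is_wildcard(r)]
        if not wild_actions and not wild_resources:
            continue
        # Unbounded on both axes is the worst case; one axis bounded is still a finding.
        severity = "high" if wild_actions and wild_resources else "medium"
        findings.append({
            "statement": index,
            "severity": severity,
            "wildcard_actions": wild_actions,
            "wildcard_resources": wild_resources,
        })
    return findings


def audit_report_csv(policies: dict[str, str]) -> str:
    """Render findings for several named policies as CSV (the 'Permission Audit Report')."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["policy", "statement", "severity", "wildcard_actions", "wildcard_resources"])
    for name, doc in policies.items():
        for f in find_overbroad_grants(doc):
            writer.writerow([name, f["statement"], f["severity"],
                             " ".join(f["wildcard_actions"]),
                             " ".join(f["wildcard_resources"])])
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_report_csv({"overbroad": OVERBROAD_POLICY, "scoped": SCOPED_POLICY}))
```

Note the design choice on resources: `arn:aws:s3:::hr-personnel-files/*` is not flagged because the object-level wildcard is bounded to one bucket, which is exactly the scoping the HR example in "What This Means" calls for, whereas `s3:*` on that same bucket is still reported as medium because it grants every S3 action rather than the two the job needs. Run it against exported policy documents from the console (step 1 of the evidence collection) and keep the CSV with the quarterly review.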
⏱️ Estimated Effort

Implementation typically takes 2-3 days for small organizations, requiring intermediate IT skills.

📋 Evidence Examples

IAM Policy Document

Format: PDF
Frequency: Quarterly
Contents: Detailed IAM roles and permissions
Collection: Export from AWS/Azure/GCP console

Access Control Policy

Format: Word/PDF
Frequency: Annually
Contents: Policy defining least privilege principles
Collection: Create/update document

Permission Audit Report

Format: Excel/CSV
Frequency: Monthly
Contents: List of users and their permissions
Collection: Run audit script or use tool

Training Records

Format: Excel/PDF
Frequency: Annually
Contents: Employee training on least privilege
Collection: Track training sessions

Configuration Screenshots

Format: PNG/JPG
Frequency: Quarterly
Contents: IAM role/permission settings
Collection: Capture from cloud console

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.5 ("Employ the principle of least privilege"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.5 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to employ the principle of least privilege. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.5 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to employ the principle of least privilege. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.5 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where the principle of least privilege applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.5
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented access control policy that enforces least privilege?

✅ YES → Proceed to Q2
❌ NO → GAP: Create an access control policy defining least privilege principles. Timeline: 1 week.

Question 2: Are user permissions regularly reviewed and updated based on job roles?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement a quarterly review process for user permissions. Timeline: 2 weeks.

Question 3: Are administrative privileges restricted and separate from regular user accounts?

✅ YES → Proceed to Q4
❌ NO → GAP: Create separate admin accounts and restrict privileges. Timeline: 1 week.

Question 4: Do you use RBAC to manage permissions in your environment?

✅ YES → Proceed to Q5
❌ NO → GAP: Implement RBAC in Active Directory or cloud IAM. Timeline: 2 weeks.

Question 5: Are permissions regularly audited and documented?

✅ YES → Compliance confirmed
❌ NO → GAP: Implement a monthly audit process for permissions. Timeline: 2 weeks.

⚠️ Common Mistakes (What Auditors Flag)

1. Over-privileged accounts

Why this happens: Lack of regular review and updates
How to avoid: Implement quarterly permission reviews.

2. No separate admin accounts

Why this happens: Convenience of using one account
How to avoid: Create separate admin accounts.

3. Inconsistent permissions across environments

Why this happens: Lack of synchronization between cloud and on-premise
How to avoid: Use tools like Azure AD Connect.

4. Missing access control policy

Why this happens: Policy not created or outdated
How to avoid: Create and maintain an access control policy.

5. Insufficient training

Why this happens: Employees not trained on least privilege
How to avoid: Conduct annual training sessions.

📚 Parent Policy

This practice is governed by the Access Control Policy.

View AC Policy →

📚 Related Controls