
AC.L2-3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.

What this control requires

Employ the principle of least privilege, including for specific security functions and privileged accounts.

Source: CMMC L2 v2.13 AC.L2-3.1.5 / NIST SP 800-171 R2 3.1.5 (official control text).

Why this matters

Least privilege limits the blast radius when credentials are compromised or insiders act maliciously. Every excess permission is an attack surface—if a marketing coordinator has domain admin rights, a phishing email becomes a full network breach. This control forces organizations to grant only the specific permissions each user, service account, and process needs to perform their job, then revoke or rotate those privileges when roles change. It protects intellectual property, financial data, and system integrity by ensuring that even legitimate users cannot accidentally or intentionally access resources beyond their responsibility.

What evidence assessors expect

Assessors typically look for artifacts such as screenshots, CSV exports, and PDFs. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on AC.L2-3.1.5.

FORCE shows where you stand on this control and walks you through closing it.

Start a free trial tenant →