bigforceone

AC.L2-3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions.

What this control requires

Use non-privileged accounts or roles when accessing nonsecurity functions.

Source: CMMC L2 v2.13 AC.L2-3.1.6 / NIST SP 800-171 R2 3.1.6 (official control text).

Why this matters

Privileged accounts have elevated permissions that can alter system configurations, access sensitive data, or disrupt operations. When users perform routine tasks such as reading email, browsing documentation, or editing spreadsheets while logged into admin accounts, they expand the attack surface for credential theft, malware execution, and social engineering: anything that lands in the browser or mail client runs with the privileges of the logged-in account, so a routine phish becomes a full administrative compromise. This control enforces the principle of least privilege by requiring users to operate with standard permissions for everyday work and to elevate (through a separate admin account or an explicitly assumed role) only when performing administrative functions. Separating privileged access from routine activity reduces the blast radius of compromised credentials and limits insider threat opportunities.

What evidence assessors expect

Assessors typically look for artifacts such as screenshots and CSV exports that show privileged users hold a separate non-privileged account for routine work and that privileged accounts are not used for email, browsing, or other nonsecurity functions. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
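The following script is an added example, not part of this page or of the FORCE platform. It turns the separation described under "Why this matters" into a check a practitioner can run over the kind of CSV export an assessor asks for: it flags privileged accounts that are mailbox-enabled or log on interactively to workstations, and privileged users who have no separate standard account. The CSV rows are constructed sample data, and the column names (account, owner, account_type, privileged, mailbox_enabled, workstation_logons_30d) are assumptions; map them onto whatever your directory or IAM export actually produces.

```python
"""Audit an account export for AC.L2-3.1.6 (non-privileged accounts for
nonsecurity functions).

Added example, not code from the page. The CSV below is constructed sample
data and its column names are assumptions about an export format.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). One row per account.
# workstation_logons_30d: interactive logons to end-user workstations in
# the last 30 days, as a proxy for "used for routine work".
SAMPLE_EXPORT = """account,owner,account_type,privileged,mailbox_enabled,workstation_logons_30d
jdoe,Jane Doe,user,false,true,41
jdoe-adm,Jane Doe,user,true,false,0
bsmith-adm,Bob Smith,user,true,true,27
rlee,Rita Lee,user,false,true,38
svc-backup,Backup Service,service,true,false,0
"""


def _truthy(value):
    """Interpret common exported boolean spellings (true/yes/1)."""
    return value.strip().lower() in {"true", "yes", "1"}


def parse_export(text):
    """Parse the CSV text into a list of dicts with typed fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["privileged"] = _truthy(r["privileged"])
        r["mailbox_enabled"] = _truthy(r["mailbox_enabled"])
        r["workstation_logons_30d"] = int(r["workstation_logons_30d"])
    return rows


def audit(rows):
    """Return (account, reason) findings for privileged accounts that are
    being used for nonsecurity functions or lack a standard counterpart."""
    by_owner = defaultdict(list)
    for r in rows:
        by_owner[r["owner"]].append(r)

    findings = []
    for r in rows:
        if not r["privileged"]:
            continue
        if r["mailbox_enabled"]:
            findings.append((r["account"], "privileged account is mailbox-enabled"))
        if r["workstation_logons_30d"] > 0:
            findings.append((r["account"],
                             "privileged account has interactive workstation logons"))
        # Service accounts have no human owner doing routine work, so the
        # separate-standard-account check applies to human users only.
        if r["account_type"] == "user":
            standard = [a for a in by_owner[r["owner"]] if not a["privileged"]]
            if not standard:
                findings.append((r["account"], "owner has no separate standard account"))
    return findings


if __name__ == "__main__":
    for account, reason in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{account}: {reason}")
```

In the sample, jdoe-adm passes because Jane Doe also holds the standard account jdoe and the admin account is never used for mail or workstation logons; bsmith-adm is flagged three times because it is Bob Smith's only account and is used for email and daily logons. Run the same logic over a real export and attach the output alongside the CSV as evidence.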

Related controls

See your live posture on AC.L2-3.1.6.

FORCE shows where you stand on this control and walks you through closing it.

Start a free trial tenant →