AC.L2-3.1.7 — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
What this control requires
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Source: CMMC L2 v2.13 AC.L2-3.1.7 / NIST SP 800-171 R2 3.1.7 (official control text).
Why this matters
Privileged functions—creating accounts, changing system settings, installing software, managing encryption keys—can reconfigure or compromise entire systems if misused. This control prevents standard users from executing these high-risk operations and logs every privileged action so security teams can detect insider threats, compromised accounts, or policy violations. Without enforcement, a single user account can escalate privileges, disable protections, or exfiltrate data undetected. Logging creates an audit trail that supports forensic investigations and deters abuse by making privileged actions visible and accountable.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on AC.L2-3.1.7.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →