SC.L2-3.13.3 — Separate user functionality from system management functionality.

What this control requires

Separate user functionality from system management functionality.

Source: CMMC L2 v2.13 SC.L2-3.13.3 / NIST SP 800-171 R2 3.13.3 (official control text).

Why this matters

Mixing everyday user tasks with system administration functions creates unnecessary risk. When admin tools and user applications share the same authentication, network paths, or interfaces, a compromised user account can escalate into full system compromise. Attackers exploiting phishing, malware, or credential theft target administrative access precisely because it grants control over entire systems. Separating these functions—whether through distinct consoles, segregated networks, privileged access workstations, or isolated authentication—ensures that even if a user environment is breached, adversaries cannot immediately pivot to managing critical infrastructure, modifying security settings, or accessing sensitive administrative functions.

What evidence assessors expect

Assessors typically look for: screenshot, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls