03.01.05
What this control requires
(a) Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks. (b) Authorize access to {{ insert: param, A.03.01.05.ODP.01 }} and {{ insert: param, A.03.01.05.ODP.02 }}. (c) Review the privileges assigned to roles or classes of users {{ insert: param, A.03.01.05.ODP.03 }} to validate the need for such privileges. (d) Reassign or remove privileges, as necessary.
Source: NIST SP 800-171 R3 §03.01.05 (official control text).
Why this matters
Least privilege is the cornerstone of access control—it ensures users and automated processes receive only the minimum permissions required to perform their specific job functions, nothing more. When accounts accumulate excessive rights over time (privilege creep) or are provisioned with broad access by default, a single compromised credential can expose sensitive CUI across multiple systems. Attackers specifically target over-privileged accounts because one breach yields maximum damage. By restricting access to security functions, security-relevant information, and privileged commands to only those personnel with verified need, the organization dramatically shrinks the attack surface. Regular privilege reviews catch drift before it becomes exploitable, while prompt removal of unnecessary access closes windows of opportunity.
What evidence assessors expect
Assessors typically look for: CSV export, PDF, configuration export, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.