bigforceone

03.01.06(a) Restrict privileged accounts on the system to {{ insert: param, A.03.01.06.ODP.01 }}. (b) Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.

What this control requires

(a) Restrict privileged accounts on the system to {{ insert: param, A.03.01.06.ODP.01 }}. (b) Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.

Source: NIST SP 800-171 R3 §03.01.06 (official control text).

Why this matters

Privileged accounts—administrator, root, or super-user credentials—hold the keys to every sensitive system and dataset. If an attacker compromises one, they can disable security controls, exfiltrate CUI, install backdoors, or wipe audit logs. This control forces organizations to limit who receives elevated privileges and mandates that even those privileged users operate with standard accounts for everyday tasks like reading email or browsing documentation. The principle is simple: reduce the attack surface by ensuring elevated rights are active only when genuinely needed. Restricting privileged accounts to a named, justified list prevents privilege creep and ensures accountability when something goes wrong.
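A small audit that checks both halves of the control, added here as an illustration and not code from FORCE or from NIST: part (a) compares who actually holds privileged group membership against the organization-defined approved list (the ODP value), and part (b) scans activity records for privileged accounts performing everyday, non-security functions that should have come from the user's separate standard account. The approved list, group names, membership export and log lines are all constructed for the example.

```python
"""Audit helper for NIST SP 800-171 R3 03.01.06 (privileged accounts).

(a) privileged accounts present on the system must all be on the approved
    (organization-defined) list;
(b) privileged accounts must not be used for non-security functions such
    as mail, web browsing or ordinary document editing.
"""

# Constructed sample data for a hypothetical organization (not from the page).
APPROVED_PRIVILEGED = {"adm-alice", "adm-bob", "root"}   # the ODP list
PRIVILEGED_GROUPS = {"Domain Admins", "sudo", "wheel"}
# Functions that 03.01.06(b) says must be done from a non-privileged account.
NON_SECURITY_FUNCTIONS = {"mail", "web", "office_docs"}

CURRENT_MEMBERSHIP = [  # (account, group) as exported from the directory
    ("adm-alice", "Domain Admins"),
    ("adm-bob", "sudo"),
    ("root", "wheel"),
    ("carol", "Domain Admins"),   # not on the approved list -> finding (a)
    ("dave", "Developers"),       # non-privileged group, ignored
]

ACTIVITY_LOG = [  # constructed "timestamp account function" records
    "2024-05-01T09:00:00Z adm-alice group_policy_edit",
    "2024-05-01T09:05:00Z adm-alice mail",           # finding (b)
    "2024-05-01T09:10:00Z alice mail",               # correct: standard account
    "2024-05-01T09:20:00Z root web",                 # finding (b)
    "2024-05-01T09:30:00Z adm-bob audit_log_review",
]


def privileged_accounts(membership):
    """Accounts that are members of at least one privileged group."""
    return {acct for acct, grp in membership if grp in PRIVILEGED_GROUPS}


def unapproved_privileged(membership, approved=APPROVED_PRIVILEGED):
    """03.01.06(a): privileged accounts that are not on the approved list."""
    return sorted(privileged_accounts(membership) - approved)


def privileged_misuse(log_lines, membership):
    """03.01.06(b): privileged accounts seen doing non-security functions."""
    priv = privileged_accounts(membership)
    findings = []
    for line in log_lines:
        ts, acct, func = line.split()
        if acct in priv and func in NON_SECURITY_FUNCTIONS:
            findings.append((ts, acct, func))
    return findings


if __name__ == "__main__":
    print("Unapproved privileged accounts:", unapproved_privileged(CURRENT_MEMBERSHIP))
    for ts, acct, func in privileged_misuse(ACTIVITY_LOG, CURRENT_MEMBERSHIP):
        print(f"{ts}: privileged account {acct} used for {func!r}")
```

Both functions return their findings, so the same logic can be pointed at a real directory export and authentication log to produce the kind of artifact an assessor asks for.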

What evidence assessors expect

Assessors typically look for artifacts such as a CSV export of privileged account membership, a screenshot, a PDF, or a log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on 03.01.06.

FORCE shows where you stand on this control and walks you through closing it.
