bigforceone

03.01.07(a) Prevent non-privileged users from executing privileged functions. (b) Log the execution of privileged functions.

What this control requires

(a) Prevent non-privileged users from executing privileged functions. (b) Log the execution of privileged functions.

Source: NIST SP 800-171 R3 §03.01.07 (official control text).

Why this matters

Privileged functions—creating accounts, modifying security configurations, managing encryption keys, patching systems—can permanently alter an organization's security posture if misused. When non-privileged users gain access to these capabilities, whether through misconfiguration or account compromise, attackers can disable defenses, install backdoors, or exfiltrate data undetected. This control enforces a hard boundary: only accounts explicitly designated as privileged may execute privileged operations, and every such execution must be logged. The logging component is critical for detecting insider threats and advanced persistent threat actors that have compromised administrative credentials, since a valid privileged account executing a privileged function looks legitimate unless the record of what was run, by whom, and when is available for review. Without these guardrails, organizations cannot distinguish legitimate maintenance from malicious activity until damage is already done.

What evidence assessors expect

Assessors typically look for: screenshots, configuration exports, log files, and PDF reports. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

See your live posture on 03.01.07.

FORCE shows where you stand on this control and walks you through closing it.