3.1.5 — Minimum Necessary
What It Says
Employ the principle of least privilege, including for specific security functions and privileged accounts.
What It Actually Means
Start everyone at zero access. Add only what their job requires. Review regularly.
Three things the assessor needs to see:
- A list of every privileged account — with a justification for why each one exists
- Evidence that privilege is only granted when needed — not “just in case” or “because they asked”
- Identified security functions — you know which system functions (audit config, access management, security settings) require elevated access
The most common failure: users accumulate permissions over time as they move between projects or roles, but nobody ever revokes the old ones. That’s privilege creep, and assessors look for it specifically.
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are privileged accounts identified and documented? | A list with names, justifications, and review dates |
| 2 | Is privileged access granted only when necessary? | Not by default — only for specific job functions |
| 3 | Are security functions requiring privilege identified? | Documented list of functions needing elevated access |
| 4 | Do non-security functions use non-privileged accounts? | Admins switch accounts for everyday work (see 3.1.6) |
What to Have Ready on Assessment Day
Documents they’ll review: Access control policy, least privilege procedures, system security plan, privileged account list with justifications, system configuration, access review records, audit logs
People they’ll talk to: Account managers, sysadmins, security staff, personnel defining least privilege for specific tasks
Live demos they’ll ask for: “Show me your privileged account list. Justify this one. Show me what happens when a user with basic permissions tries to access an admin function.”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Show me your list of privileged accounts. What justifies each one?”
- “How do you ensure privileged access is revoked when no longer needed?”
- “Show me evidence of a periodic review of privileged access.”
- “What security functions have you identified that require privileged accounts?”
Where Companies Trip Up
Everyone is a local admin. Workstations with local admin rights for all users. This is the most common shortcut and the fastest way to fail.
Privilege creep. Users accumulate permissions over years. Old permissions never revoked. Run quarterly access reviews.
No privileged account inventory. Admins exist but nobody has a complete list of who has elevated access and why.
Over-permissioned service accounts. Automated processes running as domain admin when they only need read access to one database.
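The four failure modes above all show up in the privileged account inventory an assessor asks for. The following script is an added example, not part of this guide or any vendor tool: it runs over a constructed inventory and flags rows that would not earn a “yes” (missing justification, review older than an assumed 90-day quarterly cadence, service accounts holding an assumed high-privilege role, and local admin handed to every user).

```python
from datetime import date, timedelta

# Constructed sample inventory, not real accounts. Each row mirrors the
# evidence 3.1.5 asks for: who holds elevated access, why, and when it was
# last reviewed.
INVENTORY = [
    {"account": "jdoe-adm", "type": "user", "roles": ["Domain Admins"],
     "justification": "Tier-0 directory administration", "last_review": "2024-04-02"},
    {"account": "svc-backup", "type": "service", "roles": ["Domain Admins"],
     "justification": "", "last_review": "2023-01-15"},
    {"account": "ws-helpdesk", "type": "user", "roles": ["Local Administrators"],
     "justification": "Workstation support", "last_review": "2024-05-20"},
    {"account": "asmith", "type": "user", "roles": ["Local Administrators"],
     "justification": "Asked for it", "last_review": "2024-05-20"},
]

REVIEW_INTERVAL = timedelta(days=90)            # assumed quarterly cadence
HIGH_PRIV_ROLES = {"Domain Admins", "Global Administrator"}  # assumed role names
LOCAL_ADMIN_ROLE = "Local Administrators"       # assumed role name


def review_inventory(inventory, as_of):
    """Return (account, finding) pairs for rows an assessor would question."""
    findings = []
    for row in inventory:
        if not row["justification"].strip():
            findings.append((row["account"], "missing justification"))
        last = date.fromisoformat(row["last_review"])
        if as_of - last > REVIEW_INTERVAL:
            findings.append((row["account"], "review overdue"))
        if row["type"] == "service" and HIGH_PRIV_ROLES & set(row["roles"]):
            findings.append((row["account"], "service account holds high-privilege role"))
    return findings


def local_admin_share(inventory):
    """Fraction of user accounts holding local admin; 1.0 means 'everyone is admin'."""
    users = [r for r in inventory if r["type"] == "user"]
    if not users:
        return 0.0
    admins = [r for r in users if LOCAL_ADMIN_ROLE in r["roles"]]
    return len(admins) / len(users)


if __name__ == "__main__":
    for account, finding in review_inventory(INVENTORY, date(2024, 6, 1)):
        print(f"{account}: {finding}")
    print(f"local admin share among users: {local_admin_share(INVENTORY):.2f}")
```

The output is the starting point for the quarterly review record, not a substitute for the human justification the assessor reads.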
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.1.2 — What They Can Do | Limits functions per role |
| 3.1.4 — No One Person Runs the Show | Ensures critical functions aren’t concentrated |
| 3.1.6 — Two Hats, Two Accounts | Admins use regular accounts for non-admin work |
| 3.1.7 — Log the Admin Work | Logs when privileged functions are executed |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: AC.L2-3.1.5 | SPRS Weight: 3 points | POA&M Eligible: No