IAC-21: Least Privilege

IAC 10 — Critical Protect

Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.

Control Question: Does the organization utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions?

General (53)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC5.2-POF3 CC6.1 CC6.1-POF12 CC6.1-POF13 CC6.1-POF7
CIS CSC 8.1	5.4
CIS CSC 8.1 IG1	5.4
CIS CSC 8.1 IG2	5.4
CIS CSC 8.1 IG3	5.4
CSA CCM 4	IAM-05
CSA IoT SCF 2	IAM-06
ENISA 2.0	SO11
GovRAMP Core	AC-06
GovRAMP Low+	AC-06
GovRAMP Moderate	AC-06
GovRAMP High	AC-06
IEC TR 60601-4-5 2021	4.4
IEC 62443-4-2 2019	CCSC 3 (4.4) FR 5 (9.1)
ISO 27002 2022	5.15 5.18 8.3 8.12
ISO 27017 2015	9.1.2 9.2.2
MITRE ATT&CK 10	T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1005, T1021, T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1025, T1036, T1036.003, T1036.005, T1041, T1047, T1048, T1048.002, T1048.003, T1052, T1052.001, T1053, T1053.001, T1053.002, T1053.003, T1053.005, T1053.006, T1053.007, T1055, T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1056.003, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1068, T1070, T1070.001, T1070.002, T1070.003, T1072, T1078, T1078.001, T1078.002, T1078.003, T1078.004, T1087.004, T1091, T1098, T1098.001, T1098.002, T1098.003, T1106, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1112, T1133, T1134, T1134.001, T1134.002, T1134.003, T1134.005, T1136, T1136.001, T1136.002, T1136.003, T1137, T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006, T1176, T1185, T1189, T1190, T1197, T1199, T1200, T1203, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1213.003, T1218, T1218.007, T1222, T1222.001, T1222.002, T1484, T1485, T1486, T1489, T1490, T1491, T1491.001, T1491.002, T1495, T1505, T1505.002, T1505.003, T1505.004, T1525, T1528, T1530, T1537, T1538, T1539, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1543, T1543.001, T1543.002, T1543.003, T1543.004, T1546.003, T1546.004, T1546.011, T1546.013, T1547.003, T1547.004, T1547.006, T1547.009, T1547.011, T1547.012, T1547.013, T1548, T1548.002, T1548.003, T1550, T1550.002, T1550.003, T1552, T1552.001, T1552.002, T1552.006, T1552.007, T1553, T1553.003, T1553.006, T1556, T1556.001, T1556.003, T1556.004, T1558, T1558.001, T1558.002, T1558.003, T1559, T1559.001, T1559.002, T1561, T1561.001, T1561.002, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1563, T1563.001, T1563.002, T1567, T1569, T1569.001, T1569.002, T1574, T1574.004, T1574.005, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012, T1578, T1578.001, T1578.002, T1578.003, T1580, T1599, T1599.001, T1601, T1601.001, T1601.002, T1606, T1606.001, T1606.002, T1609, T1610, T1611, T1612, T1613, T1619
MPA Content Security Program 5.1	TS-2.6
NIST Privacy Framework 1.0	PR.AC-P4
NIST 800-53 R4	AC-6
NIST 800-53 R4 (moderate)	AC-6
NIST 800-53 R4 (high)	AC-6
NIST 800-53 R5 (source)	AC-6 SA-8(14)
NIST 800-53B R5 (moderate) (source)	AC-6
NIST 800-53B R5 (high) (source)	AC-6
NIST 800-53 R5 (NOC) (source)	SA-8(14)
NIST 800-82 R3 MODERATE OT Overlay	AC-6
NIST 800-82 R3 HIGH OT Overlay	AC-6
NIST 800-161 R1	AC-6
NIST 800-171 R2 (source)	3.1.5
NIST 800-171A (source)	3.1.5[b] 3.1.5[c] 3.1.5[d]
NIST 800-171 R3 (source)	03.01.01.c.03 03.01.01.d.01 03.01.01.d.02 03.01.04.b 03.01.05.a 03.01.05.b 03.01.06.a 03.01.07.a 03.03.08.a 03.03.08.b 03.04.05
NIST 800-171A R3 (source)	A.03.01.02[02] A.03.01.05.a
NIST 800-207	NIST Tenet 3
NIST CSF 2.0 (source)	PR.AA-05 PR.DS-10
OWASP Top 10 2021	A01:2021
PCI DSS 4.0.1 (source)	1.3 3.4 3.4.2 7.1 7.2 7.2.1 7.2.2 7.2.6 7.3 7.3.1 7.3.2 7.3.3 8.6 8.6.1
PCI DSS 4.0.1 SAQ A-EP (source)	7.2.2 8.6.1
PCI DSS 4.0.1 SAQ B (source)	7.2.2
PCI DSS 4.0.1 SAQ B-IP (source)	7.2.2
PCI DSS 4.0.1 SAQ C (source)	7.2.2 8.6.1
PCI DSS 4.0.1 SAQ C-VT (source)	7.2.2
PCI DSS 4.0.1 SAQ D Merchant (source)	3.4.2 7.2.1 7.2.2 7.2.6 7.3.1 7.3.2 7.3.3 8.6.1
PCI DSS 4.0.1 SAQ D Service Provider (source)	3.4.2 7.2.1 7.2.2 7.2.6 7.3.1 7.3.2 7.3.3 8.6.1
SPARTA	CM0039
SWIFT CSF 2023	1.2 2.10 5.1
TISAX ISA 6	4.2.1
UL 2900-1 2017	8.7
SCF CORE Fundamentals	IAC-21
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	IAC-21
SCF CORE ESP Level 1 Foundational	IAC-21
SCF CORE ESP Level 2 Critical Infrastructure	IAC-21
SCF CORE ESP Level 3 Advanced Threats	IAC-21

US (32)

Framework	Mapping Values
US C2M2 2.1	ACCESS-1.G.MIL2 ACCESS-2.D.MIL2 ARCHITECTURE-2.E.MIL2 ARCHITECTURE-3.C.MIL2
US CERT RMM 1.2	AM:SG1.SP1 ID:SG1.SP1 ID:SG1.SP2 ID:SG1.SP3
US CJIS Security Policy 5.9.3 (source)	AC-6
US CMMC 2.0 Level 2 (source)	AC.L2-3.1.5
US CMMC 2.0 Level 3 (source)	AC.L2-3.1.5
US CMS MARS-E 2.0	AC-6
US DoD Zero Trust Execution Roadmap	1.7 4.7
US DHS CISA TIC 3.0	3.UNI.LPRIV
US DHS ZTCF	ACC-01
US FDA 21 CFR Part 11	11.10 11.10(d)
US FedRAMP R4	AC-6
US FedRAMP R4 (moderate)	AC-6
US FedRAMP R4 (high)	AC-6
US FedRAMP R5 (source)	AC-6
US FedRAMP R5 (moderate) (source)	AC-6
US FedRAMP R5 (high) (source)	AC-6
US FFIEC	D3.PC.Am.B.1 D3.PC.Am.B.2 D3.PC.Am.B.5
US GLBA CFR 314 2023 (source)	314.4(c)(1)(i)
US HIPAA Administrative Simplification 2013 (source)	164.308(a)(3)(i) 164.312(a)(1)
US HIPAA Security Rule / NIST SP 800-66 R2 (source)	164.308(a)(3)(i) 164.312(a)(1)
US HIPAA HICP Small Practice	2.S.A 3.S.A 6.S.A 6.S.B
US HIPAA HICP Medium Practice	2.M.A 3.M.B 9.M.C
US HIPAA HICP Large Practice	2.M.A 3.M.B 9.M.C 3.L.C 5.L.B 6.L.E
US IRS 1075	2.C.6 2.C.11 2.C.11.1 2.C.11.2 2.C.11.3 2.C.11.4 2.C.11.5 2.C.11.6 2.C.11.7 2.C.11.8 2.D.6 2.E.6.2 AC-6
US NISPOM 2020	8-303
US NSTC NSPM-33	6.2
US SSA EIESR 8.0	5.3
US TSA / DHS 1580/82-2022-01	III.C.3
US - CA CCPA 2025	7123(c)(3)(A) 7123(c)(3)(A)(iii) 7123(c)(3)(B)
US - NY DFS 23 NYCRR500 2023 Amd 2	500.7(a)(1) 500.7(a)(2)
US - OR 646A	622(2)(d)(C)(iii)
US - TX DIR Control Standards 2.0	AC-6

EMEA (11)

Framework	Mapping Values
EMEA EU Cyber Resiliency Act Annexes	Annex 1.1(3)(e)
EMEA EU DORA	9.4(c)
EMEA EU NIS2 Annex	11.2.2(a) 11.2.2(d) 11.3.2(c) 11.3.2(d) 6.7.2(g)
EMEA Germany Banking Supervisory Requirements for IT (BAIT)	6.2
EMEA Germany C5 2020	IDM-07
EMEA Israel CDMO 1.0	4.10 12.29
EMEA Saudi Arabia IoT CGIoT-1 2024	2-2-1
EMEA Saudi Arabia OTCC-1 2022	2-3-1-4
EMEA Spain BOE-A-2022-7191	17 20
EMEA Spain 311/2022	17 20
EMEA UK DEFSTAN 05-138	2205 2206

APAC (6)

Framework	Mapping Values
APAC Australia Essential 8	ML1-P4 ML2-P4 ML3-P4
APAC Australia ISM June 2024	ISM-0441 ISM-0611 ISM-1380 ISM-1392 ISM-1705 ISM-1706 ISM-1707 ISM-1708
APAC India SEBI CSCRF	PR.AA.S3
APAC Japan ISMAP	9.1.2 9.2.2 9.2.2.8.PB
APAC New Zealand NZISM 3.6	16.2.4.C.01 16.4.31.C.01 16.4.31.C.02 23.4.10.C.01
APAC Singapore MAS TRM 2021	9.1.1

Americas (2)

Framework	Mapping Values
Americas Canada OSFI B-13	3.2.7
Americas Canada ITSP-10-171	03.01.01.C.03 03.01.01.D.01 03.01.01.D.02 03.01.04.B 03.01.05.A 03.01.05.B 03.01.06.A 03.01.07.A 03.03.08.A 03.03.08.B 03.04.05

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.

Level 1 — Performed Informally

Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.

Level 2 — Planned & Tracked

Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.

Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
IT personnel:
Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.

Level 3 — Well Defined

Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.

Assessment Objectives

IAC-21_A01 organization-defined systems or system components implement the security design principle of least privilege.
IAC-21_A02 privileged accounts are identified.
IAC-21_A03 access to privileged accounts is authorized in accordance with the principle of least privilege.
IAC-21_A04 systems or system components that implement the security design principle of least privilege are defined.
IAC-21_A05 approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.
IAC-21_A06 system access for users (or processes acting on behalf of users) is authorized only when necessary to accomplish assigned organizational tasks.
IAC-21.1_A01 security functions are identified.
IAC-21.1_A02 access to security functions is authorized in accordance with the principle of least privilege.

Evidence Requirements

E-IAM-02 Defined Roles & Authorizations (RBAC): Documented evidence of defined access control-specific roles (e.g., Role Based Access Control (RBAC)) that affect both logical and physical access authorizations.
Identity & Access Management
E-IAM-05 Identity & Access Management (IAM) Function: Documented evidence of an Identity & Access Management (IAM), or similar function, that facilitates the implementation of identification and access management controls.
Identity & Access Management
E-IAM-06 Authenticate, Authorize and Audit (AAA) Solution: Documented evidence of an Authenticate, Authorize and Audit (AAA) solution (on-premises and hosted by External Service Providers (ESP)).
Identity & Access Management

Technology Recommendations

Micro/Small

Role Based Access Control (RBAC)

Small

Role Based Access Control (RBAC)

Medium

Role Based Access Control (RBAC)

Large

Role Based Access Control (RBAC)

Enterprise

Role Based Access Control (RBAC)