Least Privilege | AC-6

Description

The principle of least privilege is employed for MCC information systems. Users (or processes acting on behalf of users) must only have the access necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

  • Accounts must be created with a baseline appropriate for the category of (For example, MCC Users receive a minimum level of access to information resources approved for all employees).
  • Information Resource Custodians are responsible for ensuring that access is given to the minimum degree necessary for users to accomplish assigned tasks.
  • Administrator and special access accounts are only authorized to perform limited privileged access tasks, such as system maintenance and administration.
  • Sensitive tasks such as account management must be restricted to members of specific privileged security groups created for that purpose.
  • Information Resource Owners or their designees are responsible for ensuring that users with administrative accounts are aware of the extraordinary responsibilities associated with the use of privileged accounts.
  • Privileges should be escalated only when necessary to accomplish assigned tasks.

Last updated: 5/8/2026
