Non-privileged Account Use
Use non-privileged accounts or roles when accessing nonsecurity functions.
What an assessor scores, the objectives
AC.L2-3.1.6 is met only when both of these objectives, from NIST SP 800-171A, are satisfied. A single missed objective makes the whole requirement not met.
- a. nonsecurity functions are identified
- b. users are required to use non-privileged accounts or roles when accessing nonsecurity functions
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods: Examine, Interview, and Test. For AC.L2-3.1.6, an assessor uses these:
- Examine: access control policy; procedures addressing least privilege; system security plan; list of system-generated security functions assigned to system accounts or roles; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records
- Interview: personnel with responsibilities for defining least privileges necessary to accomplish specified organizational tasks; personnel with information security responsibilities; system or network administrators
- Test: mechanisms implementing least privilege functions
What it means, in context
This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

A user with a privileged account can perform more tasks and access more information than a person with a non-privileged account. Tasks (including unauthorized tasks orchestrated by attackers) performed when using the privileged account can have a greater impact on the system. System administrators and users with privileged accounts must be trained not to use their privileged accounts for everyday tasks, such as browsing the internet or connecting unnecessarily to other systems or services.

Example

You are logged in using your privileged account and you need to look up how to reset a non-functioning application which processes CUI. You should log on to another computer with your non-privileged account before you connect to the web and start searching for the reset information [b]. That way, if your account is compromised during the search, it will be your regular user account rather than an account with elevated privileges.

Potential Assessment Considerations

- Are nonsecurity functions and non-privileged roles defined [a,b]?
- Is it required that nonsecurity functions only be accessed with the use of non-privileged accounts? How is this verified [b]?
What passing evidence looks like
Proof that admins have two accounts and use the standard one for email and daily work: the user list showing paired accounts, and a line in the account policy requiring it.
Common ways contractors fail AC.L2-3.1.6
- One mailbox on the admin account is the tell. If the Global Admin account has a license and a mailbox that receives daily email, the control is not real.
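As an added example (not code from this page or from the Accelerator product), the Python script below turns the two evidence points above into a repeatable check over an exported user list: every account holding a privileged role must have a paired standard account, and no privileged account may carry a mailbox or a license. The CSV columns, the `adm-` naming convention for admin accounts, and the sample rows are all assumptions constructed for the example; adapt the parser to whatever your directory export actually produces.

```python
"""Audit a directory user export for AC.L2-3.1.6 evidence.

Assumptions (hypothetical, not from any specific platform):
  - the export is a CSV with columns
      upn, display_name, privileged_roles, has_mailbox, licensed
    where privileged_roles is a semicolon-separated list (empty = standard user)
  - admin accounts are named by prefixing "adm-" to the paired standard
    account's local part, e.g. adm-jdoe@... pairs with jdoe@...
"""
import csv
import io

ADMIN_PREFIX = "adm-"

# Constructed sample export: one clean pair, one admin with a mailbox,
# one admin with no paired standard account, and one privileged account
# that ignores the naming convention and is used as a daily mailbox.
SAMPLE_EXPORT = """upn,display_name,privileged_roles,has_mailbox,licensed
jdoe@example.test,Jane Doe,,true,true
adm-jdoe@example.test,Jane Doe (admin),Global Administrator,false,false
adm-rroe@example.test,Rick Roe (admin),Exchange Administrator,true,true
rroe@example.test,Rick Roe,,true,true
adm-orphan@example.test,Orphan Admin,User Administrator,false,false
bsmith@example.test,Bob Smith,Global Administrator,true,true
"""


def parse_export(text):
    """Parse the CSV export into a list of normalized account records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "upn": r["upn"].strip().lower(),
            "display_name": r["display_name"].strip(),
            "roles": [x.strip() for x in r["privileged_roles"].split(";") if x.strip()],
            "has_mailbox": r["has_mailbox"].strip().lower() == "true",
            "licensed": r["licensed"].strip().lower() == "true",
        })
    return rows


def paired_standard_upn(admin_upn):
    """Return the standard-account UPN an admin account should pair with,
    or None if the account does not follow the admin naming convention."""
    local, _, domain = admin_upn.partition("@")
    if not local.startswith(ADMIN_PREFIX):
        return None
    return f"{local[len(ADMIN_PREFIX):]}@{domain}"


def audit(rows):
    """Return a list of (upn, finding) tuples for every privileged account
    that would not pass as AC.L2-3.1.6 evidence."""
    by_upn = {r["upn"]: r for r in rows}
    findings = []
    for r in rows:
        if not r["roles"]:
            continue  # standard user; nothing to check here
        # The "one mailbox on the admin account" tell from the page.
        if r["has_mailbox"] or r["licensed"]:
            findings.append((r["upn"], "privileged account has a mailbox or license"))
        # The paired-account evidence: an admin needs a standard twin.
        pair = paired_standard_upn(r["upn"])
        if pair is None:
            findings.append((r["upn"], "privileged account does not follow the admin naming convention"))
        elif pair not in by_upn:
            findings.append((r["upn"], f"no paired standard account {pair}"))
        elif by_upn[pair]["roles"]:
            findings.append((r["upn"], f"paired account {pair} also holds privileged roles"))
    return findings


if __name__ == "__main__":
    for upn, finding in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{upn}: {finding}")
```

An empty findings list, together with the export it was run against, is the kind of artifact an assessor can tie directly to objective [b]; a non-empty list is your POA&M input.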
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove AC.L2-3.1.6, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
AC.L2-3.1.6 questions, answered
How many points is CMMC requirement AC.L2-3.1.6 worth?
AC.L2-3.1.6 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can AC.L2-3.1.6 be placed on a POA&M?
Yes. A gap on AC.L2-3.1.6 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does AC.L2-3.1.6 belong to?
AC.L2-3.1.6 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.1.6