NIST 800-171 R-3.1.5
Employ the Principle of Least Privilege
Official citation: 3.1.5
Class: core · Severity: critical
Statement of the obligation — verify against source
3.1.5
What it means
Give every account and process the minimum access needed to do its job and no more — especially privileged/administrator accounts and security functions such as setting up accounts, configuring logging, tuning intrusion detection, and granting permissions. Restrict privileged accounts to specific people or roles so day-to-day users can't reach privileged functions, and apply least privilege to development and operations as well.
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.