NIST 800-171 R-3.1.6

Use Non-Privileged Accounts for Nonsecurity Functions

Official citation: 3.1.6

Class: core · Severity: high

Statement of the obligation — verify against source

3.1.6

What it means

Users who hold privileged accounts should do everyday, non-security work (email, web browsing, document editing) from an ordinary non-privileged account, and use the privileged account or role only for the tasks that actually require it. Every session run under a privileged account is an opportunity for that account's credentials or session to be captured by malware, phishing or a malicious web page, so keeping those sessions short and task-specific shrinks the exposure window. The practice also makes privileged activity easier to audit, because elevation becomes a distinct, logged event (a separate admin login, or a sudo or "run as" step) rather than the permanent state of a logged-in administrator. Role-based access can satisfy this requirement where switching roles gives the same assurance as switching between a non-privileged and a privileged account, that is, the non-privileged role genuinely cannot perform privileged operations until the user explicitly changes role.
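An assessor will usually ask for evidence that privileged accounts are not being used for day-to-day sessions. The following is an added example of such a check, not part of NIST SP 800-171 or any official assessment tool: it identifies privileged accounts from passwd/group-style data (UID 0 or membership in an admin group) and flags any that appear in "everyday" session records. The admin group names, the session kinds, and all of the passwd, group and session data are constructed assumptions for the example.

```python
"""Audit whether privileged accounts are used for everyday (non-security) sessions.

Added example for NIST SP 800-171 3.1.6; not part of the standard or of any assessor tool.
All data below is constructed sample input so the script runs offline.
"""

# Assumption: groups whose members are treated as privileged at this site.
ADMIN_GROUPS = {"wheel", "sudo", "admin"}
# Assumption: session kinds that count as everyday, non-security use.
EVERYDAY_SESSION_KINDS = {"desktop", "browser", "mail"}

# Constructed /etc/passwd-style content. svc-backup is privileged because its UID is 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
alice-adm:x:1001:1001:Alice (admin):/home/alice-adm:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:0:0:backup service:/var/backup:/sbin/nologin
"""

# Constructed /etc/group-style content.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice-adm,bob
users:x:100:alice,bob
"""

# Constructed session records as (user, session kind). "sudo" is elevation from a
# non-privileged login, which is the pattern 3.1.6 expects; "desktop"/"browser" are everyday use.
SAMPLE_SESSIONS = [
    ("alice", "desktop"),
    ("alice", "browser"),
    ("alice-adm", "ssh"),
    ("bob", "desktop"),     # finding: bob is in wheel and runs a desktop session
    ("root", "browser"),    # finding: UID 0 used for web browsing
    ("alice", "sudo"),      # expected: non-privileged login elevating for one task
]


def parse_passwd(text):
    """Return {user: (uid, primary_gid)} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        accounts[name] = (int(uid), int(gid))
    return accounts


def parse_group(text):
    """Return {group: (gid, set_of_supplementary_members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def privileged_accounts(passwd, groups, admin_groups=ADMIN_GROUPS):
    """Privileged = UID 0, or admin group membership (supplementary or primary GID)."""
    priv = {name for name, (uid, _gid) in passwd.items() if uid == 0}
    admin_gids = set()
    for gname, (gid, members) in groups.items():
        if gname in admin_groups:
            priv |= members
            admin_gids.add(gid)
    priv |= {name for name, (_uid, gid) in passwd.items() if gid in admin_gids}
    return priv


def audit_sessions(sessions, privileged, everyday=EVERYDAY_SESSION_KINDS):
    """Return (user, kind) pairs where a privileged account ran an everyday session."""
    return [(user, kind) for user, kind in sessions
            if user in privileged and kind in everyday]


def run_audit():
    """Run the audit over the constructed sample data."""
    passwd = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    priv = privileged_accounts(passwd, groups)
    return sorted(priv), audit_sessions(SAMPLE_SESSIONS, priv)


if __name__ == "__main__":
    priv, findings = run_audit()
    print("privileged accounts:", ", ".join(priv))
    for user, kind in findings:
        print(f"FINDING: privileged account {user!r} used for everyday session {kind!r}")
```

On a real system the passwd and group text would come from the host (or from a directory export for domain accounts) and the session records from login or endpoint telemetry; the two findings the sample produces (bob's desktop session and root browsing) are exactly the behaviour 3.1.6 is meant to rule out, while alice's sudo elevation from her non-privileged login is the expected pattern.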

Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.