Privileged Access Management

Privileged Access Management (PAM) requires organizations to control and monitor administrative credentials across IT and OT systems. You need a formal PAM program with documented inventories, lifecycle controls, monitoring, and quarterly reviews to meet C2M2 ACCESS-2.C requirements.

Key takeaways:

  • Inventory all privileged accounts across IT/OT systems within a defined timeframe
  • Implement technical controls for password vaults, MFA, and session recording
  • Document access approval workflows and quarterly certification processes
  • Monitor privileged sessions with automated alerting for anomalies
  • Prepare specific audit artifacts: PAM policy, account inventory, access logs

The C2M2 ACCESS-2.C requirement mandates that "credentials for privileged access to IT and OT assets are managed to reduce the risk of unauthorized use." This applies to energy sector organizations and critical infrastructure operators implementing the Cybersecurity Capability Maturity Model.

Privileged accounts represent your highest risk exposure. A single compromised admin credential can bypass every other security control you've implemented. Yet most organizations discover during audits that they can't even produce a complete inventory of privileged accounts, let alone demonstrate proper lifecycle management.

This guide provides the step-by-step implementation path for C2M2 PAM compliance, including the specific evidence auditors expect, common pitfalls that trigger findings, and a practical rollout timeline that balances security improvements with operational reality.

Regulatory text

The C2M2 v2.1 ACCESS-2.C requirement states: "Credentials for privileged access to IT and OT assets are managed to reduce the risk of unauthorized use."

This means organizations must implement formal controls for any account with elevated permissions - including domain administrators, database admins, service accounts, emergency access accounts, and OT system operators. The requirement covers both human and non-human privileged identities across information technology and operational technology environments.

Who This Applies To

Entity Types:

  • Energy sector organizations (utilities, generators, transmission operators)
  • Critical infrastructure operators using C2M2 for maturity assessment
  • Third-party service providers with privileged access to covered entities

Operational Context:

  • IT teams managing domain controllers, servers, databases
  • OT teams managing SCADA, DCS, and industrial control systems
  • Security teams responsible for access governance
  • Compliance teams documenting control effectiveness

Step-by-Step Implementation

Phase 1: Discovery and Inventory (Days 1-30)

1. Identify All Privileged Account Types

Create a comprehensive list covering:

  • Local administrator accounts on servers/workstations
  • Domain admin and enterprise admin accounts
  • Service accounts running critical applications
  • Database administrator accounts (SA, root, sys)
  • Cloud platform administrative roles (AWS IAM, Azure AD)
  • OT system operator accounts
  • Emergency break-glass accounts
  • Vendor/contractor privileged accounts

2. Document Current State

Build an inventory spreadsheet with these columns:

  • Account name
  • System/platform
  • Account type (human/service)
  • Owner (person accountable)
  • Last password change date
  • Last access review date
  • Business justification

3. Identify Technical Gaps

Assess your current tooling:

  • Do you have a password vault/PAM solution?
  • Is MFA enforced on all privileged accounts?
  • Are privileged sessions recorded?
  • Do you have automated alerts for privilege escalation?
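As an added example (not from the page or any PAM product), this is the reconciliation an assessor asks for later in the audit-questions section: a constructed export of privileged group membership checked against constructed inventory rows with the Step 2 columns. Group names, accounts, dates, and the use of the 90-day and 180-day upper bounds of the page's rotation ranges are assumptions.

```python
from datetime import date

# Constructed sample data: the membership of privileged directory groups as
# exported today, and the PAM inventory spreadsheet rows (columns from Step 2).
TODAY = date(2024, 6, 30)
DIRECTORY_PRIVILEGED = {  # constructed: group -> member accounts
    "Domain Admins": {"jsmith_adm", "svc_backup", "breakglass01"},
    "SQL sysadmin": {"svc_erp_db", "mlee_adm"},
}
INVENTORY = [  # constructed rows; dates as ISO strings, like a spreadsheet export
    {"account": "jsmith_adm", "system": "AD", "type": "human", "owner": "J. Smith",
     "pw_changed": "2024-05-01", "reviewed": "2024-04-15", "justification": "Tier-0 admin"},
    {"account": "svc_backup", "system": "AD", "type": "service", "owner": "",
     "pw_changed": "2023-09-01", "reviewed": "2024-04-15", "justification": "Backup agent"},
    {"account": "old_admin", "system": "AD", "type": "human", "owner": "Former staff",
     "pw_changed": "2023-01-10", "reviewed": "2023-10-01", "justification": "Legacy"},
    {"account": "svc_erp_db", "system": "SQL", "type": "service", "owner": "ERP team",
     "pw_changed": "2024-06-01", "reviewed": "2024-06-01", "justification": "ERP connection"},
]
# Thresholds from the page: quarterly review; 60-90 day (human) and 90-180 day
# (service) rotation. The upper bound of each range is assumed here.
MAX_PW_AGE_DAYS = {"human": 90, "service": 180}
MAX_REVIEW_AGE_DAYS = 90

def reconcile(directory, inventory, today=TODAY):
    """Return the findings an assessor would raise: group members missing from
    the inventory, inventory rows in no privileged group (orphans), rows with no
    accountable owner, and rows whose rotation or quarterly review is overdue."""
    in_directory = {m for members in directory.values() for m in members}
    inventoried = {row["account"] for row in inventory}
    findings = {
        "missing_from_inventory": sorted(in_directory - inventoried),
        "orphaned_in_inventory": sorted(inventoried - in_directory),
        "no_owner": [], "rotation_overdue": [], "review_overdue": [],
    }
    for row in inventory:
        if not row["owner"].strip():
            findings["no_owner"].append(row["account"])
        pw_age = (today - date.fromisoformat(row["pw_changed"])).days
        if pw_age > MAX_PW_AGE_DAYS[row["type"]]:
            findings["rotation_overdue"].append(row["account"])
        review_age = (today - date.fromisoformat(row["reviewed"])).days
        if review_age > MAX_REVIEW_AGE_DAYS:
            findings["review_overdue"].append(row["account"])
    return findings

if __name__ == "__main__":
    for kind, accounts in reconcile(DIRECTORY_PRIVILEGED, INVENTORY).items():
        print(f"{kind}: {accounts}")
```

Each finding list maps to an inventory column the auditor checks; an empty set of findings is the state you want to show alongside the inventory's last update date.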

Phase 2: Policy and Process Design (Days 31-60)

4. Draft PAM Policy

Your policy must address:

  • Privileged account definition and scope
  • Approval workflow for new privileged access
  • Password complexity and rotation requirements
  • Session monitoring requirements
  • Certification/review frequency
  • Deprovisioning procedures

5. Design Access Request Workflow

Create a documented process for:

  • Business justification requirements
  • Manager and system owner approval chain
  • Maximum access duration (time-boxed privileges)
  • Extension request procedures
  • Emergency access protocols

6. Establish Monitoring Requirements

Define what constitutes suspicious privileged activity:

  • After-hours access patterns
  • Bulk data exports
  • Configuration changes
  • New account creation
  • Permission modifications

Phase 3: Technical Implementation (Days 61-90)

7. Deploy PAM Technology Stack

Priority order for technical controls:

  1. Password Vault: Centralized storage for all privileged credentials
  2. Multi-Factor Authentication: Hardware tokens or app-based MFA for all privileged access
  3. Session Recording: Full video capture of privileged sessions
  4. Just-in-Time Access: Temporary elevation with automatic revocation
  5. Behavioral Analytics: ML-based anomaly detection for privileged activities

8. Migrate Credentials

  • Start with highest-risk accounts (domain admins)
  • Rotate all passwords during migration
  • Update service account dependencies
  • Test break-glass procedures

9. Enable Monitoring and Alerting

Configure real-time alerts for:

  • Failed privileged authentication attempts
  • Privileged access outside business hours
  • Direct database access bypassing applications
  • Use of emergency accounts
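Added example, not code from the original page: the Step 6 and Step 9 alert rules run over constructed sample logon events (simplified key=value lines, not a real Windows Security log export). Business hours, the three-failure threshold, and the account lists are assumptions; the block also covers the break-glass-use and service-account interactive-logon alerts from the mistakes section below.

```python
from datetime import datetime

# Constructed sample events in a simplified key=value layout (not the native
# Windows Security log format). EventID 4624/4625 are the Windows logon
# success/failure IDs; LogonType 2 = Interactive, 10 = RemoteInteractive, 5 = Service.
SAMPLE_LOG = """\
2024-06-28T09:05:00 EventID=4624 Account=jsmith_adm LogonType=10 Host=dc01
2024-06-28T09:10:00 EventID=4624 Account=jdoe LogonType=2 Host=ws42
2024-06-28T10:00:00 EventID=4624 Account=breakglass01 LogonType=2 Host=hmi01
2024-06-28T10:30:00 EventID=4624 Account=svc_backup LogonType=2 Host=fs01
2024-06-28T12:00:00 EventID=4624 Account=svc_backup LogonType=5 Host=fs01
2024-06-28T23:41:00 EventID=4625 Account=jsmith_adm LogonType=3 Host=dc01
2024-06-28T23:41:05 EventID=4625 Account=jsmith_adm LogonType=3 Host=dc01
2024-06-28T23:41:09 EventID=4625 Account=jsmith_adm LogonType=3 Host=dc01
2024-06-29T10:00:00 EventID=4624 Account=mlee_adm LogonType=10 Host=sql01
"""
PRIVILEGED = {"jsmith_adm", "mlee_adm", "breakglass01", "svc_backup"}  # constructed
BREAK_GLASS = {"breakglass01"}
SERVICE_ACCOUNTS = {"svc_backup"}
BUSINESS_HOURS = range(7, 19)   # assumed: 07:00-18:59, Monday to Friday
FAILED_THRESHOLD = 3            # assumed: alert on the third failure per account

def parse_event(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(timestamp)
    return event

def detect(log_text):
    """Return (rule, account, host) alerts for the Step 6 / Step 9 rules."""
    alerts, failures = [], {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        acct, host = ev["Account"], ev["Host"]
        if acct not in PRIVILEGED:
            continue  # these rules only cover privileged identities
        if ev["EventID"] == "4625":
            failures[acct] = failures.get(acct, 0) + 1
            if failures[acct] == FAILED_THRESHOLD:
                alerts.append(("failed_privileged_auth", acct, host))
            continue  # a failure is not a session; skip the logon rules
        if acct in BREAK_GLASS:
            alerts.append(("break_glass_used", acct, host))
        if acct in SERVICE_ACCOUNTS and ev["LogonType"] in {"2", "10"}:
            alerts.append(("service_account_interactive", acct, host))
        if ev["time"].weekday() >= 5 or ev["time"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_privileged", acct, host))
    return alerts
```

The service logon (LogonType 5) by svc_backup and the in-hours admin logon produce nothing, which is the point: the rules fire on the anomalies the page lists, not on routine privileged use.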

Required Evidence and Artifacts

Auditors will request these specific items:

Documentation:

  • Current PAM policy with executive approval signature
  • Privileged account inventory (most recent update within a defined period)
  • Access approval forms/tickets (sample of 10-20)
  • Quarterly access review reports with attestations
  • Incident response procedures for compromised privileged accounts

Technical Evidence:

  • PAM solution configuration screenshots
  • MFA enforcement reports showing a meaningful percentage coverage
  • Session recordings (be prepared to demonstrate)
  • Sample of automated alerts from last quarter
  • Password rotation logs

Process Evidence:

  • Completed access request forms showing approval chain
  • Deprovisioning tickets for terminated employees
  • Exception reports and remediation plans
  • Training records for privileged users

Common Audit Questions and Responses

"Show me how you track all privileged accounts."

Present your centralized inventory with last update date. Demonstrate the automated discovery process if available. Show reconciliation between AD privileged groups and your inventory.

"How do you ensure terminated employees no longer have privileged access?"

Show your HR integration or manual checklist process. Provide examples of deprovisioning tickets. Demonstrate how service accounts are re-owned when employees leave.

"What happens if someone needs emergency privileged access?"

Walk through your break-glass procedure. Show the separate approval process, enhanced logging, and mandatory password reset after use. Demonstrate a test from last quarter.

"How do you prevent privilege creep?"

Show quarterly certification reports where managers attest to continued need. Highlight any access that was revoked based on reviews. Demonstrate your least-privilege analysis process.

Implementation Mistakes to Avoid

Mistake 1: Incomplete Inventory

Many organizations miss service accounts, local admin accounts, or OT credentials. Use automated discovery tools and cross-reference with:

  • Scheduled task configurations
  • Service control manager
  • Database connection strings
  • Application configuration files

Mistake 2: Shared Accounts

Never allow multiple people to share one privileged account. Each user needs individual accountability. If legacy systems require shared accounts, implement compensating controls:

  • Session recording linked to individual check-out
  • Automated password rotation after each use
  • Enhanced activity monitoring

Mistake 3: Permanent Privileged Access

Implement just-in-time (JIT) access for human users. Standing privileges should be the exception, not the rule. Even system administrators should elevate privileges only when needed for specific tasks.

Mistake 4: Weak Emergency Access Controls

Break-glass accounts need stronger controls, not weaker ones. Common audit findings:

  • Password stored in easily accessed location
  • No alerting when break-glass is used
  • Password not changed after emergency use
  • No documented business justification for access

Mistake 5: Ignoring Service Accounts

Service accounts often have more privileges than human accounts but receive less scrutiny. Implement:

  • Managed service accounts with automatic password rotation
  • Principle of least privilege for each service
  • Regular reviews of service account permissions
  • Alerts for interactive logins with service accounts

Practical Execution Timeline

Immediate Actions (Week 1)

  • Form PAM implementation team with IT, OT, and Security representatives
  • Begin privileged account discovery using AD queries and system scans
  • Document any known shared administrative credentials
  • Identify budget and resources for PAM tooling

Month 1 Deliverables

  • Complete initial privileged account inventory
  • Risk-rank accounts by access scope and data sensitivity
  • Draft PAM policy for stakeholder review
  • Evaluate 2-3 PAM solution vendors
  • Document current state gaps and remediation timeline

Month 2 Milestones

  • Finalize and approve PAM policy
  • Select and procure PAM solution
  • Design standard operating procedures
  • Pilot PAM solution with IT admin accounts
  • Create training materials for privileged users

Month 3 and Ongoing

  • Complete PAM rollout to all privileged accounts
  • Enable session monitoring and alerting
  • Conduct first quarterly access review
  • Document lessons learned
  • Schedule tabletop exercise for incident response
  • Plan annual PAM program assessment

Risk and Enforcement Context

While C2M2 is a maturity framework rather than a regulation with defined penalties, failure to implement adequate PAM controls creates multiple risk exposures:

Audit Findings: External assessors consistently cite PAM gaps as high-risk findings that can impact overall C2M2 maturity ratings and potentially affect participation in federal programs.

Incident Amplification: Compromised privileged credentials are involved in the majority of significant breaches. Poor PAM hygiene transforms minor incidents into major events.

Operational Impact: For OT environments, compromised privileged access can lead to physical process manipulation, safety system bypasses, and potential equipment damage or personnel injury.

Third-Party Requirements: Energy sector suppliers and partners increasingly require demonstrated PAM controls as part of vendor security assessments.

Frequently Asked Questions

Do we need to purchase a commercial PAM solution to meet this requirement?

Not necessarily. While commercial PAM tools simplify compliance, you can meet basic requirements using native OS features, strong processes, and disciplined documentation. However, features like session recording and just-in-time access typically require specialized tools.

How do we handle legacy OT systems that don't support modern authentication?

Implement compensating controls such as jump servers with MFA, network segmentation, enhanced logging, and more frequent password rotation. Document these limitations and compensating controls in your risk register.

What's the minimum password rotation frequency for privileged accounts?

C2M2 doesn't specify exact timeframes. Industry practice suggests 60-90 days for human accounts and 90-180 days for service accounts, with immediate rotation after any suspected compromise or personnel change.

Should contractor accounts be included in our PAM program?

Yes. Any third party with privileged access poses equivalent risk to internal users. Contractors need individual named accounts, time-limited access, and the same monitoring as employees.

How do we prove privileged session monitoring without violating privacy regulations?

Focus monitoring on privileged technical activities, not personal data access. Implement clear banners warning of monitoring, limit retention periods, and restrict access to recordings. Consult legal counsel for jurisdiction-specific requirements.

Can we use the same break-glass process for IT and OT environments?

While the overall process can be similar, OT environments often need faster response times and different approval chains. Consider separate procedures with OT-specific safety considerations and notification requirements.
