CMMC Level 2 Practice 3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions

10 min readLast verified: February 2026By

To meet the cmmc level 2 practice 3.1.6: use non-privileged accounts or roles when accessing nonsecurity functions requirement, you must ensure users perform routine, non-security work (email, browsing, document editing, normal app use) from standard accounts, and only elevate to admin roles for approved admin tasks. Operationalize it by separating privileged and non-privileged identities, limiting elevation paths, and retaining proof through access reviews, role mappings, and logs. 1

Key takeaways:

  • Separate “day-to-day” user accounts from admin accounts; admin access is task-based, not all-day.
  • Enforce elevation controls (separate accounts, just-in-time elevation, or role-based access) and monitor exceptions.
  • Keep evidence that proves the control operates: role definitions, group membership, approvals, and audit logs.

CMMC Level 2 Practice 3.1.6 is a least-privilege requirement with a simple operational test: if a user is doing normal work, they should not be doing it while logged in as an administrator. Assessors will look for separation between privileged and non-privileged access, and they will probe the common failure mode: “everyone in IT uses admin all the time because it’s easier.”

This practice is mapped to NIST SP 800-171 Rev. 2 control 3.1.6. Your job as a CCO, compliance officer, or GRC lead is to translate that single sentence into a repeatable control that technology teams can run without debate. That means defining what “nonsecurity functions” are in your environment, identifying where privileged access currently bleeds into daily activity, and implementing a clean elevation model that your staff will actually follow.

The payoff is practical risk reduction: fewer successful phishing-to-admin paths, fewer accidental configuration changes, and cleaner audit trails when something goes wrong. It also reduces CMMC assessment friction because you can show clear policy intent plus system-level enforcement and operational evidence. 1

Regulatory text

Excerpt (as provided): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.1.6 (Use non-privileged accounts or roles when accessing nonsecurity functions).” 1

Operator meaning:

  • Users must default to non-privileged accounts for routine tasks (typical business apps, normal workstation use, standard access to systems).
  • Privileged accounts/roles must be reserved for security-relevant or administrative functions (system configuration, identity management, patching, security tool administration), and used only when needed.
  • You must be able to demonstrate the separation in identity design, technical enforcement, and day-to-day behavior under assessment. 1

Primary sources for program context: CMMC is implemented through the DoD program and codified in 32 CFR Part 170. 2 3

Plain-English interpretation (what the requirement really demands)

Treat administrator access as hazardous material: contained, labeled, and handled only for a specific purpose. The practice does not require you to eliminate privileged accounts. It requires you to stop using privileged access for normal work.

In practice, assessors typically expect to see:

  • A standard user identity for email, Teams/Slack, browsing, documents, and normal line-of-business apps.
  • A separate admin identity or role for admin consoles and privileged actions.
  • A defined method to approve, grant, monitor, and revoke privileged access.
  • Clear handling of exceptions (break-glass, emergency admin). 1

Who it applies to (entity and operational context)

Applies to: organizations seeking CMMC Level 2 that handle Controlled Unclassified Information (CUI) in scope for assessment, including defense contractors and other federal contractors handling CUI. 3 2

Applies across:

  • Corporate IT and enclaves that store/process/transmit CUI
  • Administrators of identity systems (e.g., directory services), endpoints, servers, network devices, cloud tenants, and key business platforms that touch CUI
  • Third-party managed service providers (MSPs) administering your environment, to the extent they access in-scope systems (your contracts and access design must support the practice) 1

What you actually need to do (step-by-step)

Use this as a control runbook.

Step 1: Define “nonsecurity functions” for your environment

Create a short list that teams can follow without interpretation. Common nonsecurity functions:

  • Email, chat, calendar, browsing
  • Document editing and collaboration
  • Ticketing as a requester (not admin)
  • Normal application use (ERP, PLM, CRM) where admin rights are not required

Then define “security/admin functions”:

  • Managing identities, groups, authentication settings
  • Configuring endpoints/servers/network devices
  • Changing security tooling, policies, logging, EDR settings
  • Creating/modifying privileged roles and permissions 1

Artifact to produce: a one-page “Privileged vs. Non-Privileged Activity Matrix” approved by IT/security leadership.

Step 2: Inventory privileged access paths

You cannot control what you have not mapped. Identify:

  • Who has local admin on endpoints
  • Who is in privileged directory groups / cloud tenant admin roles
  • Service accounts with elevated permissions
  • Shared admin accounts (flag these aggressively)
  • Third-party accounts with elevated access (MSP, SaaS support) 1

Artifact to produce: privileged access inventory export(s) plus a register of privileged roles/groups.

Step 3: Implement separation of accounts or roles

Choose a pattern (you can mix patterns, but document which systems use which):

Pattern A: Separate admin accounts (most common)

  • Example: j.smith (standard) and adm-j.smith (admin)
  • Standard account has email and daily tools
  • Admin account cannot access email/internet except what’s required for admin tasks

Pattern B: Role-based elevation

  • Standard account exists, with privileged roles assigned only through controlled elevation (approval + time bounds)

Pattern C: Privileged Access Management (PAM)

  • Centralized check-out / just-in-time elevation with session recording for sensitive systems

Minimum expectation: privileged access must be deliberate and bounded. 1

Artifacts to produce: role design documents, naming standards, and configuration screenshots/exports showing separation.

Step 4: Enforce it technically (not just policy)

Policy-only controls fail under assessment. Add enforcement where possible:

  • Remove local admin from standard users; use controlled elevation for installs
  • Restrict admin accounts from logging into workstations for daily activity
  • Conditional access rules for admin roles (stricter MFA, device compliance, limited locations)
  • Block privileged accounts from email and web browsing if feasible for your operations
  • Monitor and alert on privileged group membership changes 1

Artifacts to produce: configuration evidence (screenshots/exports), baseline standards, and monitoring rule documentation.

Step 5: Build an exceptions process you can defend

You will have exceptions: legacy apps, engineering tools, lab systems, OT-like environments.

Your exception process needs:

  • Business justification and scope (system, users, duration)
  • Compensating controls (application allowlisting, additional monitoring, segmented network)
  • Expiration and re-approval
  • CCO/GRC visibility and ownership 1

Artifacts to produce: exception tickets/approvals and a current exception register.

Step 6: Prove ongoing operation (control health checks)

Assessors look for sustained behavior, not a one-time cleanup:

  • Recurring review of privileged group membership
  • Spot checks of workstation local admin
  • Review of privileged login events and admin tool access logs
  • Remediation tracking to closure 1

A practical operational add-on: create a “requirement control card” with owner, cadence, evidence list, and escalation path. Daydream can store the control card and evidence bundle so you do not rebuild it for every assessment cycle. 3

Required evidence and artifacts to retain (minimum evidence bundle)

Keep evidence that maps to: design, enforcement, operation.

Design / intent

  • Access control policy section covering least privilege and non-privileged daily use
  • Privileged vs. non-privileged activity matrix
  • Role/entitlement definitions for privileged roles 1

Implementation / configuration

  • Directory/cloud role assignments export (privileged groups and members)
  • Endpoint management baseline showing local admin restrictions
  • Conditional access / MFA enforcement for admin roles
  • PAM configuration (if used) 1

Operational proof

  • Privileged access request/approval records
  • Privileged group membership review results and sign-off
  • Logs showing privileged logons and administrative actions (sampled)
  • Exception register with approvals and compensating controls
  • Remediation tickets and closure evidence 1

Retention tip: store evidence in an assessment-ready folder structure by system and by month/quarter. Daydream-style evidence bundling prevents the “we can’t find the screenshot from last spring” problem.

Common exam/audit questions and hangups

Expect these lines of questioning:

  1. “Show me how an admin does normal work.” They want to see that email/browsing is under a standard account, not the admin identity.
  2. “How do you install software or run elevated tasks?” Walk through the elevation flow (separate admin login, PAM checkout, or approval-based role elevation).
  3. “Who can grant privileged access?” Name the owners and show approvals.
  4. “How do you know privileges are removed?” Show review cadence and termination/change-of-role workflows.
  5. “What about third parties?” Show contracts/access methods, MFA, and the same separation for MSP admin identities. 1

Frequent implementation mistakes (and how to avoid them)

Mistake 1: “IT staff are always admins.”
Fix: require separate accounts and block admin accounts from daily apps.

Mistake 2: Shared admin accounts for convenience.
Fix: eliminate shared accounts; if a break-glass account exists, lock it down and monitor it with documented emergency use approvals.

Mistake 3: Local admin sprawl on endpoints.
Fix: remove local admin by default, then handle legitimate needs with controlled elevation and documented exceptions.

Mistake 4: No operational evidence.
Fix: define the minimum evidence bundle and run recurring control health checks with sign-off. 3

Mistake 5: “We have a policy” with no enforcement.
Fix: add technical controls and log review that demonstrate behavior matches policy. 1

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this specific practice, so this page does not list cases.

Risk-wise, failing 3.1.6 increases the chance that a routine compromise (phishing, browser exploit, malicious document) becomes an administrative compromise because the user is already operating with elevated rights. In a CMMC assessment, the practical implication is straightforward: if assessors observe privileged accounts used for routine activity, you will struggle to demonstrate conformance to the practice as written. 1

Practical 30/60/90-day execution plan

Because the source pack does not support time-to-implement claims, treat this as a sequencing plan you can compress or extend based on your environment.

First 30 days (stabilize and scope)

  • Assign an owner for the practice and publish a short control card (objective, scope, systems, evidence, exceptions).
  • Define your privileged vs. non-privileged activity matrix.
  • Export current privileged roles/groups and identify high-risk populations (IT admins, engineers, MSP accounts).
  • Freeze new privileged grants unless routed through an approval workflow. 1

Days 31–60 (implement separation + enforcement)

  • Create separate admin accounts or role-elevation workflows for privileged users.
  • Remove local admin for standard users in the CUI scope; implement elevation for installs.
  • Apply stricter access conditions for admin roles (MFA requirements, device restrictions) where supported.
  • Stand up an exception register with required fields and approval rules. 1

Days 61–90 (prove operation and readiness)

  • Run your first recurring privileged access review and document results and remediation.
  • Sample privileged logons and confirm admin identities are not used for email/browsing.
  • Close or time-bound exceptions; add compensating controls where exceptions remain.
  • Assemble an assessor-ready evidence bundle by system. Daydream can act as the system of record for the control card, evidence checklist, and remediation tracker. 3

Frequently Asked Questions

Do I need separate admin accounts for every administrator?

Separate admin accounts are the simplest way to prove compliance because they create a clear boundary between daily work and privileged actions. If you use role-based or just-in-time elevation, document the workflow and keep logs that show elevation is deliberate and time-bounded. 1

What counts as “nonsecurity functions” for 3.1.6?

Treat routine productivity and normal application use as nonsecurity functions, unless the action changes system security settings or access. Write a short matrix listing examples in your environment so teams and assessors do not debate it. 1

Can admins browse the web from their admin account to download patches or drivers?

Avoid general browsing from admin identities. If downloads are required, restrict destinations, document the need, and prefer controlled repositories or a separate workflow where a standard account retrieves files and admin accounts only perform the install. 1

How do we handle engineers who “need admin” on specialized tools?

Start with an exception that is scoped and time-bound, then add compensating controls such as application allowlisting, tighter monitoring, and segmentation for the affected systems. Track exceptions in a register with approvals and expiration dates. 1

Does this apply to third-party administrators like an MSP?

Yes for any third party with administrative access to in-scope systems. Require named accounts, MFA, and the same separation of non-privileged and privileged access, and retain evidence of access grants and reviews. 1

What evidence do assessors typically ask for first?

They usually start with privileged role/group membership lists, proof of separation (two-account model or elevation workflow), and samples of logs showing privileged access events. Have your policy excerpt, activity matrix, and the latest access review packet ready. 1

Footnotes

  1. NIST SP 800-171 Rev. 2

  2. DoD CMMC Program Guidance

  3. 32 CFR Part 170

Frequently Asked Questions

Do I need separate admin accounts for every administrator?

Separate admin accounts are the simplest way to prove compliance because they create a clear boundary between daily work and privileged actions. If you use role-based or just-in-time elevation, document the workflow and keep logs that show elevation is deliberate and time-bounded. (Source: NIST SP 800-171 Rev. 2)

What counts as “nonsecurity functions” for 3.1.6?

Treat routine productivity and normal application use as nonsecurity functions, unless the action changes system security settings or access. Write a short matrix listing examples in your environment so teams and assessors do not debate it. (Source: NIST SP 800-171 Rev. 2)

Can admins browse the web from their admin account to download patches or drivers?

Avoid general browsing from admin identities. If downloads are required, restrict destinations, document the need, and prefer controlled repositories or a separate workflow where a standard account retrieves files and admin accounts only perform the install. (Source: NIST SP 800-171 Rev. 2)

How do we handle engineers who “need admin” on specialized tools?

Start with an exception that is scoped and time-bound, then add compensating controls such as application allowlisting, tighter monitoring, and segmentation for the affected systems. Track exceptions in a register with approvals and expiration dates. (Source: NIST SP 800-171 Rev. 2)

Does this apply to third-party administrators like an MSP?

Yes for any third party with administrative access to in-scope systems. Require named accounts, MFA, and the same separation of non-privileged and privileged access, and retain evidence of access grants and reviews. (Source: NIST SP 800-171 Rev. 2)

What evidence do assessors typically ask for first?

They usually start with privileged role/group membership lists, proof of separation (two-account model or elevation workflow), and samples of logs showing privileged access events. Have your policy excerpt, activity matrix, and the latest access review packet ready. (Source: NIST SP 800-171 Rev. 2)

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream