
AC-6(8) Least Privilege | Privilege Levels for Code Execution

IL4 High
IL5
IL6

>Control Description

Prevent the following software from executing at higher privilege levels than users executing the software: organization-defined software.

>DoD Impact Level Requirements

FedRAMP Parameter Values

AC-6 (8) [any software except software explicitly documented]

>Discussion

In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.
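As an added illustration (not part of the control text or any FedRAMP tooling), the check below inventories setuid/setgid executables under a root directory and flags any that are not on the organization's explicitly documented list, which is the FedRAMP parameter above; the file tree and the documented list are constructed for the demo.

```python
"""Inventory setuid/setgid executables below a root and report any not on the
organization's explicitly documented list (the AC-6(8) FedRAMP parameter).
Added example; the sample tree below is constructed for the demo."""
import os
import stat
import tempfile
from pathlib import Path

def find_privileged_executables(root):
    """Map root-relative path -> mode bits for every regular file carrying
    the setuid or setgid bit (the bits that run a program with privileges
    the invoking user does not hold)."""
    found = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished; skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = stat.S_IMODE(st.st_mode)
    return found

def undocumented_privileged(root, documented):
    """Privileged executables absent from the documented allow-list;
    a non-empty result is an AC-6(8) finding to investigate."""
    allowed = {os.path.normpath(p) for p in documented}
    return sorted(p for p in find_privileged_executables(root) if p not in allowed)

def build_sample_tree(root):
    """Constructed sample: two setuid files, one setgid, one ordinary."""
    layout = {"bin/passwd": 0o4755, "bin/backup-helper": 0o4755,
              "bin/wall": 0o2755, "bin/ls": 0o755}
    for rel, mode in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)

def run_demo(documented=frozenset({"bin/passwd", "bin/wall"})):
    """Build the sample tree in a temp dir and return what is undocumented."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return undocumented_privileged(root, documented)

if __name__ == "__main__":
    print(run_demo())  # ['bin/backup-helper']
```

Run against a real root the result is the list an assessor would expect to see reconciled with the documented-software artifact; anything on it that is not documented is either a missing entry in the documentation or a binary that should not carry the bit.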

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-6(8) (Privilege Levels For Code Execution)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-6(8)?
  • How frequently is the AC-6(8) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-6(8)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-6(8) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-6(8)?
  • How is AC-6(8) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-6(8) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-6(8)?
  • What audit logs, records, reports, or monitoring data validate AC-6(8) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-6(8) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-6(8) compliance?
