How to Comply with CMMC AC.2.008 Using Non-Privileged Accounts for Non-Security Functions

CMMC compliance requires non-privileged accounts or roles to be used when accessing non-security functions, a.k.a. CMMC AC.2.008.

Imagine an employee with administrative privileges clicks on a phishing email, or accidentally clicks a spam ad that pops up: your entire organization’s confidential information, data, and passwords are now compromised.

Fortunately, you caught it quickly in the first ten minutes and think you’re safe. 

Well, you’re not. 

Ransomware takes 3 seconds from the moment a hacker gets access to your account to move through the entire organization. 

With CMMC AC.2.008, this situation is avoidable by using non-privileged accounts or roles when accessing non-security functions. 

What is CMMC AC.2.008?

Before diving in, to first get a solid foundation of knowledge, check out our blog: Understanding the CMMC 2.0 Framework

CMMC AC.2.008 requires the use of non-privileged accounts or roles when accessing non-security functions. In plain terms, accounts with admin privileges are to be used only for high-level administrative functions. To break it down even further, don’t use admin accounts for everyday work in the office.


[How To] Implement CMMC AC.2.008

Now, let’s get into the details of how to implement CMMC AC.2.008. The steps differ depending on whether your computers are joined to a domain or use local accounts.

Windows Server (Domain)

Before you spend time visiting each computer to set these policies individually, log in to the domain controller and follow these steps to set admin privileges on a Windows Server:

  1. Click the Start button and open Active Directory Users and Computers > Users > Create New User 
  2. Enter the user’s credentials and click Next
  3. Assign the user a password and click Next > Finish
  4. Double-click on the newly created user, select Member Of, and a list should appear
  5. This step can go two ways:
    1. If you’re adding admin privileges to the user, click Add, type ‘administrators’ into the box that pops up, then click ‘OK.’ This should auto-close and admin privileges should be applied.
    2. If you’re removing admin privileges, click the group you want to remove them from, then click Remove.

Windows Computer (Local Account)

Unfortunately, there’s no way to create accounts in bulk for multiple users at a time. When working with local environments, you’ll need to apply the following settings to each individual computer to set or remove admin privileges. 

  1. Click the Start button and open the Control Panel.
  2. Select User Accounts > User Accounts > Manage Another Account
  3. Click Add a New User in PC Settings > Add Account > I don’t have this person’s sign-in information > Add a user without a Microsoft account 
  4. Enter the user’s name and assign them a password, then answer the security questions
  5. Select the newly created user then Change Account Type 
  6. This step can go one of two ways: 
    1. If you’re setting up for a standard user, select Standard User
    2. If you’re setting up for admin privileges, select Administrator
  7. Repeat these steps to create admin and standard accounts for each user.

Outsourcing vs. DIY’ing Your IT

If you’re looking to implement all the CMMC policies yourself, it’s not going to be an easy feat. However, we understand outsourced IT isn’t possible for all businesses. To help you out, use these tips and tricks when implementing CMMC AC.2.008.

  • If you have employees that use their accounts for daily office use and have admin privileges, don’t worry. This is a common scenario. To ensure compliance with CMMC AC.2.008, we recommend creating two separate accounts with different privileges for these users. 
  • If your user accounts are already created and you need to reassign privileges, it’s simple. Copy the previous user account, change the privileges to either admin or standard user, and you’re done. (This is more of a sidenote than a tip or trick…but it fits.)
  • If someone has two accounts with separate privileges, clearly designate the admin account in the name (e.g., admin-omnis and standard-omnis).
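As an added example that is not part of the original post, the following PowerShell scripts the local-account procedure above for one person, creating the paired standard-/admin- accounts from the naming tip, and adds a check that lists Administrators members that do not follow that convention. It goes beyond the click-through steps by making the setup repeatable on each machine; it assumes Windows PowerShell 5.1 with the built-in LocalAccounts module in an elevated session, and the user name jdoe is a constructed sample.

```powershell
# Added example (not the original post's own procedure). Assumes Windows
# PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts) run as an administrator.
# Account names follow the "standard-<person>" / "admin-<person>" convention.
#Requires -RunAsAdministrator

function New-SeparatedAccounts {
    param(
        [Parameter(Mandatory)] [string]       $Person,        # constructed sample: "jdoe"
        [Parameter(Mandatory)] [securestring] $StdPassword,
        [Parameter(Mandatory)] [securestring] $AdminPassword
    )
    $std   = "standard-$Person"
    $admin = "admin-$Person"

    # Daily-use account: a plain member of Users, never of Administrators.
    # New-LocalUser does not add the account to Users by itself, so do it explicitly.
    if (-not (Get-LocalUser -Name $std -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $std -Password $StdPassword -FullName "$Person (daily use)" `
            -Description 'AC.2.008 non-privileged account' | Out-Null
    }
    Add-LocalGroupMember -Group 'Users' -Member $std -ErrorAction SilentlyContinue

    # Admin account: used only for administrative tasks.
    if (-not (Get-LocalUser -Name $admin -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $admin -Password $AdminPassword -FullName "$Person (admin)" `
            -Description 'AC.2.008 privileged account' | Out-Null
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $admin -ErrorAction SilentlyContinue
}

function Test-AdminGroupNaming {
    # Returns Administrators members whose name lacks the admin- prefix, i.e.
    # accounts that may be doubling as daily-use accounts. Built-ins are skipped.
    $allowed = @('Administrator', 'Domain Admins')
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $short = $_.Name.Split('\')[-1]      # strip the COMPUTER\ or DOMAIN\ prefix
            ($short -notin $allowed) -and ($short -notlike 'admin-*')
        } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Usage: passwords are prompted so they never sit in the script.
# New-SeparatedAccounts -Person 'jdoe' -StdPassword (Read-Host 'Standard pw' -AsSecureString) `
#     -AdminPassword (Read-Host 'Admin pw' -AsSecureString)
# Test-AdminGroupNaming   # empty output means every admin member follows the convention
```

Run Test-AdminGroupNaming on each computer after the accounts are created; any row it returns is an account to split into a standard and an admin pair.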


Why Implementing CMMC Compliance Policies is Necessary

Frankly, it’s required. If your company handles Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the Department of Defense has developed these requirements and they must be followed.

Beyond being required, CMMC compliance is designed for your business’s safety. Although tedious, these standards are set in place to avoid data leaks and compromised security.

Start Complying with CMMC

CMMC compliance is still developing from the Department of Defense, so there’s a chance you haven’t implemented these policies yet. Reach out to our team at Omnis Technologies to start moving towards a compliant, safe network. 
