Admins should do everyday tasks from a normal account, not their admin account.
What it actually means
People with admin rights should use a separate non-privileged account for routine work — email, web, documents — and only switch to the privileged account for actual admin tasks. This limits the damage if their everyday session is compromised: a phishing attachment or malicious web page opened from the routine account runs with ordinary user rights, not with standing admin rights over the domain.
Pass or fail — an assessor needs a "yes" to each
- Do privileged users have separate non-privileged accounts for routine work?
- Is admin access used only for admin tasks?
What to have ready
- Account configuration showing separate admin vs. daily accounts
- Policy requiring non-privileged accounts for routine use
Where teams trip up
- Admins browsing the web and reading email as a domain admin
- A single account with standing admin rights used for daily work
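As an added example (not part of the original page), a PowerShell audit that supports the evidence item above and surfaces both failure modes: it lists privileged-group members that look like daily-use accounts, and interactive logons by privileged accounts on the host it runs on. It assumes the ActiveDirectory RSAT module, rights to read the Security log, and an "adm-" naming convention for admin accounts; adjust $AdminPrefix to your own.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module,
# read access to the Security log, and an "adm-" admin naming convention.
Import-Module ActiveDirectory

$AdminPrefix      = 'adm-'
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# 1. Every user with standing membership in a privileged group (nested included).
$privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privileged = $privileged | Sort-Object -Property SamAccountName -Unique

# 2. Privileged accounts that look like daily-use accounts: a mailbox or a name
#    outside the admin naming convention both suggest routine use.
$suspectAccounts = foreach ($p in $privileged) {
    $u = Get-ADUser -Identity $p.SamAccountName -Properties mail, LastLogonDate
    if ($u.mail -or $u.SamAccountName -notlike "$AdminPrefix*") {
        [pscustomobject]@{
            Account    = $u.SamAccountName
            HasMailbox = [bool]$u.mail
            LastLogon  = $u.LastLogonDate
        }
    }
}

# 3. Interactive (2), RemoteInteractive (10) and CachedInteractive (11) logons
#    by privileged accounts on this host in the last 7 days (event 4624).
$since     = (Get-Date).AddDays(-7)
$privNames = @($privileged.SamAccountName)
$interactiveLogons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            LogonType = [int]$d['LogonType']
        }
    } |
    Where-Object { $_.LogonType -in 2,10,11 -and $_.Account -in $privNames }

"Privileged accounts that look like daily-use accounts:"
$suspectAccounts | Format-Table -AutoSize
"Interactive logons by privileged accounts on $env:COMPUTERNAME since $($since):"
$interactiveLogons | Format-Table -AutoSize
```

An empty second table on workstations is the expected result; entries there are the "browsing as domain admin" case the control is meant to stop.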