3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.

This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Actionable Items: Any activity whether or not it is over the network, internet, or locally involving CUI should be done with a different user account than activities not involving CUI. This may be as simple as having different employees that can access different areas. Or if one employee does different jobs, one involving CUI and the other does not, having different login credentials for each job function. It is important that CUI information stay separated from regular business operations.

Monitoring: Monitoring of user activity should be done for all activities involving CUI. Software is available that can do this.