System and Communications Protection 3.13.3
Separate user functionality from system management functionality.
What Is This CMMC Control?
This control requires organizations to keep administrative functions separate from regular user activities. Think of it like having a separate entrance and workspace for building maintenance staff versus regular office workers. Administrative tools, privileged accounts, and management interfaces should be isolated from everyday user systems and applications to prevent unauthorized access to critical system controls.
Control Intent
Prevent unauthorized users from accessing or manipulating system management functions by maintaining clear separation between administrative capabilities and standard user operations, thereby reducing the attack surface and limiting the impact of compromised user accounts.
Who This Control Applies To
- Organizations with privileged administrative accounts
- Systems with administrative interfaces or management consoles
- Network infrastructure with management planes
- Database systems with administrative functions
- Web applications with administrative backends
- Virtualized environments with hypervisor management
- Cloud services with administrative portals
- Any system where administrative functions exist alongside user functions
Not Applicable When
- Single-user systems with no network connectivity and no CUI (extremely rare)
- Systems where all users are administrators with equivalent privileges (not recommended and rarely acceptable)
- Embedded systems with no administrative interface or management functionality
- Read-only systems with no administrative capabilities
Key Objectives
1. Isolate system management functionality from user-accessible functions to prevent unauthorized administrative access
2. Reduce the risk that compromised user accounts can be leveraged to gain administrative privileges
3. Limit the attack surface by segregating administrative interfaces from user-facing systems
4. Ensure administrative functions require separate authentication and access controls from standard user operations
Sample Self-Assessment Questions (Partial)
Do you have administrative accounts or privileged users who manage your systems?
Are administrative functions accessed through the same login portal as regular users?
Implementation Approaches (High-Level)
Network Segmentation with Administrative VLAN
Separate administrative interfaces onto dedicated VLANs or network segments with firewall rules restricting access to authorized administrative workstations only
Dedicated Administrative Workstations or Jump Boxes
Require all administrative tasks to be performed from hardened, dedicated workstations or jump servers that are physically or logically separated from user workstations
Separate Authentication Domains or Identity Providers
Use different authentication systems, domains, or identity providers for administrative access versus user access, requiring separate credentials and authentication flows
Role-Based Access Control with Privileged Access Management
Implement RBAC with strict separation between user roles and administrative roles, enforced through Privileged Access Management (PAM) solutions that control and monitor administrative access
Separate Administrative Interfaces or Portals
Provide distinct administrative interfaces, URLs, or portals that are separate from user-facing applications and require different authentication mechanisms
Virtualization Management Plane Separation
Isolate virtualization management interfaces (hypervisor consoles, orchestration platforms) on separate management networks with dedicated administrative access controls
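The approaches above (a dedicated management network, separate credentials, and a distinct administrative interface) combined in one small service, as an added example that is not code from this page or from any product it mentions. The admin VLAN 10.99.0.0/24, the bind addresses, the bearer tokens and the /admin/users path are all assumptions chosen for illustration; the point is that the management surface is a separate listener with its own credential store, not a route hidden inside the user application.

```python
"""Added example: one service, two listeners. User functionality is served on a
general-purpose listener; system-management functionality exists only on a
second listener bound to an address on the administrative network and guarded
by a separate credential store. Addresses, tokens and paths are hypothetical."""
import hmac
import ipaddress
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed layout: the user listener is reachable from anywhere; the management
# listener is bound only to the host's address on the (hypothetical) admin VLAN.
USER_BIND = ("0.0.0.0", 8080)
ADMIN_BIND = ("10.99.0.10", 8443)
ADMIN_NET = ipaddress.ip_network("10.99.0.0/24")

# Constructed sample credentials. The two stores are disjoint: the same person
# holds an everyday user identity and a separate administrative identity.
USER_TOKENS = {"u-7f3a": "alice"}
ADMIN_TOKENS = {"a-91cc": "alice.admin"}


def lookup(token, store):
    """Constant-time token lookup; returns the principal name or None."""
    found = None
    for stored, name in store.items():
        if hmac.compare_digest(stored.encode(), (token or "").encode()):
            found = name
    return found


def route(listener, path, token, src_ip):
    """Dispatch one request and return (status, body). `listener` is the surface
    the request arrived on ('user' or 'admin'), never anything the client sent."""
    if listener == "user":
        # Management routes do not exist on the user surface at all; an admin
        # token presented here is simply ignored.
        if path.startswith("/admin"):
            return 404, {"error": "not found"}
        user = lookup(token, USER_TOKENS)
        if user is None:
            return 401, {"error": "user credentials required"}
        if path == "/profile":
            return 200, {"user": user}
        return 404, {"error": "not found"}

    # Management surface. The bind address already keeps this off the user
    # network; the source check is defence in depth against a misrouted packet.
    if ipaddress.ip_address(src_ip) not in ADMIN_NET:
        return 403, {"error": "management functions reachable only from the admin network"}
    admin = lookup(token, ADMIN_TOKENS)  # user tokens are never consulted here
    if admin is None:
        return 401, {"error": "administrative credentials required"}
    if path == "/admin/users":
        return 200, {"admin": admin, "users": sorted(USER_TOKENS.values())}
    return 404, {"error": "not found"}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[7:] if auth.startswith("Bearer ") else None
        status, body = route(self.server.listener, self.path, token,
                             self.client_address[0])
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def serve(bind, listener):
    """Start one listener in a background thread, tagged with the surface it serves."""
    srv = ThreadingHTTPServer(bind, Handler)
    srv.listener = listener
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    serve(USER_BIND, "user")
    serve(ADMIN_BIND, "admin")  # fails unless this host actually holds 10.99.0.10
    threading.Event().wait()
```

Binding the management listener to the admin-network address is what an assessor can verify from configuration (`ss -ltnp` on the host, plus the firewall rules between the user and admin segments); the source-address check inside the application is only a backstop and would not by itself satisfy the control.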
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. For 3.13.3 that typically means network diagrams showing the management segment and its boundary rules, firewall or ACL exports for that boundary, listener and bind configuration for administrative interfaces, an inventory of administrative accounts showing they are distinct from user accounts, audit logs of administrative access, periodic access reviews, and the policy or procedure that requires administrative work to go through the separated path.
Plan of Action & Milestones (POA&M)
- If administrative and user functions are not currently separated, prioritize network segmentation as the most impactful first step.
- Implement jump boxes or bastion hosts as an interim control while working toward full network segmentation.
- For cloud services, leverage native administrative access controls and separate administrative accounts immediately.
- Document all administrative access paths and create a remediation plan to isolate each path.
- Consider implementing a PAM solution if managing numerous privileged accounts across multiple systems.
- Ensure any compensating controls (e.g., enhanced monitoring, MFA) are documented and assessed for adequacy.
- Set realistic timelines: network segmentation may require 6-12 months; jump boxes can be implemented in 1-3 months.
- Prioritize separation of the most critical administrative interfaces first (e.g., domain controllers, hypervisors, firewalls).
Frequently Asked Questions
Does this control require physically separate computers for administrative tasks?
No. Physical separation (different computers or processors) is one option but is not required. Logical separation through network segmentation, separate VLANs, separate operating system instances or virtualization, separate authentication domains, or dedicated administrative interfaces is also acceptable, as is a combination of these. The key is that administrative functions are isolated from user functions in a way that prevents unauthorized access.
Can administrators use their regular user accounts for administrative tasks if they have elevated privileges?
No. Using one account for both everyday work and administration collapses the separation this control exists to create: anything that compromises the user session (phishing, a malicious document, a browser exploit) lands directly on an administrative identity. Administrative functions should be reached through separate privileged accounts, separate authentication, or separate access paths. Note that the separate-account requirement is stated on its own in 3.1.6 (use non-privileged accounts or roles when accessing nonsecurity functions); 3.13.3 is about separating the management functionality itself, so separate accounts that still reach the same interface over the same network do not complete the picture.
If we use a cloud service, how do we implement this control?
For cloud services, ensure administrative portals or consoles require separate authentication from user access, implement conditional access policies requiring additional verification for administrative roles, use separate administrative accounts, and restrict administrative portal access to authorized networks or devices. Many cloud providers offer built-in administrative separation features.
What if our small organization only has one or two administrators?
The control still applies regardless of organization size. Even with few administrators, you must separate administrative functions from user functions through methods like network segmentation, separate administrative accounts, dedicated jump boxes, or separate administrative interfaces. The separation protects against compromised user accounts gaining administrative access.
Does using multi-factor authentication (MFA) for administrative access satisfy this control?
MFA alone does not satisfy this control. While MFA is important and may be required by other controls, this control specifically requires separation of administrative functionality from user functionality through network, logical, or physical isolation. MFA can be a supporting control but does not replace the need for separation.
How is this control verified during a CMMC assessment?
Assessors will review network diagrams, firewall rules, authentication configurations, and administrative access procedures. They will attempt to trace how administrative functions are accessed and verify that user accounts or user networks cannot reach administrative interfaces. Expect to demonstrate the separation through configuration evidence, access logs, and potentially live demonstrations of administrative access paths.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.