United States
Privileged access guidance mapped to US regulatory frameworks — NIST, CISA, CMMC, HIPAA, and SOX.
Regulatory landscape
The United States has no single privileged access standard. Federal frameworks, sector-specific rules and state regulations overlap, and together they set clear expectations for how privileged access is granted, constrained, logged and reviewed.
Key frameworks
NIST — National Institute of Standards and Technology
NIST provides foundational guidance that underpins most US cybersecurity requirements:
- NIST SP 800-53 — the catalogue of security and privacy controls; the AC (Access Control) family covers privileged access directly, notably AC-2 (account management, including privileged accounts), AC-5 (separation of duties) and AC-6 (least privilege, with enhancements for privileged accounts, non-privileged accounts for non-security functions, and logging of privileged function use), while the AU family covers the audit records these controls depend on
- NIST SP 800-63 — Digital Identity Guidelines; defines Identity, Authenticator and Federation Assurance Levels (IAL, AAL, FAL). AAL3 requires a hardware-based, verifier-impersonation-resistant authenticator, which is the natural target for administrative accounts
- NIST Cybersecurity Framework (CSF) — a risk-based framework organised into the functions Identify, Protect, Detect, Respond and Recover (CSF 2.0, published February 2024, adds Govern); privileged access touches all of them, chiefly Protect (PR.AA, identity management, authentication and access control) and Detect
- NIST SP 800-171 — protecting CUI (Controlled Unclassified Information) in nonfederal systems; its Access Control family includes least privilege (3.1.5), use of non-privileged accounts for non-security functions (3.1.6) and preventing non-privileged users from executing privileged functions, with such execution logged (3.1.7) (Rev. 2 numbering)
CISA — Cybersecurity and Infrastructure Security Agency
CISA provides operational guidance including:
- Known Exploited Vulnerabilities (KEV) catalogue — vulnerabilities with confirmed in-the-wild exploitation; Binding Operational Directive 22-01 makes remediation by the listed due date mandatory for federal civilian executive branch agencies, and the catalogue is a sensible patching priority elsewhere for the systems a privileged path depends on (PAM appliances, jump hosts, identity providers, VPN and firewall management interfaces)
- Secure by Design principles — vendor-facing; for PAM and identity products the relevant commitments include MFA by default and elimination of default passwords
- Zero Trust Maturity Model — five pillars (Identity, Devices, Networks, Applications and Workloads, Data) with cross-cutting Visibility and Analytics, Automation and Orchestration, and Governance; directly relevant to privileged access architecture
CMMC — Cybersecurity Maturity Model Certification
CMMC applies to Department of Defense contractors and subcontractors in the defence industrial base. CMMC 2.0 has three levels:
- Level 1 — basic safeguarding of Federal Contract Information (the FAR 52.204-21 requirements), annual self-assessment; it limits system access but does not single out privileged access
- Level 2 — the 110 NIST SP 800-171 requirements, which is where the privileged access controls (least privilege, non-privileged accounts, control and logging of privileged functions) enter; assessed by a certified third-party assessor organisation (C3PAO) for most contracts, with self-assessment permitted for some
- Level 3 — a subset of NIST SP 800-172 on top of Level 2, assessed by the DoD's DIBCAC
HIPAA
Covered entities and their business associates must comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C), which includes:
- Information access management (§164.308(a)(4)) and access control (§164.312(a)(1)) for ePHI, including unique user identification and emergency access procedures
- Audit controls (§164.312(b)) — mechanisms to record and examine activity in systems that contain ePHI, which is where administrative actions must be captured
- Person or entity authentication (§164.312(d))
The rule is technology-neutral: it specifies the safeguard, not the product, so the evidence an assessor wants is the policy, the configuration and the logs together.
SOX — Sarbanes-Oxley
Public companies (SEC registrants) must maintain internal control over financial reporting; under Section 404 management assesses it annually and, for larger filers, the external auditor attests to it. The IT general controls auditors test include:
- Access controls over financial systems and the infrastructure beneath them (databases, operating systems, identity providers)
- Segregation of duties, so that the people who administer a financial system cannot also initiate, approve and post transactions in it
- Audit trails for administrative actions, retained for the audit period and reviewed, not merely collected
Framework mapping
| Framework Pillar | US Regulatory Alignment |
|---|---|
| Foundation | NIST 800-53 AC-2 (account management) and AC-5 (separation of duties), CMMC Level 2 practices |
| Control | NIST 800-53 AC-6 (least privilege) and its enhancements, CISA Zero Trust Maturity Model Identity pillar |
| Isolation | NIST 800-53 SC family (SC-7 boundary protection), CISA Zero Trust Maturity Model Networks and Devices pillars |
| Operations | NIST 800-53 AU family, NIST CSF Detect/Respond/Recover, CISA KEV remediation |
| Validation | SOX Section 404 testing, HIPAA §164.312(b) audit controls, CMMC assessment |
Practical notes
US organisations face multiple overlapping requirements. The Privileged Path Framework gives a single set of controls that maps onto NIST, CMMC, HIPAA and SOX at once, reducing duplication of effort. The mapping is not the certification: each regime has its own assessor and its own evidence expectations, so the practical step is to keep one control set and collect evidence (access reviews, approval records, session and command logs) once, in a form each assessor will accept.
CISA's Zero Trust Maturity Model explicitly addresses privileged access management. Organisations should align their privileged access strategy with this model, particularly the Identity and Devices pillars, and note that the model's maturity stages (Traditional, Initial, Advanced, Optimal) give a ready-made way to describe where a privileged access programme is and where it is going.