Which of the following is a responsibility of the organization’s security apparatus as outlined in CMMC?

The responsibility of identifying privileged functions and users is crucial within the Cybersecurity Maturity Model Certification (CMMC) framework. This process involves recognizing which users or accounts possess elevated access rights or permissions and determining the specific functions and resources they can access. By ensuring that there is a clear identification of privileged users and functions, an organization can implement appropriate security measures and controls.

This responsibility is key to maintaining the principle of least privilege, which minimizes the risk of unauthorized access or misuse of sensitive information and systems. If an organization cannot identify who has privileged access, it becomes challenging to enforce security policies effectively, manage access controls, and monitor for suspicious activity related to those accounts. This identification also lays the groundwork for implementing other controls, such as regular audits and reviews of access permissions.

In contrast, the other choices do not align with the responsibilities outlined in CMMC. Preventing users from accessing non-privileged functions could obstruct legitimate activities necessary for job performance. Allowing all users equal access undermines the security posture by eliminating necessary access controls and could expose sensitive data to all personnel. Similarly, failing to enforce session logging for privileged accounts would compromise accountability and visibility over privileged actions, which runs contrary to good security practices.
