AC - Access Control Domain Notes
CMMC Domain: AC (Access Control)
NIST 800-171 Family: 3.1.x
Controls: AC.L1-3.1.1 through AC.L2-3.1.22 (22 total for L2)
AC.L2-3.1.11 - SESSION TERMINATION
Control: Terminate (automatically) user sessions after a defined condition.
Community Interpretation Debate
- Conflicting info circulates: applies to RDP/VPN remote only, or ALL sessions including local?
- Answer (community consensus): ALL sessions (local, remote, RDP), but YOU define the condition and timeout
- The control says "conditions requiring session termination are defined", so YOU choose the condition
- Inactivity timeout is logical but not mandatory; other conditions (misbehavior, maintenance) also valid
Practical Solutions
- Entra Conditional Access Policy: Set session sign-in frequency (e.g., 72 hours works; M365 UI caps display at 23 hours but you can set it to 72h). One org used this and "met the objective."
- Screen lock counts: Locking the workstation satisfies the control in many assessors' views (engineers running long simulations don't need to log out; locking is sufficient)
- Long-running simulations: Can reclassify asset as "Specialized Asset" if simulations genuinely can't be interrupted (Rev 3 ODPs)
- Also address SC.L2-3.13.9 (network connection termination) at the same time; it can be handled in the same Conditional Access policy
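An added example, not taken from the thread or from any org's configuration, of creating the sign-in-frequency policy described above with the Microsoft Graph PowerShell SDK in report-only mode; the display name, the 72-hour value and the All-users/All-apps scope are assumptions to replace with your own defined condition.

```powershell
# Added example (not from the thread). Assumes the Graph PowerShell SDK is installed
# and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess.
# The display name, 72h value and All/All scope are placeholders for your own ODP.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    displayName = "CMMC AC.L2-3.1.11 - session sign-in frequency (72h)"
    # Report-only first: review sign-in logs for impact before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
    }
    sessionControls = @{
        # Forces re-authentication once the defined period has elapsed (the
        # "defined condition" the control asks you to choose).
        signInFrequency = @{
            isEnabled         = $true
            value             = 72
            type              = "hours"
            frequencyInterval = "timeBased"
        }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Evidence: read the policy back and file the output with the SSP entry
# alongside the portal screenshot.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "SignInFrequency"
           e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
```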
Evidence Tips
- Screenshot of Conditional Access policy configuration
- Document the defined inactivity period in your SSP
Source: https://old.reddit.com/r/CMMC/comments/1rkubyj/ (2026-03-04)
AC.L2-3.1.20 - EXTERNAL CONNECTIONS
Control: Verify and control/limit connections to external systems.
- Caused active internal debate within at least one org during readiness
- Source: mentioned in https://old.reddit.com/r/CMMC/comments/1qd79o6/ (2026-01-14)
General AC Domain Notes
Scoping is the Foundation
- Define CUI flow BEFORE mapping any AC controls
- "YOU MUST KNOW WHERE THE CUI COMES FROM, GOES TO, AND WHERE IT'S PROCESSED BY YOUR BUSINESS"
- Scoping is the #1 reason orgs fail to get assessed at all
- Source: lotsofxeons megathread + Navyauditor2 (2025-2026)
Evidence Pre-Submission Strategy
- One org pre-submitted 80 evidence artifacts; the AC domain session went from 2 hours planned to 45 minutes actual
- Source: mcb1971 in megathread https://old.reddit.com/r/CMMC/comments/1owyb9a/ (2026-01)
Privileged Accounts (Linux)
- Linux environments: How to define and manage privileged accounts?
- Role-based access control for sudo access is a common approach
- Developers needing constant local admin: tension with least privilege; define approved elevated use
- Source: https://old.reddit.com/r/CMMC/comments/1ova7nt/ (2026-01, question raised in comments)
MFA / M365 GCC High
- MFA via Microsoft Authenticator (built into M365 stack) satisfies many AC + IA controls
- Entra ID Conditional Access is the primary mechanism for enforcement
Related Posts
- Session Termination thread - 2026-03-04
- MFA Confusion - 2026-03-05
- Controlling the flow of CUI - 2026-02-05