
AC.L2-3.1.1 – Limit System Access to Authorized Users

Control Intent

Limit system access to authorized users, processes acting on behalf of authorized users, and authorized devices.


Control Response

The organization limits system access to authorized users, processes, and devices within the CMMC enclave. Access is centrally managed through an identity provider and granted only after documented approval by management.

Each user is assigned a unique user account. Shared, group, or generic user accounts are not permitted. User accounts are associated with defined roles that align with job responsibilities and contract requirements involving Controlled Unclassified Information (CUI).

User authentication is enforced through the organization’s identity platform. In environments using Microsoft Entra ID, all users accessing the enclave are provisioned as named user accounts within the Entra ID tenant and are required to authenticate using organization-defined authentication policies. In environments using Google Workspace or Google Cloud Identity, users are provisioned within the organization’s managed domain and authenticated through Google’s centralized identity services.

Access to the enclave is restricted to authorized and managed devices. Devices permitted to access CUI are enrolled in the organization’s device management solution and tracked in an asset inventory. Devices that are not managed or approved are not authorized to access the enclave.

User access is reviewed periodically, and again upon role change or termination, to confirm that each account is still authorized and that its assigned role still matches the user's responsibilities. Accounts that are no longer required are disabled promptly upon notification of the change and removed once they are no longer needed for record-keeping.


Objective Responses

AC.1.001 – Authorized users are identified

Authorized users are identified through the organization’s centralized identity provider. Each user is issued a unique account that is approved prior to provisioning and associated with a defined role.

AC.1.002 – Authorized devices are identified

Authorized devices are identified through device enrollment and asset tracking. Only organization-managed devices are permitted to access the CMMC enclave.

AC.1.003 – System access is limited to authorized users

System access is limited through identity- and device-based access controls: a user who has not been provisioned and approved in the identity provider, or a device that is not enrolled in the managed-device inventory, is denied access to systems that process CUI.


Evidence References

Evidence supporting this control includes identity provider user listings, device inventories, access authorization records, and authentication logs generated by the organization’s identity and device management platforms.


Continuous Monitoring

User and device access authorizations are reviewed at least quarterly and upon significant personnel or system changes. Reviews are documented and tracked through the organization’s compliance or task management process.
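The access review described above, and the evidence listed under Evidence References, can be reconciled mechanically: export the identity provider's user listing, the access authorization records, the HR status feed, the managed-device inventory and the authentication log, then flag every enabled account or successful sign-in that is not backed by the other records. The script below is an added example, not part of the original page or of any vendor tooling; the record layouts, field names, the generic-account name pattern and the 90-day dormancy threshold are assumptions, and all input data is constructed inline.

```python
"""Access review for AC.L2-3.1.1: reconcile IdP users against authorization
records, HR status and the managed-device inventory.

Added example, not the page's own procedure. Field names, the generic-account
pattern and the dormancy threshold are assumptions; all data is constructed."""
import re
from datetime import date

# Constructed IdP user export (the shape of an Entra ID or Google Workspace
# listing is assumed; only upn / enabled / last_sign_in are used).
IDP_USERS = [
    {"upn": "alice@example.test",     "enabled": True,  "last_sign_in": "2024-06-20"},
    {"upn": "bob@example.test",       "enabled": True,  "last_sign_in": "2024-02-01"},
    {"upn": "carol@example.test",     "enabled": True,  "last_sign_in": "2024-06-18"},
    {"upn": "frontdesk@example.test", "enabled": True,  "last_sign_in": "2024-06-19"},
    {"upn": "erin@example.test",      "enabled": True,  "last_sign_in": "2024-06-25"},
    {"upn": "dave@example.test",      "enabled": False, "last_sign_in": "2023-11-02"},
]

# Constructed access authorization records: one documented approval per account.
APPROVALS = {
    "alice@example.test": {"role": "engineer", "approved_by": "mgr1", "approved_on": "2024-01-05"},
    "bob@example.test":   {"role": "engineer", "approved_by": "mgr1", "approved_on": "2024-01-05"},
    "carol@example.test": {"role": "analyst",  "approved_by": "mgr2", "approved_on": "2024-03-11"},
}

# Constructed HR status feed; anyone missing from it is treated as not active.
HR_STATUS = {
    "alice@example.test": "active",
    "bob@example.test":   "active",
    "carol@example.test": "terminated",
    "erin@example.test":  "active",
    "dave@example.test":  "terminated",
}

# Constructed managed-device inventory and authentication log entries.
MANAGED_DEVICES = {"DEV-001", "DEV-002"}
SIGN_INS = [
    {"upn": "alice@example.test",     "device_id": "DEV-001",   "result": "success"},
    {"upn": "carol@example.test",     "device_id": "DEV-002",   "result": "success"},
    {"upn": "frontdesk@example.test", "device_id": "BYOD-77",   "result": "success"},
    {"upn": "bob@example.test",       "device_id": "UNKNOWN-9", "result": "failure"},
]

# Assumed heuristic for names that suggest a shared or generic account.
GENERIC_NAMES = re.compile(r"^(shared|generic|admin|frontdesk|reception|test)\d*@", re.I)
DORMANT_DAYS = 90  # assumed threshold for "no longer required"


def review_accounts(idp_users, approvals, hr_status, as_of):
    """Return (upn, finding) pairs for every enabled account that lacks an
    approval, belongs to a non-active person, looks generic, or is dormant."""
    findings = []
    for user in idp_users:
        upn = user["upn"]
        if not user["enabled"]:
            continue  # already disabled: no access to review
        if upn not in approvals:
            findings.append((upn, "NO_AUTHORIZATION_RECORD"))
        if hr_status.get(upn) != "active":
            findings.append((upn, "ENABLED_WITHOUT_ACTIVE_HR_STATUS"))
        if GENERIC_NAMES.match(upn):
            findings.append((upn, "POSSIBLE_SHARED_OR_GENERIC_ACCOUNT"))
        if (as_of - date.fromisoformat(user["last_sign_in"])).days > DORMANT_DAYS:
            findings.append((upn, "DORMANT_ACCOUNT"))
    return sorted(findings)


def review_device_access(sign_ins, managed_devices):
    """Return (upn, device_id, finding) for successful sign-ins from devices
    that are not in the managed inventory. Failures are left to the SOC."""
    findings = {
        (e["upn"], e["device_id"], "SUCCESSFUL_SIGN_IN_FROM_UNMANAGED_DEVICE")
        for e in sign_ins
        if e["result"] == "success" and e["device_id"] not in managed_devices
    }
    return sorted(findings)


def run_review(as_of=date(2024, 6, 30)):
    """Run both reviews against the constructed data as of a review date."""
    return {
        "accounts": review_accounts(IDP_USERS, APPROVALS, HR_STATUS, as_of),
        "devices": review_device_access(SIGN_INS, MANAGED_DEVICES),
    }


if __name__ == "__main__":
    for section, items in run_review().items():
        print(section)
        for item in items:
            print("  ", *item)
```

Each finding maps to an action the control expects: a missing authorization record means the account should be disabled until approval is documented; an enabled account with a terminated HR status is an offboarding failure; a generic name needs to be confirmed as a named account or removed; a successful sign-in from a device outside the inventory is either a gap in enrollment or an access-policy bypass and belongs in the incident queue. Keeping the script's output with the review ticket gives the documented, trackable record this section calls for.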


Common Findings