AC.L2-3.1.2 – Limit System Access to Authorized Transactions and Functions
Control Intent
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Control Response
The organization limits system access so that authorized users are permitted to execute only those transactions and functions necessary to perform their assigned job responsibilities within the CMMC enclave.
Access permissions are assigned based on defined roles. Roles are designed to align with job functions and contract requirements involving Controlled Unclassified Information (CUI). Users are granted access privileges consistent with their assigned role and are not permitted to perform functions outside that role without explicit authorization.
In environments using Microsoft Entra ID, access to systems and applications is restricted through role-based access control and group membership. Administrative privileges are assigned only to users with an operational need for such access. In environments using Google Workspace or Google Cloud Identity, administrative roles and application permissions are assigned based on job function and are limited to the minimum necessary.
Privileged and administrative functions are restricted to authorized accounts and are not available to standard user accounts. Changes to role assignments or access privileges require approval and are documented.
Access privileges are reviewed periodically and upon role change to ensure users retain only the permissions necessary to perform authorized functions.
Objective Responses
AC.2.004 – Access privileges are defined
Access privileges are defined through documented roles that specify permitted system transactions and functions.
AC.2.005 – Access privileges are enforced
Systems enforce access restrictions using role-based access control mechanisms that prevent users from executing unauthorized transactions or functions.
Evidence References
Evidence supporting this control includes role definitions, role assignments, system permission configurations, and access review records generated by identity providers and applications.
Continuous Monitoring
Role assignments and access privileges are reviewed at least quarterly and upon role change. Reviews are documented and tracked through the organization’s compliance or task management process.
Common Findings
- Users assigned excessive permissions
- Administrative access granted without documented justification
- Privileged access not reviewed periodically
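The following Python script is an added illustration, not part of this control response or any organization's tooling. It shows the two objectives above in working form: role definitions that state which functions each role may execute (AC.2.004), an enforcement check that consults only the role definition (AC.2.005), and a quarterly access review that reports the three common findings listed above. The role names, function names, accounts, dates and the 90-day review interval are all constructed for the example; a real review would read role assignments and effective permissions from the identity provider.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Role definitions (constructed for this example): each role lists the
# transactions and functions its holders are permitted to execute.
ROLE_PERMISSIONS = {
    "standard_user": {"read_cui", "submit_timesheet"},
    "cui_analyst": {"read_cui", "edit_cui", "submit_timesheet"},
    "enclave_admin": {"read_cui", "manage_users", "reset_password", "view_audit_log"},
}

# Functions treated as privileged/administrative; holding any of them
# requires a documented justification.
ADMIN_FUNCTIONS = {"manage_users", "reset_password", "view_audit_log"}

# Reviews must occur at least quarterly (assumed as 90 days here).
REVIEW_INTERVAL = timedelta(days=90)

# Review date used for the sample run (constructed).
REVIEW_DATE = date(2024, 6, 1)


@dataclass
class Account:
    name: str
    role: str
    # Permissions the identity provider actually grants (for example via
    # group membership). These can drift from the role definition; the
    # review below detects that drift.
    granted: set
    last_reviewed: date
    admin_justification: str = ""


def is_authorized(account, function):
    """Enforcement check: permit a function only if the account's role defines it.

    Note that the decision is made against the role definition, not against
    whatever the account happens to have been granted.
    """
    return function in ROLE_PERMISSIONS.get(account.role, set())


def review_account(account, today):
    """Access review for one account; returns a list of finding strings."""
    findings = []
    expected = ROLE_PERMISSIONS.get(account.role, set())

    # Finding 1: permissions beyond those the assigned role defines.
    excess = account.granted - expected
    if excess:
        findings.append("excessive permissions: " + ", ".join(sorted(excess)))

    # Finding 2: administrative functions held without a documented reason.
    if account.granted & ADMIN_FUNCTIONS and not account.admin_justification:
        findings.append("administrative access without documented justification")

    # Finding 3: the quarterly review is overdue for this account.
    overdue_by = today - account.last_reviewed
    if overdue_by > REVIEW_INTERVAL:
        findings.append(f"access not reviewed in {overdue_by.days} days (quarterly review overdue)")

    return findings


def review_accounts(accounts, today):
    """Run the review over all accounts; returns {name: findings} for accounts with findings."""
    report = {}
    for account in accounts:
        findings = review_account(account, today)
        if findings:
            report[account.name] = findings
    return report


# Constructed sample accounts for this example.
SAMPLE_ACCOUNTS = [
    Account("alice", "standard_user", {"read_cui", "submit_timesheet"}, date(2024, 5, 1)),
    # bob has been granted edit_cui through a group his role does not define.
    Account("bob", "standard_user", {"read_cui", "submit_timesheet", "edit_cui"}, date(2024, 5, 1)),
    # carol holds admin functions with no justification and an overdue review.
    Account("carol", "enclave_admin",
            {"read_cui", "manage_users", "reset_password", "view_audit_log"}, date(2024, 1, 10)),
    # dave's admin access is justified and recently reviewed.
    Account("dave", "enclave_admin",
            {"read_cui", "manage_users", "reset_password", "view_audit_log"}, date(2024, 5, 1),
            admin_justification="CHG-0042 (placeholder ticket): enclave administrator"),
]


def run_sample_review():
    """Review the sample accounts as of REVIEW_DATE."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for name, findings in run_sample_review().items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Two points the sample run makes clear: `is_authorized` refuses `edit_cui` for bob even though the identity provider has granted it to him, because enforcement follows the role definition; and the review, rather than enforcement, is what surfaces that his granted permissions have drifted from his role. Each finding maps to an entry in the Common Findings list, which makes the report usable directly as the documented review record this control expects.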