Evidence – AC.L2-3.1.1
Limit System Access to Authorized Users
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.1, which requires system access to be limited to authorized users, processes, and authorized devices.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- Only approved users have access to the CMMC enclave
- Users are uniquely identified
- Only authorized and managed devices are permitted
- Access is reviewed and maintained over time
Evidence Artifacts
1. Authorized User Accounts
Evidence demonstrating authorized users may include:
- Export or screenshot of identity provider user list
- User access approval records
- Account status showing enabled/disabled users
Examples of acceptable sources:
- Microsoft Entra ID user directory
- Google Workspace or Cloud Identity user directory
- Other centralized identity provider user listings
2. Authentication Enforcement
Evidence demonstrating authentication controls may include:
- Authentication policy configuration
- Multi-factor authentication enforcement settings
- Authentication or sign-in logs
Examples of acceptable sources:
- Entra ID authentication or sign-in logs
- Google Workspace login audit logs
- Identity provider security reports
3. Authorized Devices
Evidence demonstrating authorized devices may include:
- Device inventory or enrollment records
- Endpoint management console listings
- Asset inventory records
Examples of acceptable sources:
- Microsoft Intune device inventory
- Google Endpoint Management device list
- Other managed device inventory systems
4. Access Review and Removal
Evidence demonstrating ongoing authorization may include:
- Periodic access review records
- User termination or role-change records
- Account disablement or removal logs
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
This document identifies example evidence artifacts only. Organizations may use different tools or platforms provided the same objectives are met and evidence is available.