CMMC Readiness: Access Control Pack Exemplar
Stella Maris Governance LLC. Redacted structural exemplar, not a complete client deliverable.
Control Objective
Establish and enforce access control policies that limit information system access to authorized users, processes, and devices in accordance with NIST SP 800-171 requirements. This pack governs how organizations define, implement, and validate access boundaries for systems processing, storing, or transmitting Controlled Unclassified Information (CUI).
Control Structure
| Control ID | Objective | Evidence Required | Framework Mapping |
|---|---|---|---|
| AC-01 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems) | Access control policy document, user access authorization records, system access approval workflow documentation | NIST 800-171 3.1.1 / CMMC AC.L2-3.1.1 |
| AC-02 | Limit system access to the types of transactions and functions that authorized users are permitted to execute | Role-based access matrix, least privilege implementation records, access rights review documentation | NIST 800-171 3.1.2 / CMMC AC.L2-3.1.2 |
| AC-03 | Control the flow of CUI in accordance with approved authorizations | Data flow diagrams, CUI boundary documentation, information flow enforcement mechanism records | NIST 800-171 3.1.3 / CMMC AC.L2-3.1.3 |
| AC-04 | Separate duties of individuals to reduce risk of malevolent activity without collusion | Separation of duties matrix, role conflict analysis, compensating control documentation | NIST 800-171 3.1.4 / CMMC AC.L2-3.1.4 |
| AC-05 | Employ the principle of least privilege, including for specific security functions and privileged accounts | Privileged account inventory, least privilege justification records, periodic access review logs | NIST 800-171 3.1.5 / CMMC AC.L2-3.1.5 |
This exemplar displays a representative subset of controls from a structured 10-control pack maintained within the firm's private governance system. Full pack available through advisory engagement.
Evidence Traceability
| Control | Evidence Artifact | Storage Location | Review Cadence |
|---|---|---|---|
| AC-01 | Access Control Policy (ACP-001) | Controlled Governance Repository | Annual review, event-driven update |
| AC-02 | Role-Based Access Matrix (RBAM-001) | Controlled Governance Repository | Quarterly validation |
| AC-03 | CUI Data Flow Diagram (DFD-001) | Controlled Governance Repository | Semi-annual review |
| AC-04 | Separation of Duties Matrix (SDM-001) | Controlled Governance Repository | Annual review |
| AC-05 | Privileged Account Inventory (PAI-001) | Controlled Governance Repository | Quarterly validation |
Implementation Guidance
Access control implementation begins with establishing a formal CUI boundary definition and mapping all system components that process, store, or transmit controlled information. Organizations should implement role-based access control aligned to documented job functions, with quarterly access reviews validating continued authorization. Evidence should demonstrate both policy existence and operational enforcement through access logs, review records, and approval workflows.
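The quarterly access review described above is only evidence if it is reproducible: the reviewer has to show which grants were compared against which approved role matrix and what was flagged. The script below is an added illustration of that reconciliation, not code from the Stella Maris pack. It assumes a role-based access matrix (in the shape of RBAM-001), a list of separation-of-duties conflicts (in the shape of SDM-001), and a user export from the directory; all three data sets are constructed sample data. It emits findings tagged with the control they support (AC-02 access without a role, AC-04 conflicting entitlements, AC-05 grants not justified by any role), which is the record the review cadence in the traceability table asks for.

```python
"""Access review reconciliation (added example, not part of the original pack).

Compares the entitlements each user actually holds against what the approved
role matrix allows, and checks separation-of-duties conflicts.  Every data set
below is constructed sample data standing in for RBAM-001, SDM-001 and an
IdP/directory export.
"""
from dataclasses import dataclass

# Constructed sample role-based access matrix: role -> entitlements it justifies.
ROLE_MATRIX = {
    "cui-analyst": {"cui-share:read", "cui-share:write"},
    "cui-reviewer": {"cui-share:read", "cui-share:approve"},
    "sysadmin": {"server:admin", "cui-share:read"},
}

# Constructed sample separation-of-duties pairs: one person must not hold both.
SOD_CONFLICTS = [
    ("cui-share:write", "cui-share:approve"),  # author must not approve own CUI
]

# Constructed sample directory export: assigned roles and currently held grants.
USERS = [
    {"user": "alice", "roles": ["cui-analyst"],
     "grants": {"cui-share:read", "cui-share:write"}},
    {"user": "bob", "roles": ["cui-reviewer"],
     "grants": {"cui-share:read", "cui-share:approve", "server:admin"}},
    {"user": "carol", "roles": ["cui-analyst", "cui-reviewer"],
     "grants": {"cui-share:read", "cui-share:write", "cui-share:approve"}},
    {"user": "dave", "roles": [],
     "grants": {"cui-share:read"}},
]


@dataclass(frozen=True)
class Finding:
    user: str
    control: str   # pack control the finding is evidence for (AC-02, AC-04, AC-05)
    detail: str


def expected_grants(roles):
    """Union of entitlements the role matrix justifies for the given roles."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_MATRIX.get(role, set())
    return allowed


def review_user(record):
    """Return findings for one user record; an empty list means no exception."""
    findings = []
    user, roles, grants = record["user"], record["roles"], record["grants"]

    # AC-05: any grant that no assigned role justifies violates least privilege.
    for grant in sorted(grants - expected_grants(roles)):
        findings.append(Finding(user, "AC-05",
                                f"grant not justified by any assigned role: {grant}"))

    # AC-04: holding both halves of a conflict pair defeats separation of duties,
    # even when each grant is individually justified by a role (see carol).
    for a, b in SOD_CONFLICTS:
        if a in grants and b in grants:
            findings.append(Finding(user, "AC-04",
                                    f"conflicting entitlements held together: {a} + {b}"))

    # AC-02: access with no assigned role has no documented job function behind it.
    if not roles and grants:
        findings.append(Finding(user, "AC-02", "access granted with no assigned role"))
    return findings


def run_review(users=USERS):
    """Run the review over every record and return the full findings list."""
    findings = []
    for record in users:
        findings.extend(review_user(record))
    return findings


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.control}\t{f.user}\t{f.detail}")
```

The point of tagging each finding with the pack control it evidences is that the same review run produces artifacts for three rows of the traceability table at once; the reviewer's sign-off on the output, not the script, is what closes the quarterly cadence.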
Assessment Alignment
This pack is structured for third-party assessor review. Control objectives map directly to NIST SP 800-171 Section 3.1 requirements and CMMC Level 2 Access Control domain practices. Evidence artifacts are version-controlled and traceable within the firm's controlled governance repository. Assessment preparation includes pre-review validation of evidence completeness, artifact currency, and traceability to specific control objectives.
Stella Maris Governance. Pre-Assessment Readiness Validation. stellamarisgovernance.com