CMMC Access Control: A Deep Dive
EXECUTIVE BRIEF
Access Control (AC) is one of the 14 security domains that defense contractors must implement to achieve CMMC Level 2 Certification. This domain has 22 associated security controls that will be tested during their assessment. Here is what defense contractors need to know:
- Access Control refers to policies, procedures, and mechanisms limiting access to systems, networks, and data
- Key requirements include: implementing the principle of least privilege, data encryption, and monitoring audit logs
Dig deeper and continue learning below!
Among the 14 key control families identified in NIST SP 800-171, access control (AC) is one of the most critical. This guide examines the access control requirements for Cybersecurity Maturity Model Certification (CMMC)—particularly for Level 2 certification—along with their practical implementation and how they align with broader compliance standards. By the end, you'll clearly understand how to meet these requirements and protect sensitive data.
Understanding CMMC Access Control
Access control refers to the policies, procedures, and mechanisms limiting access to systems, networks, and data to authorized individuals only. Its primary goal is to prevent unauthorized access to sensitive systems and information. For organizations operating in the Defense Industrial Base (DIB), implementing a strong access control framework is essential for protecting Controlled Unclassified Information (CUI), maintaining compliance, and securing your standing with the Department of Defense (DoD).
How Does CMMC Access Control Relate to NIST SP 800-171?
CMMC’s access control standards are derived directly from NIST SP 800-171A Rev2. For businesses pursuing CMMC Level 2 compliance, adhering to all 22 objective-level requirements tied to access control (alongside other domain practices) is mandatory.
A Breakdown of CMMC Levels and NIST Alignment
- CMMC Level 1 focuses on foundational practices, requiring compliance with 17 basic control practices for protecting Federal Contract Information (FCI) outlined in FAR 52.204-21. Four of the 17 practices fall under the access control family
- CMMC Level 2, the focus of this post, requires adherence to all 110 controls and 320 objectives outlined in NIST 800-171A Rev2, including the 22 aforementioned Access Control objectives
- CMMC Level 3 requires 24 additional controls beyond NIST SP 800-171, incorporating enhanced security practices from NIST SP 800-172. These include stronger access control policies such as role-based access control (RBAC) and the adoption of least privilege principles
Who Needs to Comply with CMMC Access Control Requirements?
The CMMC framework applies to Department of Defense (DoD) contractors and subcontractors that handle FCI or CUI. Not all DoD vendors require CMMC certification—it depends on contract requirements and data sensitivity.
Compliance requirements are based on whether an organization handles FCI, CUI, or other sensitive information:
- CMMC Level 1 is mandatory for contractors managing FCI but not CUI
- CMMC Level 2 applies to companies handling or contractually required to handle CUI
- CMMC Level 3 is for contractors working on highly sensitive applications critical to national information security
Most defense contractors will navigate CMMC Level 2, which requires the full implementation of the 22 access control practices laid out in NIST SP 800-171.
The 22 Access Control Requirements for CMMC Level 2
The CMMC Level 2 assessment guide outlines 22 distinct access control practices. Below is a detailed breakdown of these requirements from AC.L2-3.1.1 through AC.L2-3.1.22.
|
Control ID |
Control Name |
Overview |
|
AC.L2-3.1.1 |
AUTHORIZED ACCESS CONTROL [CUI DATA] |
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). |
|
AC.L2-3.1.2 |
TRANSACTION & FUNCTION CONTROL |
Limit system access to the types of transactions and functions that authorized users are permitted to execute. |
|
AC.L2-3.1.3 |
CONTROL CUI FLOW |
Control the flow of CUI in accordance with approved authorizations. |
|
AC.L2-3.1.4 |
SEPARATION OF DUTIES |
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
|
AC.L2-3.1.5 |
LEAST PRIVILEGE |
Employ the principle of least privilege, including for specific security functions and privileged accounts. |
|
AC.L2-3.1.6 |
NON-PRIVILEGED ACCOUNT USE |
Use non-privileged accounts or roles when accessing non-security functions. |
|
AC.L2-3.1.7 |
PRIVILEGED FUNCTIONS |
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. |
|
AC.L2-3.1.8 |
UNSUCCESSFUL LOGON ATTEMPTS |
Limit unsuccessful logon attempts. |
|
AC.L2-3.1.9 |
PRIVACY & SECURITY NOTICES |
Provide privacy and security notices consistent with applicable CUI rules. |
|
AC.L2-3.1.10 |
SESSION LOCK |
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity |
|
AC.L2-3.1.11 |
SESSION TERMINATION |
Terminate (automatically) a user session after a defined condition. |
|
AC.L2-3.1.12 |
CONTROL REMOTE ACCESS |
Monitor and control remote access sessions. |
|
AC.L2-3.1.13 |
REMOTE ACCESS CONFIDENTIALITY |
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
|
AC.L2-3.1.14 |
REMOTE ACCESS ROUTING |
Route remote access via managed access control points |
|
AC.L2-3.1.15 |
PRIVILEGED REMOTE ACCESS |
Authorize remote execution of privileged commands and remote access to security-relevant information. |
|
AC.L2-3.1.16 |
WIRELESS ACCESS AUTHORIZATION |
Authorize wireless access prior to allowing such connections. |
|
AC.L2-3.1.17 |
WIRELESS ACCESS PROTECTION |
Protect wireless access using authentication and encryption. |
|
AC.L2-3.1.18 |
MOBILE DEVICE CONNECTION |
Control connection of mobile devices. |
|
AC.L2-3.1.19 |
ENCRYPT CUI ON MOBILE |
Encrypt CUI on mobile devices and mobile computing platforms. |
|
AC.L2-3.1.20 |
EXTERNAL CONNECTIONS [CUI DATA] |
Verify and control/limit connections to and use of external systems. |
|
AC.L2-3.1.21 |
PORTABLE STORAGE USE |
Limit use of portable storage devices on external systems. |
|
AC.L2-3.1.22 |
CONTROL PUBLIC INFORMATION [CUI DATA] |
Control CUI posted or processed on publicly accessible systems. |
These policies ensure controlled access, protect sensitive data, and allow for audit-friendly recordkeeping.
ISI Insight: Clearly defined categories for access control make compliance implementation more structured and manageable. Tools like Identity and Access Management (IAM) systems can automatically handle many of these requirements.
Key Access Control Requirements Under CMMC
While all 22 practices are critical, the following measures stand out for their impact on compliance and security.
Least Privilege Principle
Access control under CMMC mandates the adoption of the least privilege principle. This means employees and users should only access the systems and data necessary to perform their job duties—nothing more.
Why it’s essential:
- Adopting this principle minimizes risks by limiting an individual’s potential impact in the event of a breach.
- It reduces the likelihood of accidental data leaks or insider threats.
ISI Insight: Assign roles and permissions based on job functions within your organization. Partner systems like Role-Based Access Controls (RBAC) help streamline this process. Review access permissions regularly to confirm they remain relevant.
Secure Remote Access
With remote work becoming the norm, securing remote access pathways to internal systems is a non-negotiable requirement. Remote sessions often introduce vulnerabilities that hackers target aggressively.
Why it’s essential:
- Secure Remote Access safeguards sensitive information that’s transmitted remotely.
- It blocks unauthorized access from potentially insecure devices.
ISI Insight: Encrypted Virtual Private Networks (VPNs) should be used for remote traffic, and endpoint detection solutions should be applied to scan device security. Ensure MFA covers remote access, too.
Session Management and Monitoring
Session management controls ensure users are properly authenticated and that their access is terminated either when they’re inactive or when it’s unnecessary.
Why it’s essential:
- It prevents unauthorized access to unattended workstations.
- It makes it easier to pinpoint access anomalies in real time.
ISI Insight: Enable session timeouts in all user-access systems after a predefined period of inactivity. This precaution ensures that forgotten login sessions won’t remain exposed.
Data Encryption and Protection
Under CMMC guidelines, encryption of sensitive data in transit and at rest is a core mandate. However, data and communication protection extends beyond encryption to include secure access methods for stored CUI.
Why it’s essential:
- These practices ensure that intercepted data (e.g., during transmission) remains unreadable to attackers.
- They meet both contractual and regulatory requirements for CUI protection.
ISI Insight: Encryption processes should use Advanced Encryption Standard (AES) algorithms with a minimum of 256 bits. Also, when storing or transmitting CUI, FIPS Validated encryption must be used.
Monitoring and Audit Logs
Effectively monitoring user access and generating audit logs is instrumental in detecting personnel security incidents. These measures ensure any suspicious behavior is flagged and investigated proactively.
Why it’s essential:
- It helps detect unauthorized control access attempts.
- It provides a digital paper trail for incident response and investigations.
ISI Insight: Use Security Information and Event Management (SIEM) tools to automate log reviews and correlate activities to detect risk better. Maintain records for set periods to comply with audits.
Restricting External and Portable Devices
One underappreciated threat vector is the use of personal hardware or unapproved external storage devices. Access control requirements emphasize the need for strict control and monitoring of device connections to prevent data breaches.
Why it’s essential:
- It reduces risk from malware introduced via portable device.
- It prevents unauthorized data replication or theft.
ISI Insight: Use endpoint management tools to regulate device connections. Disable USB ports where possible and maintain an inventory of approved external devices for CUI transfer.
How to Implement Access Control Policies to Meet CMMC Requirements
Strong access control practices not only ensure compliance but also build trust with the DoD, improving your competitive edge in contract bids.
Challenges
Implementing robust access controls presents several challenges, including:
- Managing User Roles: Defining and administering roles across an organization requires strategic planning to ensure each user has access only to what they need.
- Enforcing the Principle of Least Privilege: It can be difficult to limit access rights to the minimum necessary for employees to perform their duties, especially in large, dynamic organizations.
- Maintaining Compliance Documentation: It’s an ongoing administrative challenge to keep accurate, up-to-date records demonstrating compliance with access control requirements.
Best Practices
To meet CMMC standards and secure your organization's sensitive information, defense contractors should follow these best practices for access control implementation.
- Review and update user access lists regularly. Conduct routine audits of user accounts to ensure access rights align with job responsibilities. Remove access for inactive accounts or employees who have left the organization.
- Use automation tools to track and enforce policies. Implement systems to streamline access management. Advanced solutions, such as those that enforce MFA and integrate with audit logs, can automatically track, document, and maintain access control policies.
- Regularly update your System Security Plan (SSP). As you update or implement new tools and policies, make sure you are regularly updating your SSP to ensure all your documentation reflects your enhanced cybersecurity posture.
Compliance Strategies for Defense Contractors
The path to access control compliance under CMMC requires a strategic approach. Follow these actionable steps to ensure your organization is prepared to meet the standards at CMMC Level 1, Level 2, or beyond.
1. Conduct a Gap Analysis
Evaluate your existing access control practices to identify gaps with CMMC requirements. This includes reviewing processes for managing user accounts, tracking access activities, and applying the least privilege principle.
2. Develop and Implement Access Control Policies
Establish clear access control policies and procedures based on identified gaps. Make these policies a part of your System Security Plan (SSP) to ensure they’re well-documented for risk assessments.
3. Leverage Security Tools
Adopt IAM systems, MFA solutions, and other cybersecurity tools to automate and enforce access control measures. For example, implementing session locks and encryption ensures compliance with access-related security controls.
4. Train Your Workforce on Secure Access Protocols
Provide ongoing education for all employees, reinforcing the importance of compliance with access policies. Address topics such as the secure use of external systems, how to identify vulnerabilities, and how employees can help safeguard sensitive data.
5. Engage in Continuous Monitoring and Improvement
Regularly assess and fine-tune access control systems to adapt to evolving threats and operational changes. Proactive monitoring helps maintain compliance and secure sensitive data.
Types of Access Control Technologies Required for CMMC Compliance
Defense contractors will need a range of technologies to meet CMMC access control requirements. These include:
- IAM: Tools like Microsoft Azure Active Directory or Okta ensure permissions are consistently managed and monitored across your organization.
- MFA: MFA adds an indispensable extra layer of security for user authentication, a requirement under AC.L2 practices.
- Audit and Monitoring Tools: Solutions that track and maintain detailed audit logs for all access activities help fulfill compliance reporting requirements.
- Physical Access Security Systems: Biometric devices, secure card readers, and cameras offer physical protection for where sensitive data is stored.
Implement CMMC Access Controls with ISI
Implementing cybersecurity practices that meet CMMC requirements—or even exceed them—can be a significant competitive differentiator for your business. But navigating the complexities of CMMC compliance by yourself can be challenging. At ISI, we specialize in simplifying the compliance process for defense contractors. Our expert team provides hands-on assistance with developing access control policies, implementing security controls, and ensuring your organization continuously meets CMMC requirements.
Contact ISI today to learn how we can support your compliance and cybersecurity needs.
FAQs about CMMC Access Control
What Are the 4 Types of Access Control?
The four main types are discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and attribute-based access control (ABAC). These models specify how access rights are assigned based on user identity, organizational roles, or specific rules.
What Is the Least Privilege Principle in Access Control?
This principle ensures that users are granted only the access necessary to perform their job functions. It minimizes the risk of accidental data breaches and unauthorized access to sensitive systems.
What Are the Consequences of Failing to Meet CMMC Access Control Standards?
Non-compliance can result in several repercussions, including disqualification from bidding on future DoD contracts, loss of current contracts, financial penalties, heightened security risks, and reputational damage. Proactively pursuing compliance is a cost-effective way to safeguard your business.
How Often Do Access Controls Need To Be Audited for CMMC Compliance?
All three CMMC levels require annual affirmations that involve auditing of your access control practices. On top of that, CMMC Level 2 requires a triennial audit of your practices by a CMMC Third-Party Assessor Organization (C3PAO), and Level 3 requires a triennial audit by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
