CMMC 2.0 • LEVEL 1 • ACCESS CONTROL

AC.L1-3.1.2 Access Enforcement

Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions. Access control policies are defined in 03.15.01.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • approved authorizations for logical access to CUI are enforced in accordance with applicable access control policies.
  • approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.
