
CMMC Deep Dive: Access Control (AC)

A detailed guide to the Access Control (AC) domain within the CMMC framework, covering key practices, compliance requirements, and best practices.

Published: June 25th, 2024 | By: CMMC Dashboard Team | Last updated: August 7th, 2025

Tags: Access Control, AC, Least Privilege, CMMC

This article is part of our series on The 14 CMMC Domains.

The Access Control (AC) domain is the cornerstone of cybersecurity, focusing on who is permitted to access your systems and data, and what they are allowed to do. It's about enforcing the principle of least privilege to minimize risk from both external and internal threats.

Why It Matters

A failure in access control can render all other security measures useless. If an unauthorized user gains access, they can potentially exfiltrate data, install malware, or cause significant disruption. This domain ensures that access rights are strictly managed throughout the user lifecycle.

Key Practices

  • AC.L1-3.1.1: Limit system access to authorized users and processes.
  • AC.L1-3.1.22: Control information posted on publicly accessible systems.
  • AC.L2-3.1.2: Limit access to the types of transactions and functions users are permitted to execute.
  • AC.L2-3.1.3: Control the flow of CUI in accordance with approved authorizations.
  • AC.L2-3.1.5: Employ the principle of least privilege.
  • AC.L2-3.1.12: Monitor and control remote access sessions.

What Assessors Look For

  • A documented Access Control Policy.
  • Evidence of an account management process (creation, modification, deletion).
  • System configurations demonstrating the enforcement of least privilege (e.g., role-based access control).
  • Logs showing remote access monitoring.
  • Proof of regular access reviews.
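The practices above (AC.L2-3.1.2, AC.L2-3.1.5) and the evidence assessors ask for (role-based access control, an account management process, regular access reviews) are easier to reason about with a concrete model. The following is an added example written for this article, not code from the CMMC Dashboard team or from any CMMC tool. It models a deny-by-default role-based access control check and a simple periodic access review over a constructed set of accounts; every role name, permission, username and date in it is hypothetical.

```python
"""
Added illustration: deny-by-default RBAC authorization plus an access review.
All roles, permissions, accounts and dates below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

# Role -> set of permitted (resource, action) pairs.  Anything not listed here
# is denied, which is how least privilege is enforced: a role grants only the
# transactions and functions its holders need (AC.L2-3.1.2, AC.L2-3.1.5).
ROLE_PERMISSIONS = {
    "cui_reader": {("cui_share", "read")},
    "cui_editor": {("cui_share", "read"), ("cui_share", "write")},
    "helpdesk":   {("user_directory", "read"), ("user_directory", "reset_password")},
    "auditor":    {("audit_logs", "read")},
}


@dataclass
class Account:
    username: str
    roles: Set[str] = field(default_factory=set)
    enabled: bool = True
    last_login: Optional[date] = None      # None = never signed in
    last_reviewed: Optional[date] = None   # None = never covered by an access review


def is_authorized(account: Account, resource: str, action: str) -> bool:
    """Return True only if an enabled account holds a role that explicitly
    grants (resource, action).  Unknown roles grant nothing."""
    if not account.enabled:
        return False
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in account.roles)


def access_review_findings(accounts, today: date,
                           max_idle_days: int = 90,
                           review_period_days: int = 180):
    """Flag enabled accounts an access review should act on.  Thresholds are
    example values, not figures from the CMMC framework."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already out of scope
        if acct.last_login is None:
            findings.append((acct.username, "never_used"))
        elif (today - acct.last_login).days > max_idle_days:
            findings.append((acct.username, "inactive"))
        if acct.roles - ROLE_PERMISSIONS.keys():
            findings.append((acct.username, "unknown_role"))
        if (acct.last_reviewed is None
                or (today - acct.last_reviewed).days > review_period_days):
            findings.append((acct.username, "review_overdue"))
    return findings


# Constructed sample data (hypothetical people and dates).
TODAY = date(2025, 8, 7)
ACCOUNTS = {
    "alice": Account("alice", {"cui_editor"}, last_login=TODAY - timedelta(days=3),
                     last_reviewed=TODAY - timedelta(days=30)),
    "bob":   Account("bob", {"helpdesk"}, last_login=TODAY - timedelta(days=120),
                     last_reviewed=TODAY - timedelta(days=30)),
    "carol": Account("carol", {"cui_reader"}),
    "dave":  Account("dave", {"cui_editor"}, enabled=False),
    "erin":  Account("erin", {"domain_admin"}, last_login=TODAY - timedelta(days=1),
                     last_reviewed=TODAY - timedelta(days=10)),
}


def demo():
    """Run the checks over the sample accounts and return both results."""
    decisions = {
        "alice_write_cui": is_authorized(ACCOUNTS["alice"], "cui_share", "write"),
        "bob_read_cui":    is_authorized(ACCOUNTS["bob"], "cui_share", "read"),
        "dave_read_cui":   is_authorized(ACCOUNTS["dave"], "cui_share", "read"),
        "erin_read_cui":   is_authorized(ACCOUNTS["erin"], "cui_share", "read"),
    }
    return decisions, access_review_findings(ACCOUNTS.values(), TODAY)


if __name__ == "__main__":
    decisions, findings = demo()
    for name, allowed in decisions.items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
    for user, issue in findings:
        print(f"review finding: {user} -> {issue}")
```

Two design choices matter for an assessment. First, authorization is deny-by-default: a disabled account or a role not defined in the permission table (erin's `domain_admin`) grants nothing, so a misconfiguration fails closed. Second, the review function produces the kind of output that backs the "proof of regular access reviews" and "account management process" evidence items: a dated list of inactive, never-used, unreviewed and mis-roled accounts that can be actioned and retained.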