CMMC Requirement AC.L2-3.1.2 – Transaction & Function Control: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Links to Publicly Available Resources
This document provides self-assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 1. This guide is intended to provide small and medium-sized organizations with guidance for using Microsoft 365 (M365) to satisfy the Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements. Microsoft Entra ID meets identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To be compliant with requirements in CMMC, it's the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD) to complete other configurations or processes. In CMMC Level 1, there are three domains that have one or more practices related to identity: Access Control (AC), Identification and Authentication (IA), and System and Information integrity (SI) This link provides check points for user access security. Focused on securing Controlled Unclassified Information, this work highlights how Virtual Desktop Infrastructure (VDI) reduces endpoint risk and aligns with CMMC requirements across the defense industrial base. This NIST Special Publication covers identity proofing and authentication of users interacting with government IT systems over open networks. This list covers NIST FAQs for Special Publication (SP) 800-63, Digital Identity Guidelines and provides additional clarification to stakeholders. A sample user access management policy for Northwestern Polytechnic This sample policy from Michigan is an example of how an organization can provision and deprovision access to systems and applications.
Discussion [NIST SP 800-171 R2]
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of -origin. In defining other accountattributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
Further Discussion
Limit users to only the information systems, roles, or applications they are permitted to use and are needed for their roles and responsibilities. Limit access to applications and data based on the authorized users’ roles and responsibilities. Common types of functions a user can be assigned are create, read, update, and delete.