CMMC Practice AC.L1-3.1.1 – Authorized Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Links to Publicly Available Resources
This document provides self-assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 1. This link provides check points for user access security. This NIST Special Publication covers identity proofing and authentication of users interacting with government IT systems over open networks. This list covers NIST FAQs for Special Publication (SP) 800-63, Digital Identity Guidelines and provides additional clarification to stakeholders. A sample user access management policy for Northwestern Polytechnic This sample policy from Michigan is an example of how an organization can provision and deprovision access to systems and applications.
Discussion [NIST SP 800-171 R2]
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses [sic] non-privileged) are addressed in requirement 3.1.2 (AC.L1-3.1.2).
Further Discussion
Identify users, processes, and devices that are allowed to use company computers and can log on to the company network. Automated updates and other automatic processes should be associated with the user who initiated (authorized) the process. Limit the devices (e.g., printers) that can be accessed by company computers. Set up your system so that only authorized users, processes, and devices can access the company network.
This practice, AC.L1-3.1.1, controls system access based on user, process, or device identity. AC.L1-3.1.1 leverages IA.L1-3.5.1 which provides a vetted and trusted identity for access control.