AC.4.025 Periodically review and update CUI program access permissions.

CMMC Practice AC.4.025: Periodically review and update CUI program access permissions.

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

Users must have organizational approval to read, write and process CUI associated with a program, and the organization must maintain an authoritative list of who has been granted access to CUI. Review and update ACLs and/or appropriate access methods periodically (as determined by the organization, but at least annually) to maintain accurate permission sets when employees’ roles change.