Regardless of the Cybersecurity Maturity Model Certification (CMMC) level you need to achieve, there are some practices you need to observe. One of these practices is AC.L1-3.1.1, Authorized Access Control. Keep reading to learn more.
What Is AC.L1-3.1.1?
Let’s start by making sense of the different components of the CMMC practice number:
- AC indicates that this practice belongs to the domain Access Control
- L1 means that this is a CMMC Level 1 practice. Note that CMMC is a progressive model: to comply with a given CMMC level you must also comply with all the practices from the levels below it.
- 3.1.1 is the practice identifier.
The short name for AC.L1-3.1.1 is Authorized Access Control. This practice requires defense contractors and subcontractors to “Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”
In the next sections we will see in more detail what this entails and how to show that you are complying with this practice.
Authorized Access Control and CMMC: What You Need To Know
Access control regulates access between users and devices, files, records, and domains.
In other words, AC.L1-3.1.1 focuses on account management for systems and applications.
In order to comply with this CMMC practice, your organization must ensure that only authorized users, processes, and devices are allowed to use company computers and the company network.
AC.L1-3.1.1 and CMMC Assessments
During a CMMC assessment, the assessor will use interviews, tests, and examinations to determine if:
- Authorized users are identified.
- Processes acting on behalf of authorized users are identified.
- Devices (and other systems) authorized to connect to the system are identified.
- System access is limited to authorized users.
- System access is limited to processes acting on behalf of authorized users.
- System access is limited to authorized devices (including other systems).
Below is a description of how assessors can use the tools at their disposal (tests, examinations, and interviews) to verify that you are complying with AC.L1-3.1.1:
- Tests. As part of the CMMC assessments, some tests can be carried out to evaluate the processes your organization uses for managing system accounts and implementing account management.
- Examinations. Assessors can request to examine your access control policy; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of active system accounts and the name of the individual associated with each account; and list of devices and systems authorized to connect to organizational systems, among other documents.
- Interviews. Assessors may ask to talk with personnel with account management responsibilities, system or network administrators, or personnel with information security responsibilities.
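The evidence listed above (the active-account list with the individual behind each account, and the list of authorized devices) is what an assessor compares against what is actually enabled on your systems. The script below is an added example, not code from the original post or from Brea Networks / CMMCCompliance.us; it reconciles a constructed export of active accounts and connected devices against an authorized roster and reports anything that AC.L1-3.1.1 would not permit. All records, field names and the split into user, service and device checks are assumptions for illustration.

```python
"""Reconcile active accounts and connected devices against an authorization roster.

Added example for AC.L1-3.1.1 (not the original post's or Brea Networks' code).
Every record below is constructed sample data; the field names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str        # "account", "process" or "device"
    identifier: str  # the account name or device identifier
    reason: str      # why it fails the authorized-access check


# Constructed: export of active system accounts, one dict per account
ACTIVE_ACCOUNTS = [
    {"account": "jdoe", "type": "user", "owner": "Jane Doe", "enabled": True},
    {"account": "svc-backup", "type": "service", "owner": "Jane Doe", "enabled": True},
    {"account": "temp-contractor", "type": "user", "owner": "", "enabled": True},
    {"account": "bsmith", "type": "user", "owner": "Bob Smith", "enabled": False},
    {"account": "svc-legacy", "type": "service", "owner": "", "enabled": True},
]

# Constructed: authorized users, account name -> individual responsible for it
AUTHORIZED_USERS = {"jdoe": "Jane Doe", "bsmith": "Bob Smith"}

# Constructed: service accounts (processes) -> the authorized user they act on behalf of
AUTHORIZED_PROCESSES = {"svc-backup": "Jane Doe"}

# Constructed: devices authorized to connect, keyed by MAC address
AUTHORIZED_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed: devices currently seen on the network (e.g. a DHCP lease export)
CONNECTED_DEVICES = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:09"]


def reconcile_accounts(active, authorized_users, authorized_processes):
    """Return findings for enabled accounts that are not tied to an authorized user."""
    findings = []
    for acct in active:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to access the system
        name = acct["account"]
        if acct["type"] == "user":
            if name not in authorized_users:
                findings.append(Finding("account", name, "enabled user account not on authorized roster"))
            elif authorized_users[name] != acct["owner"]:
                findings.append(Finding("account", name, "account owner does not match roster"))
        elif acct["type"] == "service":
            # A process may only act on behalf of an authorized user
            if name not in authorized_processes:
                findings.append(Finding("process", name, "service account not mapped to an authorized user"))
            elif authorized_processes[name] != acct["owner"]:
                findings.append(Finding("process", name, "service account owner does not match mapping"))
    return findings


def reconcile_devices(connected, authorized):
    """Return findings for connected devices that are not on the authorized list."""
    return [
        Finding("device", dev, "connected device not on authorized device list")
        for dev in connected
        if dev not in authorized
    ]


def all_findings():
    """Combined report over the constructed sample data."""
    return (
        reconcile_accounts(ACTIVE_ACCOUNTS, AUTHORIZED_USERS, AUTHORIZED_PROCESSES)
        + reconcile_devices(CONNECTED_DEVICES, AUTHORIZED_DEVICES)
    )


if __name__ == "__main__":
    for f in all_findings():
        print(f"{f.kind:8} {f.identifier:20} {f.reason}")
```

Run against the sample data, the report flags the enabled `temp-contractor` account (no authorized user behind it), the `svc-legacy` service account (no authorized user it acts on behalf of) and one unlisted device; the disabled `bsmith` account is skipped because it cannot be used for access. Feeding the same functions a real account export and device inventory gives you the artifact an assessor would otherwise build by hand during the examination.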
As you can see, AC.L1-3.1.1 is a basic CMMC practice, but that doesn’t mean that it is easy to implement.
If you need assistance fulfilling this or any other CMMC requirement, Brea Networks / CMMCCompliance.us can help.
We understand the needs of Small and Medium-Sized Businesses (SMBs) and help you achieve your compliance goals with personalized solutions, zero percent payment plans, and unlimited compliance support. Get in touch today to get started.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today by clicking here.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063