CMMC AC.1.001 – Limit Information System Access

CMMC AC.1.001 – Limit Information System Access

Requirement text: AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2 (AC.1.002).

Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network.

Example 1:  You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.

Example 2: A coworker from the marketing department tells you their boss wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.

Get Audit Ready

How to pass? Identify who is allowed to use your company computers and create them their own accounts to log on. Don’t share passwords and don’t write passwords where they can be viewed. When an employee leaves your company, disable their accounts. Log out or lock computers when they are not in use.

How can you fail this? Disabling passwords, using easily guessed passwords, or leaving computers logged in so that anyone can access your data.

• FAR Clause 52.204-21 b.1.i
• NIST SP 800-171 Rev 1 3.1.1
• CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11
• NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
• CERT RMM v1.2 TM:SG4.SP1
• NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17
• AU ACSC Essential Eight

    • Related Articles

    • Access Control: SP 800-171 Security Family 3.1

      Access is the ability to make use of any system resource. Access control is the process of granting or denying requests to:       • use information,       • use information processing services, and       • enter company facilities.  System-based ...
    • CMMC Level 1 Overview - Basic Cyber Hygiene

      CMMC Level 1 l focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the ...
    • System and Information Integrity: SP 800-171 Security Family 3.14

      Integrity is defined as guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. It is the assertion that data can only be accessed or modified by the authorized employees. ...
    • CMMC AC.1.002 – Assign Information System User Rights

      Requirement text: AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2  Organizations may choose to define access ...
    • CMMC AC.2.006 - Limit Storage Devices

      Requirement text: AC.2.006: Limit use of portable storage devices on external systems. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2  Limits on the use of organization-controlled portable storage devices in external systems include complete ...