CMMC Practice Number: AC.L1-3.1.2
CMMC Level: 1 CMMC Domain: Access Control (AC)
Practice Summary:
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.
Practice Clarification (DOD, CMU)
Limit users to only the information systems, roles, or applications they are permitted to use and are needed for their roles and responsibilities [a]. Limit access to applications and data based on the authorized users’ role and responsibilities [b]. Common types of functions a user can be assigned are create, read, update, and delete.
Example
You supervise the team that manages DoD contracts for your company. Members of your team need to access the contract information to perform their work properly. Because some of that data contains FCI, you work with IT to set up your group’s systems so that users can be assigned access based on their specific roles [a]. Each role limits whether an employee has read access or create/read/delete/update access [b]. Implementing this access control restricts access to FCI information unless specifically authorized.
Potential Assessment Considerations
• Are access control lists used to limit access to applications and data based on role and/or identity [a]?
• Is access for authorized users restricted to those parts of the system they are explicitly permitted to use (e.g., a person who word processes cannot access developer tools) [b]?
Where To Look
- Access control policy
- procedures addressing access enforcement
- system security plan
- system design documentation
- list of approved authorizations including remote access authorizations
- system audit logs and records
- system configuration settings and associated documentation
- other relevant documents or records
Who To Talk To
- Personnel with access enforcement responsibilities
- system or network administrators
- personnel with information security responsibilities
- system developers
Perform Test On
- Mechanisms implementing access control policy
Additional Information
Even authorized users are restricted to those parts of the system that they are explicitly permitted to use. This is based on their “need-to-know” and their role within the company.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of- week, and point-of -origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
CMMC References:
· FAR Clause 52.204-21 b.1.ii
· NIST SP 800-171 Rev 1 3.1.2
· CIS Controls v7.1 1.4, 1.6, 5.1, 8.5, 14.6, 15.10, 16.8, 16.9, 16.11
· NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
· CERT RMM v1.2 TM:SG4.SP1
· NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17