Navigating CMMC Level 2 compliance in Access Control (AC) is essential for Department of Defense (DoD) contractors and small businesses managing Controlled Unclassified Information (CUI).
This comprehensive guide breaks down each specific access control requirement, fully aligned with NIST 800-171 standards, offering a checklist and step-by-step recommendations for staying compliant. Our focus is to provide clear and practical guidance on establishing authorized access control, ensuring you have the correct procedures and evidence ready for audits. We'll also cover the Level 1 controls that are necessary for Level 2 compliance.
For personalized support and expert advice, Reach out and schedule a consultation. We're here to support your path to CMMC Level 2.0 compliance.
“Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”
Level Of Effort: High
Keeping your Controlled Unclassified Information (CUI) safe is a big deal. It's about making sure that only the right people and processes can get to it. This means setting up good security like passwords and special permissions. This should be for both your internal systems and any external systems you use. For compliance, it's not about having the same rules for everyone; it's about giving the right access based on each person's job and what they need to do their work.
Recommendations:
Manage user accounts carefully: Use tools like Active Directory for overseeing user accounts. Make sure everyone has a strong, unique password.
Keep CUI separate: Store Controlled Unclassified Information in its own secure place. Make sure it's away from other kinds of documents.
Make account management automatic: Talk to your I.T. team about linking your employee database. Systems like Microsoft 365 handle adding and removing accounts automatically.
Control who sees what: Be sure that only certain people can get into files or systems with CUI. It's important to be very clear about who has this access.
Lock up paper CUI: If you have important paper files, keep them in a safe place like a locked filing cabinet.
Stop unauthorized network access: Use technology like Network Access Control (NAC) and 802.1x authentication. Also physically disconnect unused network jacks. This stops unapproved computers from connecting to your network.
Secure your cloud files: If you store CUI in the cloud, make sure only the right people can get to it. Use things like Multi-factor Authentication (MFA) to add extra security.
Evidence:
Screenshots of account settings: Take screenshots of how you set up Users and Groups in Active Directory. Include proof of rules about users and passwords.
Proof of CUI storage: Be ready to show where and how you keep CUI separate. Like in specific folders, dedicated Sharepoint drives, or CUI tags.
Logs of automated account tasks: Keep logs or screenshots of the automatic tasks your system does to manage accounts.
Reports on file access: Have reports ready that show who can and can't get into CUI files. Keep records of annual reviews.
Pictures of locked storage: Show where you keep your paper files safe, like a picture of your locked filing cabinets. Share how you control access to them.
Documentation of network controls: Talk with your I.T. team about how you stop unapproved computers from connecting. Make sure to have proof of this.
Cloud access reports: Be prepared with reports about who can access your cloud files and proof that Multi-factor Authentication is set up right.
Pro Tips:
To get a better understanding of how permissions are set up in Active Directory, tools like Purple Knight, Bloodhound, and PingCastle are helpful.
If you're moving to Microsoft 365 GCC or GCC High, think about using Entra ID (formerly Azure Active Directory) in either standalone or hybrid mode to make compliance easier.
AC.L1-3.1.2 – TRANSACTION & FUNCTION CONTROL
“Limit information system access to the types of transactions and functions that authorized users are permitted to execute.”
Level Of Effort: Medium
When it comes to keeping your company's information safe, it's important to make sure that everyone has the right access to what they need to do their job. No more, no less.
Here’s how you can do this, and prove you’re doing it:
Recommendations:
Customize access for each role: Everyone at your company should only be able to get into the parts of your system that they need for their work. E.g. a salesperson to have access to your CRM but not your financial system.
Organize access with 'Groups': Use groups to manage who can get into different areas of your systems. It's like creating teams where each team gets certain permissions.
Set access by need and time: Sometimes, someone might only need to get into a part of your system for a short time or during specific hours.
Be careful with cloud storage: For files stored online, like in cloud services (e.g. Microsoft's SharePoint) you need to handle who gets in just as carefully as you do with your computers and servers.
Evidence:
Role-specific account settings: You'll want to show that each person's access matches their job by documenting the settings in your systems like the CRM or ERP. You need to clearly show who can access CUI and who cannot.
Group configurations: Have clear records of which groups exist in your systems and what group can access CUI. Sync groups across systems.
Access limits documentation: If you've set up access to be limited by time or need, keep screenshots or other records that show these restrictions.
Cloud access logs: Check who's getting into your online files and when. This means checking the access logs in your cloud storage solutions.
AC.L1-3.1.20 – EXTERNAL CONNECTIONS
“Verify and control/limit connections to and use of external information systems.”
Level Of Effort: Medium
When your organization uses systems and services outside of its network (e.g. personal devices or cloud services), you need to keep track of these connections. They need to be checked, verified, and controlled to stop any unwanted access.
Recommendations:
List all your external connections: Write down every way your system connects to outside services or devices.
Make clear rules for using outside systems: Decide which services are okay to use and write these rules down.
Use security software to watch these connections: Set up programs like firewalls to check who's connecting to your system.
Stop connections that aren't allowed: Make sure your system blocks any services or sites that aren't approved.
Evidence:
A list of connections: Keep an updated list or spreadsheet that shows all the connections to outside systems.
Your rules in writing: These rules should be in your Information Security policy and taught to all your employees.
Pictures of your security software: Take screenshots of the software you use to check these connections, showing things like who tried to connect and when.
Proof of blocking unwanted connections: Have screenshots or records that show how you stop unapproved services or sites from connecting.
AC.L1-3.1.22 – CONTROL PUBLIC INFORMATION
“Control information posted or processed on publicly accessible information systems.”
Level Of Effort: Medium
Manage public information by making sure only approved people can post on systems open to the public. Set up methods to check that no CUI is shared, and create a way to take down and deal with any CUI that gets posted.
Recommendations:
Choose who can post information: Make a list of people allowed to share information on systems that many people can access.
Have a plan for keeping CUI safe: Create clear steps for checking that CUI isn’t getting shared on public systems.
Check everything before it goes public: Before any information is shared, have more than one person look it over.
Regularly check what's been shared: Review information that’s been shared to make sure no CUI got posted
Evidence:
A list of people who can post: Keep a list that shows who has permission to share information on public systems.
How you keep CUI private: Write down the steps you take to check that CUI isn’t shared on these systems.
A checklist for reviewing posts: Keep a list of steps for checking information before it’s shared, along with notes from the people who check it.
Records from your checks: Save reports or notes from when you review shared information to make sure no CUI is included.
If you don't post FCI or CUI on public systems, this might not concern you. But, it's still smart to check. Do this yourself or use a computer program to make sure no FCI/CUI ends up on your site by mistake.
“Control the flow of CUI in accordance with approved authorizations.”
Level Of Effort: High
This CMMC control is about keeping track of how CUI moves around in your organization and to other places. This means making sure it only goes where it's supposed to. Here's a simple guide to do this, along with the kind of proof you should have to show you're on top of it.
Recommendations:
Make a list of all the CUI: Write down every type of CUI you have and where it’s stored. Examples of CUI are work instructions, invoices, photographs, and procedures.
Draw a map of how CUI moves: Make a flowchart that shows the path of CUI. From when it comes in, where it goes in your company, and where it goes when it leaves. Be sure to include any partners or vendors that receive CUI from you.
Talk to your I.T. team about keeping CUI safe: Discuss with your I.T. people the best ways to protect CUI, like where to store it and who can see it.
Use special tools to protect CUI: Set up firewalls and software to ensure the right people can access CUI and stop it from being sent to the wrong place. We recommend programs like Microsoft Purview DLP and Forcepoint DLP.
Evidence:
A detailed list of CUI: Keep a list that shows where each type of CUI is stored. Be as specific as possible.
A chart of CUI movement: Have a flowchart or a spreadsheet that clearly shows where CUI goes in and out of your organization. Include vendors, partners, and make sure it’s easy to understand.
Pictures of your security settings: Take screenshots of how you've set up things like permissions and firewall rules to keep CUI safe.
Prove that your security is working: Regularly make sure that CUI isn't being stored or sent where it shouldn't be, and keep records of these checks.
“Separate the duties of individuals to reduce the risk of malevolent activity without collusion.”
Level Of Effort: High
This control is about spreading out responsibilities, especially for big tasks. This means not letting one person handle everything in a process. Doing this helps stop any misuse of power and keeps your business safer. Here's a clear guide on how to do this and the types of records you should have to show you're managing things well.
Recommendations:
Divide up important security tasks: Make sure that different people are in charge of different parts of key tasks. For example, don't let the same person both make and check system changes.
Work with I.T. to control access: Talk to your I.T. team about limiting what each user can do, like in email or file storage. Put in place Role-Based Access Control (RBAC) to define what each person can access and do.
Keep track of who does what: Set up a way to record who makes changes in your system.
Evidence:
A list or chart of who does each task: Keep a document showing which security tasks are done by different people or departments.
Records from your helpdesk system: Save tickets that show how you keep different duties separate, especially for security tasks.
Screenshots of user permissions: Take pictures of how permissions are set in your systems to show that duties are separated.
Reports of who changed what: Keep reports and logs that show who made changes in your systems.
AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE
“Use non-privileged accounts or roles when accessing nonsecurity functions.”
Level Of Effort: High
Using non-privileged accounts for general tasks is a smart way to cut risks. These accounts have fewer permissions, so if they get hacked, the damage can be limited. Here are some easy-to-follow steps on how to set this up, and the types of proof you should have to show you're managing it correctly.
Recommendations:
Switch to standard accounts for everyday work: Work with your I.T. team to migrate all users to Standard accounts. You might be able to use built-in role-based access controls (RBAC) to do this.
Keep admin accounts for I.T. tasks separate: People who take care of your cloud systems, like Microsoft 365, should have different accounts for everyday use and admin tasks.
Use admin accounts only for specific tasks: If someone needs to do security work or something that needs special access, they should switch to their admin account just for that job. Consider using a Privileged Access Management (PAM) such as CyberArk or BeyondTrust. This can help control when and how people get admin access.
Evidence:
Checks to confirm standard account use: Use vulnerability scanners to check that people are using Standard accounts. Your I.T. team might also be able to give you a report on this.
Screenshots of different accounts: Keep screenshots showing how your cloud systems, like Microsoft 365, have both admin and standard accounts.
Logs from computers and programs: Save records showing who uses an admin account, and set up alerts for when these accounts are used.
AC.L2-3.1.7 – PRIVILEGED FUNCTIONS
“Prevent non-privileged users from executing privileged functions and audit the execution of such functions.”
Managing how your system handles failed login attempts is key to keeping it safe. If someone can't get into an account too many times in a row, the system should lock them out for a while. This stops people who shouldn't be in your system from trying over and over again to guess a password.
Recommendations:
Set up account lockout settings: Use tools like Group Policy Objects (GPO) or Intune to create rules that lock an account if someone signs in too many times. Mac/Linux users should work with their I.T. to install this in a Mac/Linux environment.
Suggestions for settings: A good setup is to lock an account for 15 minutes after 10 wrong sign-ins.
Evidence:
Proof of your settings: Take a screenshot of your GPO settings or show results from a vulnerability scan to prove you have these controls in place.
AC.L2-3.1.9 – PRIVACY & SECURITY NOTICES
“Provide privacy and security notices consistent with applicable CUI rules.”
Level Of Effort: Low
You need to have clear privacy and security notices on all your systems that handle or can access CUI. These notices must follow the rules set for handling CUI and should be easy for users to see.
Recommendations:
Create a detailed privacy and security notice: Write a privacy and security notice that meets CUI rules, and think about getting a lawyer to check it. The notice needs to tell users that:
Their use of the system might be watched or recorded, and can be checked later;
It's not allowed to use the system without permission, and doing so can lead to legal trouble;
Using the system means they agree to be monitored and recorded;
The system has CUI that the Department of Defense has special rules for;
Using the system might have extra rules for certain CUI types, like Export Controlled information.
Display this notice on all relevant systems: Add a notification banner on all computers and accounts that deal with CUI. Use tools like Group Policy Objects or Intune for Windows machines, and work with I.T. for Mac/Linux systems.
Regularly test and recheck the notice: Make sure the notice is displayed correctly, and then check it again every 6 to 12 months.
Evidence:
Screenshots of the notice: Keep a screenshot of your privacy and security notice as it appears in your system.
Screenshots of the login banners: Take a screenshot of the banner that shows up when someone logs into a Windows machine or a Microsoft 365 account that accesses CUI.
AC.L2-3.1.10 – SESSION LOCK
“Use session lock with pattern-hiding displays to prevent access/viewing of data after a period of inactivity.”
Level Of Effort: Low
When safeguarding your computer systems, it's important to use session lock mechanisms with pattern-hiding features. This means setting up your computers to lock themselves after not being used for a bit. It's a great way to stop someone from peeking at or using the system if it's left unattended.
Recommendations:
Automate locking of sessions: Change your system settings so that computers lock after being idle for a while. 5 to 10 minutes is good. This can be done using Group Policy Objects or Intune for Windows. There are similar tools for Mac and Linux.
Use screensavers that don’t show sensitive info: Pick screensavers that won't display or suggest there's CUI or sensitive information on the system.
Evidence:
Screenshots of your lock settings: Screenshot your settings that show the session lock is enabled and its duration before activating.
Results from a security check: Use a vulnerability scanner to make sure these session lock settings are correctly configured and working.
AC.L2-3.1.11 – SESSION TERMINATION
“Terminate (automatically) a user session after a defined condition.”
Level Of Effort: Low
AC.L2-3.1.11 is about closing a user's session if certain things happen, like if they're not active for a while or break rules. This keeps your system safe, especially when a computer is left alone without someone using it.
Recommendations:
Set up computers to end sessions by themselves: Change your settings so that if a computer isn't used for a while, like an hour, it ends the session. Use Group Policy Objects or Intune for this on Windows. If you have a Mac or Linux, ask your IT team to help.
Check that it's working: Make sure to test and see that the computer is ending sessions as it should.
Evidence:
Screenshots of your settings: Screenshot the settings you've used for this automatic session end.
Use a tool to check it's set up right: Run a vulnerability scanner to make sure everything's set up properly.
Tracking who accesses your business's network remotely is essential for CMMC Level 2. You need to know how they're doing it and what they're doing. Especially for those handling Controlled Unclassified Information (CUI). This includes managing access to your main network and cloud-based services like Microsoft 365 or Google Workspace.
Remember, this applies to employees working with CUI. If you can show proof that no remote employees have access to CUI, then this isn't something you need to worry about.
Here are the steps to control remote access and the kinds of proof you should have.
Recommendations:
Pick a safe way for remote sessions: Choose a secure method that follows Federal Information Processing Standards (FIPS) 140-2. These are standards created by the National Institute of Standards and Technology (NIST).
Make sure people use multi-factor authentication. This is like asking for a second ID before letting someone in.
Talk to your I.T. team about who should have remote access, based on their job. Use tools like a Virtual Private Network (VPN) or Secure Access Service Edge (SASE) services. Good choices for SASE are Perimeter 81 and Zscaler.
Make sure you're tracking who logs in and what they do. You can use systems like Security information and event management (SIEM) or a security operations center (SOC) for this. Follow the steps in AU.L2-3.3.1 – SYSTEM AUDITING for more details.
Use tools like BeyondTrust to control how vendors access your network from far away.
Evidence:
Screenshots of your remote access setup: Take screenshots of your settings for remote access, like VPN or SASE configurations.
Logs from remote sessions: Save records or screenshots from systems that watch remote access. This shows you're keeping track of who's logging in and what they're doing.
AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY
“Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.”
IMPORTANT NOTE: it's not good to use several tools for remote access in the CMMC area. You should choose just one tool to set it up and manage it correctly.
AC.L2-3.1.15 – PRIVILEGED REMOTE ACCESS
“Authorize remote execution of privileged commands and remote access to security-relevant information.”
Level Of Effort: Medium
Managing who can use important commands or see sensitive info remotely is key for CMMC. It's like putting a stronger lock on your important digital stuff. Here’s how to handle privileged remote access. You'll also find what records to keep to show you're doing it right.
Recommendations:
List authorized remote admins: Write down who can do admin jobs from outside. Include people like outside I.T. help or vendors. Be specific about what admin privileges they have. For example, one user might have access to Microsoft 365, while another might have remote access to cameras.
Check multi-factor authentication (MFA): Make sure MFA is on for accounts with special remote access.
Watch all command tries: Keep logs on computers and cloud programs every time someone tries a privileged command remotely.
Use a Privileged identity management (PIM) tool: Set up something like Microsoft Entra or CyberArk. These tools manage who can use important commands remotely.
Evidence:
Remote admin list: Have a list showing each person's role and what they can access.
MFA setting photos: Take screenshots of where MFA is set up.
Log of command attempts: Save records of when and how these special commands are tried.
PIM setup records: Keep info on how you set up your PIM tools, like screenshots and audit logs.
AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION
“Authorize wireless access prior to allowing such connections.”
Level Of Effort: Medium
This involves checking and approving wireless access points and connections. They must get a green light before joining your business network. This step cuts down the risk of others getting into your system without permission.
Recommendations:
Create a wireless access policy: Decide which devices can connect. Only allow company devices on the main network and personal devices on a guest network. Outline how the approval of personal devices and how passwords are shared.
Use strong encryption: Secure all access points with WPA2 or WPA3 encryption. Verify they meet FIPS 140-2 standards, which you can check on NIST's validated modules page.
Authenticate devices: Before allowing network access, use Network Access Control (NAC) products or certificates with a RADIUS server. Look up the best NAC solutions on Gartner Peer Insights.
Segregate your network: Consider separating your network from your primary one. Or create a completely different network for Internet of Things (IoT) devices, like smart thermostats.
Evidence:
Wireless policy document: Keep a detailed policy or a section in your System Security Plan (SSP) about access rules.
Access point settings screenshots: Capture settings showing WPA2/WPA3 is active.
Device authentication records: Save logs or screenshots of the authentication process.
Network segmentation proof: Have a diagram or firewall/router rules showing how networks are divided, especially for IoT devices.
If your business uses mobile devices for handling CUI, it's important to keep them safe. All mobile devices should be listed, set up correctly, monitored, and encrypted. It's also important to wipe its data if they get lost or stolen. Here's a simple way to do this and the kind of proof you should have.
Recommendations:
Set up mobile device management (MDM): Talk to your I.T. team about using MDM. A common choice is InTune from Microsoft 365. It might take some time for your I.T. team to set it up (10-40 hours).
Follow good setup rules: Use guidelines like the ones from the Cybersecurity and Infrastructure Security Agency (CISA) for how to set up your mobile devices. You can find these in CISA's mobile device cybersecurity checklist.
Know who and what devices handle CUI: Keep track of who can use CUI on mobile devices and which devices they are.
Evidence:
Pictures of your MDM setup: Take screenshots of how your MDM is set up, showing things like what devices are on it, how they're set up (including encryption), how you watch them, and how you can wipe them remotely if needed.
Show your devices are set up right: Keep screenshots that show your mobile devices are set up following CISA's rules.
List of who's using what devices: Have a list or spreadsheet of the people and the mobile devices they use for work. If you're using MDM, you can usually print this out from the system.
Pro Tip: Treat Windows tablets like regular computers, not like mobile devices. Look at CM.L2-3.4.1 – SYSTEM BASELINING for info on how to handle these.
BYOD (bring your own device) can make Mobile Device Management implementation difficult. We strongly recommend considering issuing devices to employees instead of allowing BYOD. Read more. BYOD considerations at CMMC Level 2
AC.L2-3.1.19 – ENCRYPT CUI ON MOBILE
“Encrypt CUI on mobile devices and mobile computing platforms.”
Level Of Effort: Low
For businesses handling CUI on mobile devices, it's crucial to use the right encryption methods. This keeps the information safe, especially if a device gets lost or stolen. Here’s how to encrypt CUI on mobile devices and what proof you need to show.
Recommendations:
Encrypt smartphones and tablets: Use Mobile Device Management (MDM) to put encryption on all mobile devices that access CUI. This is a follow-up from AC.L2-3.1.18 – MOBILE DEVICE CONNECTION.
Encrypt laptops: For Windows laptops, use Bitlocker. For Macs, use FileVault. Make sure every laptop that handles CUI is encrypted.
Evidence:
Screenshots of encryption settings in MDM: Keep images showing the encryption setup in your MDM system.
Proof of laptop encryption: Have documentation proof that shows all your laptops dealing with CUI are encrypted.
AC.L2-3.1.21 – PORTABLE STORAGE USE
“Limit use of organizational portable storage devices on external information systems.”
Level Of Effort: Low
When using portable storage devices like USB drives, CDs/DVDs, and external hard disks, be careful. This is especially true with Controlled Unclassified Information (CUI). The goal is to keep sensitive information safe, even when it's used or moved outside of your company’s network.
Here’s how to limit these devices and what kind of proof you should provide.
Recommendations:
Create a strict no-use policy for removable media with CUI on outside systems: Make a rule that employees can't use things like USB drives or CDs containing CUI on computers outside of the company.
Use encrypted portable storage: Work with your I.T. team to get encrypted USB drives for the company. Make sure these can't be used on computers outside of your company.
Evidence:
Your no-use policy document: Keep a copy of the policy that tells employees not to use portable storage with CUI on outside systems. Also, keep records of training provided to employees on this policy.
Screenshots of encryption settings: Save images of the settings that show your portable storage devices are encrypted.
