CMMC practice AC.L2-3.1.1, derived from NIST SP 800-171 Rev 2 §3.1.1, requires organizations to limit information system access to authorized users, processes acting on behalf of authorized users, and devices — including other systems — authorized to connect to the system. Authorization must be formally granted by an authorized official based on organizational need-to-know and least-privilege principles. The practice encompasses three categories of subjects: human users with verified identities, automated processes or service accounts acting on behalf of those users, and physical or virtual devices permitted to communicate with the system. Organizations must maintain a defined and current list of all authorized entities and enforce technical controls to prevent access by any entity not on that list. This requirement forms the baseline from which all other access control practices in CMMC Level 2 derive their meaning and enforceability.
Where it stops · what it isn't
- This practice does not define the specific types of transactions or functions authorized users may perform — that is addressed by AC.L2-3.1.2 (least privilege) and AC.L2-3.1.3 (separation of duties).
- This practice does not govern the strength or mechanism of identity verification — that is the responsibility of IA.L2-3.5.1 and IA.L2-3.5.2.
- This practice does not address physical access controls to facilities, which fall under the PE domain (NIST SP 800-171 §3.10).
- This practice does not specify logging or audit trail requirements for access events — those are addressed in AU.L2-3.3.1.
- This practice does not govern encryption of data in transit or network boundary controls, which are addressed in the SC domain (§3.13).
Connected concepts in the graph
REQUIRES: IA.L2-3.5.1, IA.L2-3.5.2, PS.L2-3.9.1