AC.L2-3.1.2 requires organizations to explicitly define the types of transactions and functions that each category of authorized user is permitted to execute within information systems that process, store, or transmit Controlled Unclassified Information (CUI). Once defined, the system must technically enforce these limits so that authenticated users cannot perform actions beyond their defined scope—even if they have valid credentials. This practice is grounded in NIST SP 800-171 Rev 2 security requirement 3.1.2 and directly operationalizes the least privilege principle as applied to system functions rather than merely data access. It extends the identity-based access granted under 3.1.1 by adding a functional dimension: not just who can enter the system, but what they can do once inside. Enforcement mechanisms include role-based access control (RBAC), application-level permissions, OS privilege restrictions, and network segmentation enforced at boundary devices.
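The distinction the practice draws, authentication deciding who may enter versus authorization deciding which transactions and functions they may execute once inside, is easiest to see in code. The following is an added example, not code from the page or from any CMMC or NIST publication: a deny-by-default, role-based allow-list of named functions (the role names, function names and users are constructed for illustration) with an application-level enforcement point, so that a user with a valid login still cannot invoke a function outside their role's defined scope.

```python
"""Function-level (transaction) authorization enforced separately from
authentication, illustrating the idea behind AC.L2-3.1.2.

Added example, not from the page. Role names, function names and users
are constructed for illustration.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, FrozenSet

# Constructed: each role is an explicit allow-list of the transactions and
# functions that category of user may execute. Anything not listed is denied.
ROLE_PERMISSIONS: dict[str, FrozenSet[str]] = {
    "cui_reader":    frozenset({"view_record"}),
    "cui_analyst":   frozenset({"view_record", "annotate_record"}),
    "cui_custodian": frozenset({"view_record", "annotate_record",
                                "export_record", "delete_record"}),
    "sysadmin":      frozenset({"manage_accounts", "view_audit_log"}),
}


@dataclass(frozen=True)
class Principal:
    """An authenticated (or not) identity and the functional roles mapped to it.
    A service account with no mapped role gets no functions at all."""
    username: str
    authenticated: bool
    roles: FrozenSet[str] = field(default_factory=frozenset)


class NotAuthorized(PermissionError):
    pass


def is_permitted(principal: Principal, function: str) -> bool:
    """Deny by default: the principal must be authenticated AND hold at least
    one role whose allow-list contains the requested function."""
    if not principal.authenticated:
        return False
    return any(function in ROLE_PERMISSIONS.get(role, frozenset())
               for role in principal.roles)


def requires_function(function: str) -> Callable:
    """Application-level enforcement point: the decorated handler runs only
    if the principal is permitted to execute this named function."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(principal: Principal, *args, **kwargs):
            if not is_permitted(principal, function):
                raise NotAuthorized(
                    f"{principal.username} may not execute {function}")
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator


@requires_function("view_record")
def view_record(principal: Principal, record_id: int) -> str:
    return f"record {record_id} shown to {principal.username}"


@requires_function("export_record")
def export_record(principal: Principal, record_id: int) -> str:
    return f"record {record_id} exported by {principal.username}"


def attempt(handler: Callable, principal: Principal, *args) -> str:
    """Run a handler and report the access decision as 'allowed' or 'denied',
    which is the same information an audit record of the event would carry."""
    try:
        handler(principal, *args)
        return "allowed"
    except NotAuthorized:
        return "denied"


if __name__ == "__main__":
    alice = Principal("alice", authenticated=True, roles=frozenset({"cui_reader"}))
    bob = Principal("bob", authenticated=True, roles=frozenset({"cui_custodian"}))
    print(attempt(view_record, alice, 42))    # allowed
    print(attempt(export_record, alice, 42))  # denied: valid login, wrong role
    print(attempt(export_record, bob, 42))    # allowed
```

The enforcement lives in `requires_function`, not in the handlers, so a new transaction cannot be exposed without first being named in a role's allow-list; this is the "technically enforce" half of the practice, and the `ROLE_PERMISSIONS` table is the "explicitly define" half.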
Where it stops · what it isn't
- Does not cover physical access restrictions to facilities or hardware; that is addressed under Physical Protection (PE) controls
- Does not govern which data objects or CUI records a user may read or modify; that granularity falls under AC.L2-3.1.3 (control CUI flow) and AC.L2-3.1.5 (least privilege for specific access)
- Does not address authentication strength or multi-factor authentication requirements; those are covered under Identification and Authentication (IA) domain practices
- Does not define audit and logging requirements for the access events it governs; that accountability layer is addressed under Audit and Accountability (AU) domain practices
- Does not cover access by non-human entities such as automated processes or service accounts unless those accounts are mapped to defined functional roles