Access Control Policy
Access Control Domain (AC)
📖 What This Policy Covers
Access Control is the foundation of your security program -- it answers the question 'who can access what, and under what conditions?' This policy covers user authorization, least privilege, account lifecycle management, privileged accounts, remote access, wireless access, mobile devices, network segmentation, and data access controls. Think of it as the comprehensive rulebook for every door, gate, and lock in your digital environment.
Purpose
This policy ensures that only authorized individuals can access systems and data, access is granted based on job function and need-to-know, CUI is protected from unauthorized disclosure or modification, and the organization meets CMMC Level 2 certification requirements.
Scope
Applies to all information systems, networks, applications, and databases that process, store, or transmit CUI or sensitive data. Covers all employees, contractors, vendors, partners, and third parties with system access across cloud (AWS, Azure, GCP), on-premise, hybrid, and remote access environments.
🎯 Why It Matters
Unrestricted access is a top cause of data breaches -- 80% of breaches involved compromised credentials (Verizon DBIR 2022). A single unauthorized user or device can expose CUI, costing $180 per record in remediation (IBM). The DoD requires this because defense contractors are prime targets for foreign actors exploiting weak access controls. With 22 practices, Access Control is the largest CMMC domain, reflecting how fundamental it is to protecting sensitive information.
🔐 Key Requirements
1. User Access Control
All access must be authorized before provisioning. Users receive the minimum access required for their job function (least privilege). Public-facing systems prohibit CUI storage/processing.
- ✓ Access requests submitted via ticketing system, approved by manager + data owner + IT Security (for privileged access)
- ✓ No shared accounts -- every user has unique credentials
- ✓ No generic accounts (e.g., 'admin', 'support') except documented service accounts
- ✓ Temporary elevated access expires automatically after 48 hours or 7 days
- ✓ Quarterly access reviews to remove unnecessary permissions
- ✓ External users require MFA + VPN with device compliance check + time-limited access (max 90 days)
2. Account Management
Full lifecycle management of accounts from provisioning through deprovisioning, with special controls for privileged and service accounts.
- ✓ New accounts created within 48 hours of approved request with default read-only access
- ✓ MFA enrollment mandatory before first login
- ✓ Role changes trigger access review within 5 business days
- ✓ Terminations: account disabled within 1 hour of HR notification
- ✓ Inactive accounts (90+ days) disabled automatically; deleted after 180 days
- ✓ Privileged users get separate admin accounts (e.g., 'jsmith' and 'jsmith-admin')
- ✓ Admin accounts cannot be used for email/web browsing
- ✓ Service accounts documented with purpose, owner, permissions; credentials stored in vault
- ✓ Just-In-Time (JIT) provisioning preferred over standing admin access
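The following is an added example, not part of this template or of any vendor's tooling, showing how the inactivity and termination rules above could be checked automatically against a directory export. The account records, their field names, and the reading of "deleted after 180 days" as 180 days since last activity are assumptions; the termination check also flags accounts still enabled more than one hour after HR's notification, which is the gap assessors most often find.

```python
from datetime import datetime, timedelta

# Section 2 thresholds.
INACTIVE_DISABLE_DAYS = 90
INACTIVE_DELETE_DAYS = 180     # assumption: counted from last activity, not from the disable date
TERMINATION_SLA = timedelta(hours=1)

# Constructed sample directory export (not real accounts). Timestamps are ISO-8601 strings.
SAMPLE_ACCOUNTS = [
    {"user": "jsmith",  "enabled": True,  "created": "2025-01-10T08:00:00",
     "last_login": "2026-02-20T09:15:00", "terminated_at": None},
    {"user": "alee",    "enabled": True,  "created": "2025-06-01T08:00:00",
     "last_login": "2025-11-01T10:00:00", "terminated_at": None},
    {"user": "bkumar",  "enabled": False, "created": "2025-01-01T08:00:00",
     "last_login": "2025-08-15T10:00:00", "terminated_at": None},
    {"user": "tnguyen", "enabled": True,  "created": "2025-12-20T08:00:00",
     "last_login": None, "terminated_at": None},
    {"user": "cdoe",    "enabled": True,  "created": "2024-03-01T08:00:00",
     "last_login": "2026-03-01T17:00:00", "terminated_at": "2026-03-02T08:00:00"},
]


def _parse(value):
    """ISO-8601 string to datetime, or None for a missing value."""
    return datetime.fromisoformat(value) if value else None


def evaluate(accounts, now_iso):
    """Return {user: (action, reason)} where action is none, disable or delete."""
    now = datetime.fromisoformat(now_iso)
    result = {}
    for acct in accounts:
        terminated = _parse(acct["terminated_at"])
        if terminated is not None:
            if acct["enabled"]:
                overdue = now - terminated > TERMINATION_SLA
                reason = ("terminated; 1-hour disable SLA breached" if overdue
                          else "terminated; disable within 1 hour")
                result[acct["user"]] = ("disable", reason)
            else:
                result[acct["user"]] = ("none", "terminated and already disabled")
            continue
        # Never-logged-in accounts are measured from creation so they cannot idle forever.
        last_activity = _parse(acct["last_login"]) or _parse(acct["created"])
        idle_days = (now - last_activity).days
        if idle_days >= INACTIVE_DELETE_DAYS:
            result[acct["user"]] = ("delete", f"inactive {idle_days} days")
        elif idle_days >= INACTIVE_DISABLE_DAYS and acct["enabled"]:
            result[acct["user"]] = ("disable", f"inactive {idle_days} days")
        else:
            result[acct["user"]] = ("none", f"inactive {idle_days} days")
    return result


if __name__ == "__main__":
    for user, (action, reason) in evaluate(SAMPLE_ACCOUNTS, "2026-03-02T10:00:00").items():
        print(f"{user:10} {action:8} {reason}")
```

Run against a real export, the output of `evaluate` is the list of changes to apply (or to ticket); keeping the thresholds as named constants makes it easy to align the script with whatever timeframes you set in your customized policy.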
3. Authentication & Session Controls
Password requirements, multi-factor authentication, and session management to prevent unauthorized access.
- ✓ Minimum password length: 14 characters with upper, lower, number, special character
- ✓ Password expiration: 90 days (120 days for cloud with MFA)
- ✓ Password history: last 12 cannot be reused
- ✓ Account lockout: 5 failed attempts triggers 30-minute lockout
- ✓ MFA required for all cloud console access, VPN, privileged accounts, and CUI access from external networks
- ✓ Idle timeout: 15 minutes of inactivity
- ✓ Maximum session: 10 hours before re-authentication
- ✓ Concurrent sessions limited to 3 per user
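As an added illustration (not code from this template or from any identity product), the password and lockout rules above implemented as a small account model: complexity and 12-password history are enforced on change, and five consecutive failures lock the account for 30 minutes, during which even the correct password is refused. The PBKDF2 hashing and the seconds-based clock are assumptions standing in for whatever your directory actually uses.

```python
import hashlib
import hmac
import os
import string

# Section 3 thresholds.
MIN_LENGTH = 14
HISTORY_DEPTH = 12          # last 12 passwords cannot be reused
MAX_FAILED = 5              # 5 failed attempts ...
LOCKOUT_SECONDS = 30 * 60   # ... triggers a 30-minute lockout
PBKDF2_ROUNDS = 100_000     # assumption: PBKDF2-HMAC-SHA256 stands in for the directory's own hash


def meets_complexity(pw):
    """Length >= 14 with at least one upper, lower, digit and special character."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def hash_password(pw, salt=None):
    """Return (salt, digest); a fresh random salt is used unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def matches(pw, entry):
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


class Account:
    def __init__(self, username, initial_password):
        self.username = username
        self.history = []         # (salt, digest) pairs, oldest first; last entry is current
        self.failed = 0           # consecutive failed attempts
        self.locked_until = None  # absolute time in seconds, or None when not locked
        self._store(initial_password)

    def _store(self, pw):
        self.history.append(hash_password(pw))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last 12

    def change_password(self, new_pw):
        if not meets_complexity(new_pw):
            return "rejected: complexity"
        if any(matches(new_pw, entry) for entry in self.history):
            return "rejected: reuse"
        self._store(new_pw)
        return "ok"

    def login(self, pw, now):
        """now is a timestamp in seconds (e.g. time.time()); returns ok, failed or locked."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"        # correct or not, nothing is checked while locked
            self.locked_until = None   # lockout expired: start a fresh count
            self.failed = 0
        if matches(pw, self.history[-1]):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```

Refusing to evaluate the password at all while locked is deliberate: it keeps the lockout from leaking whether a guess was right, and it means the 30-minute clock is not extended by further attempts, which is the behaviour most directory services implement.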
4. Access Monitoring & Enforcement
Continuous monitoring of access attempts, regular access reviews, and separation of duties enforcement.
- ✓ All access attempts logged: successful logins, failed attempts, privilege escalations, privileged commands
- ✓ Logs retained 1 year (CUI systems: 3 years)
- ✓ Real-time alerts for: multiple failed logins (>3 in 5 min), unusual location, after-hours privileged access
- ✓ Quarterly access reviews by managers (user lists), IT (group memberships), CISO (privileged accounts)
- ✓ Annual recertification of all access
- ✓ Separation of duties: developer != production deployer, IT admin != financial system access, approver != implementer
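To make the alerting rules concrete, here is an added example (not part of this template and not the output of any SIEM product) that runs two of the Section 4 alerts over constructed authentication log lines: more than 3 failed logins for one user inside a sliding 5-minute window, and privileged activity outside business hours. The log format, the event names and the 07:00 to 19:00 business-hours window are assumptions; the sample lines are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from Section 4 of the policy.
FAILED_THRESHOLD = 3                  # alert on MORE than 3 failures ...
FAILED_WINDOW = timedelta(minutes=5)  # ... within 5 minutes
BUSINESS_HOURS = (7, 19)              # assumption: 07:00-18:59 in the log's time zone
PRIVILEGED_EVENTS = {"PRIV_CMD", "PRIV_ESCALATION"}  # assumed event names

# Constructed sample log (not from any real system). Assumed format:
# <ISO-8601 timestamp> <user> <event> <source IP>
SAMPLE_LOG = """\
2026-03-02T09:00:05Z jsmith LOGIN_FAILED 10.1.4.22
2026-03-02T09:01:10Z jsmith LOGIN_FAILED 10.1.4.22
2026-03-02T09:02:30Z jsmith LOGIN_FAILED 10.1.4.22
2026-03-02T09:03:45Z jsmith LOGIN_FAILED 10.1.4.22
2026-03-02T09:04:00Z jsmith LOGIN_SUCCESS 10.1.4.22
2026-03-02T09:10:00Z alee LOGIN_FAILED 10.1.9.8
2026-03-02T09:20:00Z alee LOGIN_FAILED 10.1.9.8
2026-03-02T09:30:00Z alee LOGIN_FAILED 10.1.9.8
2026-03-02T09:40:00Z alee LOGIN_FAILED 10.1.9.8
2026-03-02T14:15:00Z jsmith-admin PRIV_CMD 10.1.4.22
2026-03-02T22:15:00Z jsmith-admin PRIV_CMD 10.1.4.22
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source)."""
    ts, user, event, source = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, source


def detect(log_text):
    """Return a list of (timestamp, user, reason) alerts for the two Section 4 rules."""
    alerts = []
    failures = defaultdict(deque)  # per-user timestamps of recent failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source = parse_line(line)
        if event == "LOGIN_FAILED":
            window = failures[user]
            window.append(ts)
            # Drop failures that have fallen out of the 5-minute sliding window.
            while window and ts - window[0] > FAILED_WINDOW:
                window.popleft()
            if len(window) > FAILED_THRESHOLD:
                alerts.append((ts.isoformat(), user,
                               f"{len(window)} failed logins within 5 min from {source}"))
                window.clear()  # one alert per burst; a new burst alerts again
        elif event == "LOGIN_SUCCESS":
            failures[user].clear()  # a successful login ends the failure streak
        elif event in PRIVILEGED_EVENTS:
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.append((ts.isoformat(), user,
                               f"after-hours privileged activity ({event}) from {source}"))
    return alerts


if __name__ == "__main__":
    for when, who, why in detect(SAMPLE_LOG):
        print(f"ALERT {when} {who}: {why}")
```

Note what the sliding window does with the second user: four failures spread ten minutes apart never exceed the threshold, so they produce no alert, while the first user's four failures inside four minutes do. Whether that slow pattern should still be flagged is a tuning decision for your alert rules, not something the 5-minute rule alone catches.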
5. Device Access Control
Controls for authorized devices, endpoint requirements, and mobile device management.
- ✓ Company-issued laptops/desktops fully managed; MDM-enrolled BYOD allowed if compliant
- ✓ Personal devices not enrolled in MDM are prohibited
- ✓ Endpoint protection required: antivirus/EDR (CrowdStrike, Defender ATP)
- ✓ Full-disk encryption required (BitLocker, FileVault)
- ✓ Critical patches within 7 days, other patches within 30 days
- ✓ MDM policies enforce: PIN/biometric lock, 5-min inactivity lock, remote wipe capability, jailbreak/root prohibition
6. Network Access Control
Network segmentation, remote access controls, wireless security, and third-party connection management.
- ✓ CUI systems isolated in separate VLAN/subnet with firewall rules restricting inter-segment traffic
- ✓ Remote access requires company-managed device or MDM-enrolled BYOD, VPN with split-tunneling disabled, MFA, TLS 1.2+
- ✓ Jump servers/bastion hosts for admin access
- ✓ Guest WiFi isolated with no CUI access; corporate WiFi uses WPA3-Enterprise with certificate-based auth
- ✓ Third-party access: time-limited (90 days max), role-based, logged/monitored, NDA required
- ✓ API keys rotated every 90 days, stored in vault
7. Data Access Control
Data classification-aligned access permissions and encryption requirements.
- ✓ Access permissions aligned with data classification: Public, Internal, Confidential, CUI
- ✓ CUI access requires: completed CUI training, background check, signed NDA, manager + CISO approval
- ✓ Data at rest: AES-256 encryption
- ✓ Data in transit: TLS 1.2+ for external, TLS 1.2+ or IPsec for internal
- ✓ Encryption keys managed via KMS (AWS KMS, Azure Key Vault)
👥 Roles & Responsibilities
CISO / IT Director
- Overall accountability for access control program
- Approve exceptions to this policy
- Ensure annual policy review and updates
- Report compliance status to executive leadership
IT Department / System Administrators
- Implement technical controls per this policy
- Provision and revoke access based on approved requests
- Monitor access logs and investigate anomalies
- Maintain evidence of compliance for audits
Human Resources (HR)
- Notify IT within 24 hours of employee status changes (hire, transfer, termination)
- Maintain records of background checks and clearances
- Coordinate access approval for new hires
Managers / Supervisors
- Request access for direct reports based on job function
- Review team member access quarterly
- Report suspected unauthorized access immediately
All Users
- Protect credentials (no sharing, secure passwords)
- Report lost/stolen devices within 1 hour
- Complete annual security awareness training
- Use access only for authorized business purposes
🛠️ Implementation Roadmap (8 Weeks)
Foundation
Weeks 1-4
- → Week 1: Inventory all systems accessing CUI, list all users with current access levels, identify gaps vs. policy, assign implementation owners
- → Week 2: Configure IAM (Azure AD / AWS IAM / GCP IAM), create role-based groups, audit Active Directory structure, define GPOs for password policies
- → Week 3: Select and pilot MFA vendor (Microsoft Authenticator, Duo, Okta), create user training materials, enforce MFA for cloud admins then all users
- → Week 4: Implement MDM (Intune, JAMF), enroll all company devices, configure compliance policies (encryption, AV, OS version), deploy endpoint protection
Advanced Controls
Weeks 5-8
- → Week 5: Inventory privileged accounts, implement PAM solution (CyberArk, BeyondTrust, Azure PIM), convert standing admin to JIT, enable session recording
- → Week 6: Centralize logs (Splunk, Azure Sentinel, AWS Security Hub), configure log sources, create alert rules, assign on-call rotation
- → Week 7: Export current access reports, assign reviewers, use access review tool, document results, revoke unnecessary access
- → Week 8: Finalize policy, create evidence folder structure, conduct training (all users, IT staff, managers), publish policy, require acknowledgment
📊 CMMC Practice Mapping
| Practice ID | Requirement | Policy Section |
|---|---|---|
| AC.L1-3.1.1 | Limit system access to authorized users | 1, 2 |
| AC.L1-3.1.2 | Control public information system access | 1 |
| AC.L2-3.1.3 | Control CUI flow | 7 |
| AC.L2-3.1.4 | Separate duties | 2, 4 |
| AC.L2-3.1.5 | Least privilege | 1 |
| AC.L2-3.1.6 | Use non-privileged accounts | 2 |
| AC.L2-3.1.7 | Limit privileged functions | 2 |
| AC.L2-3.1.8 | Limit unsuccessful logon attempts | 3 |
| AC.L2-3.1.9 | Provide privacy/security notices | Separate policy |
| AC.L2-3.1.10 | Limit concurrent sessions | 3 |
| AC.L2-3.1.11 | Terminate sessions | 3 |
| AC.L2-3.1.12 | Control remote access | 6 |
| AC.L2-3.1.13 | Monitor remote access | 4 |
| AC.L2-3.1.14 | Route remote access via managed points | 6 |
| AC.L2-3.1.15 | Authorize wireless access | 6 |
| AC.L2-3.1.16 | Protect wireless access | 6 |
| AC.L2-3.1.17 | Authorize mobile devices | 5 |
| AC.L2-3.1.18 | Control mobile device connections | 5 |
| AC.L2-3.1.19 | Encrypt CUI on mobile devices | 5, 7 |
| AC.L2-3.1.20 | Control external system connections | 6 |
| AC.L2-3.1.21 | Limit portable storage use | See Media Protection Policy |
| AC.L2-3.1.22 | Control CUI posting/processing | 7 |
📋 Evidence Requirements
These are the artifacts a C3PAO assessor will ask for. Start collecting early.
- Signed Access Control Policy
- IAM Configuration Screenshots
- Access Request Tickets
- Access Review Reports
- MFA Enrollment Report
- Failed Login / Lockout Logs
- Privileged Access Logs
- Termination Audit Log
- Device Compliance Report
- Training Records
⚠️ Common Gaps (What Assessors Flag)
1. Shared or generic admin accounts still in use
2. MFA not enforced for all CUI access
3. No formal access review process
4. Terminated employee accounts not disabled within 1 hour
5. No separation of duties enforcement
📝 Template Customization Guide
When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:
| Placeholder | Meaning | Example |
|---|---|---|
| [COMPANY NAME] | Your organization's legal name | Acme Defense Systems, LLC |
| [CISO Name] | Name of your Chief Information Security Officer or IT Director | Jane Smith |
| [MM/DD/YYYY] | Effective date, review date, or next review date | 03/01/2026 |
| [ticketing system] | Your IT service management tool for access requests | Jira Service Desk |
| [Service Account Registry] | Where you document service accounts | SharePoint list at /sites/IT/ServiceAccounts |
| [[email protected]] | Your security team email distribution | [email protected] |
Customization Tips
- 💡 Replace all bracketed placeholders with your organization-specific values
- 💡 Adjust timeframes (e.g., 48-hour access provisioning) based on your HR and IT capacity
- 💡 If you don't use certain tools (e.g., Azure PIM), replace with your equivalent (e.g., CyberArk)
- 💡 For small organizations, document where separation of duties isn't feasible and describe compensating controls
- 💡 Add your specific IP ranges, VPN endpoints, and network segment details to the network access section
- 💡 Review password policy thresholds -- 14 characters is the NIST recommendation, but your contracts may specify different requirements