Limit system access to authorized users, processes acting on behalf of authorized users, and devices
📖 What This Means
This control means ensuring only the right people, automated processes, and devices can access your systems. Think of it like a bouncer at a club—only those on the list get in. For example, only your accounting team should access financial systems, and only company-issued laptops should connect to your network. This prevents unauthorized access that could lead to data leaks or system tampering. Another real-world example: A contractor's employee leaves the company, but their account isn't disabled. Without this control, they could still access sensitive files.
🎯 Why It Matters
Unrestricted access is a top cause of data breaches. In 2022, 80% of breaches involved compromised credentials (Verizon DBIR). A single unauthorized user or device can expose Controlled Unclassified Information (CUI), costing $180 per record in remediation (IBM). The DoD requires this because defense contractors are prime targets—foreign actors often exploit weak access controls to steal military designs. CMMC Level 1 makes this foundational: if you can't control who gets in, you can't protect CUI.
✅ How to Implement
1. In AWS/Azure/GCP, enable Identity and Access Management (IAM) and create roles for each job function (e.g., 'Finance-ReadOnly').
2. Set up Multi-Factor Authentication (MFA) for all human users (use Google Authenticator or Duo).
3. Configure Conditional Access Policies (Azure) or IAM Policies (AWS) to block logins from non-company IPs.
4. Use Azure AD Device Compliance or AWS Managed Microsoft AD to allow only enrolled devices.
5. For automated processes, create service accounts with least privilege (e.g., 'CI-CD-Deployer').
6. Enable logging (AWS CloudTrail/Azure Monitor) and alert on unusual access patterns.
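As an added example (not from the original page or any vendor's tooling), the following Python script shows what the "alert on unusual access patterns" part of step 6 can look like when it enforces steps 2 and 3: it reviews constructed records in the shape of AWS CloudTrail ConsoleLogin events and flags successful logins without MFA, logins from outside the assumed company IP ranges, and users with repeated failed logins. The company network ranges, the failure threshold and the event records are all constructed assumptions.

```python
import ipaddress
# Assumed company egress ranges (RFC 5737 documentation addresses, constructed for this example).
COMPANY_NETWORKS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
FAILED_LOGIN_THRESHOLD = 3  # assumed alerting threshold for repeated failures by one user

# Constructed records in the shape of CloudTrail ConsoleLogin events, trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"userName": "bob"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
] + [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"userName": "carol"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}}
    for _ in range(3)  # three failed attempts by one user from outside the company network
]


def check_login(event):
    """Return the policy violations for one ConsoleLogin event; an empty list means compliant."""
    findings = []
    if event.get("eventName") != "ConsoleLogin":
        return findings  # only console sign-ins are evaluated here
    ip = ipaddress.ip_address(event["sourceIPAddress"])
    if not any(ip in net for net in COMPANY_NETWORKS):
        findings.append("login from outside company network")
    success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    if success and not mfa_used:
        findings.append("successful login without MFA")
    return findings


def review_events(events):
    """Group findings by user and add an alert for users whose failures reach the threshold."""
    report, failures = {}, {}
    for ev in events:
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        for finding in check_login(ev):
            report.setdefault(user, []).append(finding)
        if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[user] = failures.get(user, 0) + 1
    for user, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            report.setdefault(user, []).append(f"{count} failed logins")
    return report
```

Running `review_events(SAMPLE_EVENTS)` yields one finding each for alice and bob and four for carol; in practice the same checks would be fed from a CloudTrail export or a SIEM query rather than an inline list.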
📋 Evidence Examples
Access Control Policy
Screenshot of IAM Roles
Active Directory Group List
Failed Login Report
MFA Enrollment Report
📝 SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For AC.L1-3.1.1 ("Limit system access to authorized users, processes acting on behalf of authorized users, and devices"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"AC.L1-3.1.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to limit system access to authorized users, processes acting on behalf of authorize.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"AC.L1-3.1.1 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to limit system access to authorized users, processes acting on behalf of authorize.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"AC.L1-3.1.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify all access points to CUI systems (VPN, direct network, cloud portals)
- Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
- Map user roles to system access levels
- Ensure this control covers all systems within your defined CUI boundary where the requirement to limit system access to authorized users, processes acting on behalf of authorized users, and devices applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- 📄 Access Control Policy
- 📄 IAM configuration documentation
- 📄 Access request and approval records
- 📄 Evidence artifacts specific to AC.L1-3.1.1
- 📄 POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.
💬 Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you have a written policy defining who can access systems and how?
Question 2: Are all user accounts reviewed quarterly to remove inactive/unauthorized ones?
Question 3: Is MFA enabled for all cloud and VPN access?
Question 4: Do you block personal devices from accessing CUI systems?
Question 5: Are service accounts (non-human) documented and restricted to least privilege?
⚠️ Common Mistakes (What Auditors Flag)
1. Shared admin accounts (e.g., a generic admin e-mail login used by several people) with no individual tracking.
2. Missing MFA for cloud consoles (AWS/Azure).
3. No process to revoke access when employees leave.
4. Personal devices allowed without security checks.
5. Service accounts with excessive permissions (e.g., full admin).
📚 Parent Policy
This practice is governed by the Access Control Policy.