AC.L1-3.1.1 Authorized Access Control
Authorized access control is the foundation of CMMC Level 1 compliance—it prevents unauthorized users, processes, and devices from accessing your systems. This control requires documented policies and simple technical measures to enforce who can access what. For SMBs, getting this right early saves hundreds of hours during audits.
What this means
This control requires you to implement and enforce restrictions that limit information system access exclusively to authorized users, processes acting under their authority, and approved devices. It's the first line of defense against unauthorized access and covers both human users and automated processes. The intent is to ensure that only personnel and systems with legitimate business need can interact with your sensitive data and critical systems.
How to comply
- 1.Document an access control policy that defines who (users, roles, processes) and what (devices) can access each system.
- 2.Implement user authentication (username/password minimum) for all system entry points.
- 3.Maintain a current list of authorized users and their assigned access levels.
- 4.Configure access permissions at the system or application level to enforce the documented policy.
- 5.Disable or remove access for users and devices that are no longer authorized.
- 6.Review and update authorization lists at least annually or when personnel changes occur.
Evidence auditors look for
- Access control policy document signed by management
- System user account listings with assigned roles and access levels
- Screenshots showing login/authentication mechanisms in place
- Access control configuration files (ACLs, firewall rules, role assignments)
- User access review and approval records
- Terminated employee access removal documentation
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access control documentation and user authorization tracking, generating audit-ready evidence from your existing systems without manual spreadsheets.
See how GRCWatch handles this control automatically
Start free trial