AC.L2-3.1.1 Authorized Access Control — CMMC Level 2 Compliance Guide
CMMC Level 2 requires you to strictly limit information system access to authorized users, processes, and devices. This control is foundational to preventing unauthorized access and protecting sensitive unclassified information (CUI). Without proper access controls, you risk data breaches and CMMC assessment failures.
What this means
This control requires implementing technical and administrative measures to ensure only authorized individuals, automated processes acting on their behalf, and approved devices can access your information systems. This includes both human users and non-human entities (service accounts, automated workflows) that must be tied to legitimate business purposes. Access must be based on verified identity and the principle of least privilege.
How to comply
- 1.Establish an access control policy that defines authorization criteria and approval workflows
- 2.Implement role-based access control (RBAC) to assign permissions based on job functions
- 3.Maintain an inventory of authorized users and devices with documented access rights
- 4.Use technical controls (authentication, multifactor authentication) to verify identity before granting access
- 5.Implement account and session management to enforce least privilege principles
- 6.Review and revoke access promptly when users change roles or leave the organization
- 7.Monitor and log all access attempts to detect unauthorized access attempts
- 8.Document approval records for each authorized user, process, and device
Evidence auditors look for
- Access control policy document with authorization criteria and approval procedures
- User access request forms with manager approvals and dated authorization records
- Role definitions mapping job titles to system permissions and data access levels
- Active directory or identity management system configuration showing access restrictions
- Device inventory listing approved systems with their assigned access privileges
- Access logs showing successful authentications and blocked unauthorized attempts
- Offboarding checklist documenting deprovisioning and access removal upon termination
- Periodic access reviews signed by managers confirming continued authorization validity
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates user access reviews, centralizes authorization records, and generates audit-ready evidence for AC.L2-3.1.1—eliminating manual spreadsheet tracking and reducing assessment risk.
See how GRCWatch handles this control automatically
Start free trial