cmmc-ac-1 Critical priority Access Control / Authorized Access

Limit system access to authorized users, processes, and devices

Only authorized users, processes acting on behalf of authorized users, and authorized devices (including other information systems) should be able to access systems that process or store Federal Contract Information. In practice this means maintaining a deliberate, documented list of who and what can access each system, removing access promptly when it is no longer needed, and ensuring access is granted intentionally rather than by default. This is the first of the basic safeguarding requirements in FAR 52.204-21, so unauthorized access to FCI can put the contractor in breach of that clause and, where the contract also carries DFARS 252.204-7012, may trigger cyber incident reporting obligations.

Implementation steps

  1. Inventory all systems that process or store FCI

    Document every system, application, file share, and cloud service that touches Federal Contract Information. This scoping step ensures you apply access controls to the right places. Include email, collaboration tools, code repositories, and shared drives alongside servers and databases.

    Suggested tools: Confluence, Excel

  2. Define authorized users and devices for each system

    For each in-scope system, document which users, service accounts, and devices are authorized to access it and the business justification. Tie access to job function. Grant permissions to groups or roles rather than to individuals directly so access is easier to manage and audit, and record the group itself, not its current members, on the authorized list.

    Suggested tools: Active Directory, Okta, Azure AD

  3. Implement and enforce access controls

    Configure each system to allow only the authorized users, groups, and devices you defined. Disable or remove guest accounts, shared accounts, and anonymous access on all in-scope systems. For devices, require MDM enrollment or certificate-based authentication (for example, a device certificate issued during enrollment) so that only managed devices can connect.

    Suggested tools: Active Directory, Okta, AWS IAM, Intune, Jamf

  4. Remove access promptly when no longer needed

    Establish a process to revoke access when employees leave, change roles, or no longer need access for a project. Tie access removal to your HR offboarding workflow so it happens on the last day of employment. Conduct quarterly access reviews that compare the actual membership and role exports from each system against the authorized list from step 2, so that accounts which should have been removed but were not are caught.

    Suggested tools: Okta, Active Directory, ServiceNow

Evidence required

Access control policy

Written policy defining how access to FCI systems is granted, reviewed, and revoked.

  • Access control policy document
  • User provisioning procedure

Authorized user and device list

Current list of authorized users and devices for each in-scope system.

  • Active Directory group membership export
  • IAM role assignment report
  • MDM device enrollment list

Access review records

Evidence of periodic reviews confirming the access list remains accurate.

  • Quarterly access review sign-off
  • User access recertification records

Related controls