cmmc-ac-2 | High priority | Access Control / Authorized Access

Limit system access to permitted transactions and functions

Authorized users should only be able to perform the specific transactions and functions their role requires. A read-only analyst should not have write access to production databases. A contractor on one project should not be able to browse files from another. Enforcing least privilege reduces the blast radius of any compromised account and limits the potential for accidental or deliberate misuse of Federal Contract Information.

Implementation steps

  1. Define permitted functions for each role

     Map each job function to the specific operations it needs: what data can be read, written, deleted, or exported, and which application functions can be executed. Document these mappings explicitly. Default to read-only access and elevate only when a business need justifies it.

     Tools: confluence, excel

  2. Implement least-privilege permissions

     Configure systems using RBAC or equivalent controls that enforce the role-to-permission mappings. Avoid broad permissions like 'full access' or 'admin' unless genuinely required. Disable bulk export and mass-delete capabilities for roles that do not need them.

     Tools: active-directory, okta, aws-iam, sharepoint

  3. Audit and remediate excessive permissions

     Review existing permission assignments for privilege creep, where users have accumulated access beyond what their current role requires. Generate a report of all users with elevated or administrative permissions and verify each is still justified. Remove permissions that are no longer needed.

     Tools: active-directory, okta, aws-iam, saviynt
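The three steps above fit together as one check: the role matrix from step 1 becomes the reference, and the audit in step 3 compares each user's actual grants against it, flagging broad grants and bulk actions as step 2 requires. The script below is an added example, not code from this page or from any of the listed tools; the role matrix, the user assignments and the "resource:action" permission naming are all constructed for illustration, and a real run would read them from a permission export.

```python
from dataclasses import dataclass

BROAD_GRANTS = {"admin", "full-access"}        # avoid unless genuinely required
BULK_ACTIONS = {"bulk-export", "mass-delete"}  # disable for roles that do not need them

# Constructed role matrix; "resource:action" naming is an assumption of this example.
ROLE_MATRIX = {
    "analyst": {"prod-db:read", "reports:read"},
    "dba": {"prod-db:read", "prod-db:write"},
    "contractor-projA": {"projA-files:read", "projA-files:write"},
}

# Constructed assignments (user -> (role, granted)), as from an IAM policy export.
USER_ASSIGNMENTS = {
    "alice": ("analyst", {"prod-db:read", "reports:read", "prod-db:write"}),
    "bob": ("dba", {"prod-db:read", "prod-db:write", "admin"}),
    "carol": ("contractor-projA", {"projA-files:read", "projB-files:read"}),
    "dave": ("analyst", {"reports:read", "reports:bulk-export"}),
    "erin": ("analyst", {"reports:read"}),
}

@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    permission: str
    reason: str

def audit(role_matrix, assignments):
    """One Finding per grant that needs justification or removal."""
    findings = []
    for user, (role, granted) in sorted(assignments.items()):
        permitted = role_matrix.get(role)
        if permitted is None:  # unmapped role: every grant is unjustified
            findings.append(Finding(user, role, "*", "role not in matrix"))
            continue
        for perm in sorted(granted):
            action = perm.rsplit(":", 1)[-1]
            if perm in BROAD_GRANTS:
                findings.append(Finding(user, role, perm, "broad grant"))
            elif perm not in permitted and action in BULK_ACTIONS:
                findings.append(Finding(user, role, perm, "bulk action not needed by role"))
            elif perm not in permitted:
                findings.append(Finding(user, role, perm, "exceeds role"))
    return findings

if __name__ == "__main__":
    for f in audit(ROLE_MATRIX, USER_ASSIGNMENTS):
        print(f"{f.user:8} {f.role:18} {f.permission:22} {f.reason}")
```

The printed findings list is the "admin account audit report" evidence item below; a grant that is permitted by the matrix produces no finding, so a clean run is also evidence.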

Evidence required

Role and permission matrix

Documentation mapping each role to the specific functions and data access it is permitted.

  - RBAC role matrix spreadsheet
  - Application permission configuration document

Permission configuration evidence

Evidence that systems are configured to enforce role-based restrictions.

  - IAM policy exports
  - Application role assignment screenshots
  - Group policy settings

Privilege review records

Records showing periodic reviews of elevated and administrative access.

  - Privileged access review sign-off
  - Admin account audit report

Related controls