Are you ready to progress on your Cybersecurity Maturity Model Certification (CMMC) journey? If so, Access Control (AC) is the first domain you must tackle as part of CMMC level 1 requirements. Its practices regulate access between active entities (users or user processes) and passive entities (devices and records). In this post, we break down key information on the first two practices, AC.1.001 and AC.1.002, through a CMMC assessment context so you know exactly what to expect.

What is a CMMC Assessment?

A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21).

What is Access Control – AC.1.001?

The first practice of CMMC level 1 Access Control, AC.1.001, states the requirement to “limit information system access to authorized users, processes acting on behalf of authorized users, or devices.” This practice focuses on account management for systems and applications. You must set up your system so that unauthorized users and devices can’t get on your network and breach FCI.

First, you need to control who uses your company computers and who can log into the network to ensure only authorized personnel have access. One way to do this is to have a unique username and password for every employee who uses a company computer for their work. After an employee leaves the company, their username and password must be disabled to avoid future access attempts.

Second, access restrictions must extend to services and devices (e.g., printers) used on company networks. You can control system and device network access by stopping them from connecting unless they have access permission. If you decide later to add a new device like a printer, you can grant specific permission to the printer, connect it to the network, and install it. The key is to always deny access to devices your system isn’t familiar with and employ access measures accordingly for new devices.

What is Access Control – AC.2.002?

The second practice of CMMC level 1 Access Control, AC.1.002, states the requirement to “limit information system access to the types of transactions and functions that authorized users are permitted to execute.” This means that you can define access privileges by account or account type. Account types include individual, shared, group, and more. It’s crucial that users only access systems or privileges required for their roles. For example, you wouldn’t want a lower-level employee to access material meant for administrators; access privileges prevent these instances from occurring. Other authorization attributes can include time-of-day or day-of-week restrictions.

To employ this practice, take note of information you and your colleagues have access to. For example, if there’s Department of Defense (DoD) contract information your team needs access to in order to perform work correctly, you can implement system measures that assign access based on specific roles. Each role limits whether an employee has read or write access, and implementation restricts access to FCI unless there’s specific authorization.

What are AC.1.001 and AC.1.002 Assessment Objectives and Objects?

Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessment objects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals).

AC.1.001 assessment objective: Identify all authorized users, processes acting on behalf of these users, and devices authorized to connect to the system. System access should be limited to only the three identified elements mentioned.

AC.1.002 assessment objective: Determine if the types of transactions and functions that authorized users can execute are defined. This includes system access limitations.

Regarding objects for both practices, a C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements.

What are the Assessment Methods for AC.1.001 and AC.1.002?

Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for AC.1.001 and AC.1.002:

Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. For AC.1.001 and AC.1.002, C3PAOs can examine your access control policy, procedures addressing account management and access enforcement, and your system security plan. They can analyze your configuration settings and any documentation related to these settings or your system design. Your assessor can also review a list of your active system accounts with names of associated individuals, a list of approved authorizations, system audit logs, records of recently departed employees, and other relevant documents or records. Lastly, inspections may ensue regarding organizational processes and implementation for account management or access control policy.

Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. During an assessment of your access control practices for AC.1.001 and AC.1.002, a C3PAO may interview personnel with account management or information security responsibilities, system developers, and system or network administrators.

Test: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. All assessment objects that a C3PAO can examine for AC.1.001 and AC.1.002 are susceptible to testing.

How Do I Know if I’m Complying to AC.1.001 and AC.1.002 Practices?

Access control is an important domain that constitutes access privileges. You may already have some security measures in place to address AC.1.001 and AC.1.002 objectives, but you’re unsure how they stand up to an assessment examination or test. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Complying with these Access Control practices means you’re one step closer to the next domain, and even better, a step closer to your Level 1 certification.