Access control is one of the foundational pillars of cybersecurity, especially within Cybersecurity Maturity Model Certification (CMMC). At Level 1, AC.L1-3.1.1 states:
“Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”
On the surface, this may seem like a basic control, but as both a Certified CMMC Assessor (CCA) and CMMC Consultant, I’ve seen how organizations often under- or over-engineer this practice. Let’s dive into what proper implementation really looks like—not just for compliance, but for operational security.
✅ Assessment Objective Breakdown (From the CMMC Assessment Guide)
Per the CMMC Level 1 Assessment Guide, the assessment objectives (AOs) for AC.L1-3.1.1 are:
- [a] Identify information system users.
- [b] Identify processes acting on behalf of authorized users.
- [c] Identify devices that access the information system.
- [d] Limit system access to the identified and authorized users, processes, and devices.
🧭 Consultant Perspective: Getting the Implementation Right
As CMMC consultants, our goal is to help clients operationalize these controls in a way that fits their environment—especially small to mid-sized defense contractors (the Organizations Seeking Certification, or OSCs). Here’s how we coach clients to meet each assessment objective:
[a] Identify Users
- Use centralized identity management (e.g., Active Directory or Microsoft Entra ID).
- Maintain a user inventory or access roster.
- Ensure each user is assigned unique credentials (no shared accounts).
[b] Identify Processes Acting on Behalf of Users
- Document automated scripts, system accounts, and service accounts.
- Assign a named owner to each process and run it with least-privilege access (its own account, not a shared admin credential).
[c] Identify Devices
- Maintain an up-to-date asset inventory (including BYOD if applicable).
- Implement device enrollment policies (e.g., MDM enrollment, or domain join with Group Policy) so that only known devices can reach the system.
[d] Limit Access
- Use access control lists, group policies, and firewalls to enforce access limitations.
- Ensure onboarding/offboarding processes update access rights promptly.
- Disable unused accounts and remove orphaned devices.
We recommend lightweight tools like Microsoft Intune, free asset discovery tools, and policy documentation templates to keep costs and complexity down.
🔍 Assessor Perspective: What Compliance Actually Looks Like
From an assessor’s point of view, implementation must be verifiable, consistent, and operational.
Here’s what I look for during an assessment:
- Policy/Procedure Evidence: Even though Level 1 doesn’t require formal documentation, some form of written procedure improves consistency.
- System Demonstration: Can the organization show access lists, user accounts, and device access logs?
- Interviews: Do employees understand who is authorized to access which systems and how that access is managed?
- Screenshots or Live Evidence: Show me the Active Directory OU structure, user and computer object properties, and logon logs.
🛑 Common Pitfall: Organizations often assume that using passwords or having a domain means they’re compliant. But without evidence of who authorized each account, how accounts are managed over their lifecycle, and which devices are permitted, the assessor cannot score this practice as met.
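The four objectives in the consultant section and the evidence list in the assessor section overlap almost completely: what you build for [a] through [d] is exactly what you will be asked to show. The following PowerShell script is an added example, not part of the original article and not any vendor’s tool; it pulls the [a]–[d] evidence from an on-premises Active Directory domain into CSV files and prints a one-screen summary. It assumes the RSAT ActiveDirectory module, read access to the domain, a hypothetical naming convention in which service accounts start with `svc-` or live in an OU named `Service Accounts`, and a 90-day inactivity threshold; all four are assumptions to adjust for your environment. The `Disable-ADAccount` calls run with `-WhatIf`, so the script changes nothing until the account owner has confirmed.

```powershell
# Added example (not from the original article). Collects AC.L1-3.1.1 evidence
# from an on-premises Active Directory domain into CSV files.
# ASSUMPTIONS (not stated on the page; adjust to your environment):
#   - the RSAT ActiveDirectory module is installed and the caller can read the domain
#   - service accounts are named svc-* or sit in an OU called "Service Accounts"
#     (both are hypothetical conventions used only for this example)
#   - 90 days is the organization's inactivity threshold for users and devices

Import-Module ActiveDirectory

$InactiveDays = 90
$InactiveSpan = New-TimeSpan -Days $InactiveDays
$OutDir       = Join-Path $PWD 'ac-l1-3.1.1-evidence'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# [a] Identify users: every enabled account, with the attributes that show
#     individual accountability (unique SAM name, a named manager, last use).
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties Description, Manager, whenCreated, LastLogonDate, PasswordNeverExpires |
         Select-Object SamAccountName, Name, Description, Manager, whenCreated,
                       LastLogonDate, PasswordNeverExpires, DistinguishedName
@($Users) | Export-Csv (Join-Path $OutDir 'a-users.csv') -NoTypeInformation

# [b] Identify processes acting on behalf of users: service accounts, split from
#     the human roster by the naming/OU convention assumed above, plus gMSAs.
$ServiceAccounts = $Users | Where-Object {
    $_.SamAccountName -like 'svc-*' -or $_.DistinguishedName -like '*OU=Service Accounts,*'
}
$Gmsas = Get-ADServiceAccount -Filter * -Properties Description, PrincipalsAllowedToRetrieveManagedPassword |
         Select-Object SamAccountName, Description,
                       @{ n = 'AllowedHosts'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ';' } }
@($ServiceAccounts) | Export-Csv (Join-Path $OutDir 'b-service-accounts.csv') -NoTypeInformation
@($Gmsas)           | Export-Csv (Join-Path $OutDir 'b-gmsa.csv')             -NoTypeInformation

# A service account with neither a Manager nor a Description has no documented
# owner, which is exactly the gap an assessor will ask about.
$UnownedServiceAccounts = $ServiceAccounts | Where-Object {
    [string]::IsNullOrWhiteSpace($_.Manager) -and [string]::IsNullOrWhiteSpace($_.Description)
}

# [c] Identify devices: the domain's computer objects, with owner (ManagedBy)
#     and last use, so the list can be reconciled against the asset inventory.
$Computers = Get-ADComputer -Filter * `
                -Properties OperatingSystem, Description, ManagedBy, whenCreated, LastLogonDate |
             Select-Object Name, DNSHostName, OperatingSystem, Enabled, Description,
                           ManagedBy, whenCreated, LastLogonDate
@($Computers) | Export-Csv (Join-Path $OutDir 'c-devices.csv') -NoTypeInformation

# [d] Limit access: the assessor wants to see that unused accounts and orphaned
#     devices are disabled, not just listed. Search-ADAccount does the date math
#     against the last-logon timestamp. Review the list with the owner before
#     acting: a brand-new account that has not logged on yet is not an abandoned one.
$StaleUsers     = Search-ADAccount -AccountInactive -TimeSpan $InactiveSpan -UsersOnly     | Where-Object Enabled
$StaleComputers = Search-ADAccount -AccountInactive -TimeSpan $InactiveSpan -ComputersOnly | Where-Object Enabled
@($StaleUsers)     | Export-Csv (Join-Path $OutDir 'd-stale-users.csv')   -NoTypeInformation
@($StaleComputers) | Export-Csv (Join-Path $OutDir 'd-stale-devices.csv') -NoTypeInformation

# Remediation is deliberately a dry run. Remove -WhatIf only after the owner has
# confirmed, and keep the CSVs above as the before/after evidence.
@($StaleUsers)     | Disable-ADAccount -WhatIf
@($StaleComputers) | Disable-ADAccount -WhatIf

# One-screen summary for the assessment notes.
[pscustomobject]@{
    EnabledUsers             = @($Users).Count
    ServiceAccounts          = @($ServiceAccounts).Count
    UnownedServiceAccounts   = @($UnownedServiceAccounts).Count
    GroupManagedSAs          = @($Gmsas).Count
    Devices                  = @($Computers).Count
    StaleUsersStillEnabled   = @($StaleUsers).Count
    StaleDevicesStillEnabled = @($StaleComputers).Count
    EvidenceFolder           = $OutDir
} | Format-List
```

Run it from a domain-joined administrative workstation and keep the CSV folder with the rest of the assessment evidence; the stale-account files from one month to the next are the simplest proof that offboarding and device cleanup actually happen. The counts for unowned service accounts and stale-but-enabled objects are the ones to drive to zero before the assessment, because each non-zero row is a concrete question the assessor will ask.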
Final Thoughts
AC.L1-3.1.1 is the gateway control—if you can’t control who gets in, nothing else matters. When implemented properly, it forms the bedrock of a compliant and secure environment. The key is clarity in who, what, and how access is authorized—and being able to show that to an assessor.
Whether you’re preparing for a CMMC assessment or helping clients as a consultant, this control deserves thorough and practical implementation.
🔗 Want to Learn More?
Let’s connect to talk more about proper CMMC practices and how to prepare effectively for your Level 2 assessment.