AC

Access Control

Limits system access to authorized users, processes, and devices. The largest control family in 800-171, governing everything from account management to remote access to mobile devices to wireless networks.

Family stats
Controls: 22
Objectives: 70
L1: 4
L2 only: 18
22 controls in this family
3.1.1
Limit system access to authorized users, processes acting on behalf of authorized users, and...
AC.L1-3.1.1 · 6 objectives
L1
3.1.10
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period...
AC.L2-3.1.10 · 3 objectives
L2
3.1.11
Terminate (automatically) a user session after a defined condition.
AC.L2-3.1.11 · 2 objectives
L2
3.1.12
Monitor and control remote access sessions.
AC.L2-3.1.12 · 4 objectives
L2
3.1.13
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC.L2-3.1.13 · 2 objectives
L2
3.1.14
Route remote access via managed access control points.
AC.L2-3.1.14 · 2 objectives
L2
3.1.15
Authorize remote execution of privileged commands and remote access to security-relevant...
AC.L2-3.1.15 · 4 objectives
L2
3.1.16
Authorize wireless access prior to allowing such connections.
AC.L2-3.1.16 · 2 objectives
L2
3.1.17
Protect wireless access using authentication and encryption.
AC.L2-3.1.17 · 2 objectives
L2
3.1.18
Control connection of mobile devices.
AC.L2-3.1.18 · 3 objectives
L2
3.1.19
Encrypt CUI on mobile devices and mobile computing platforms.
AC.L2-3.1.19 · 2 objectives
L2
3.1.2
Limit system access to the types of transactions and functions that authorized users are permitted...
AC.L1-3.1.2 · 2 objectives
L1
3.1.20
Verify and control/limit connections to and use of external systems.
AC.L1-3.1.20 · 6 objectives
L1
3.1.21
Limit use of organizational portable storage devices on external systems.
AC.L2-3.1.21 · 3 objectives
L2
3.1.22
Control CUI posted or processed on publicly accessible systems.
AC.L1-3.1.22 · 5 objectives
L1
3.1.3
Control the flow of CUI in accordance with approved authorizations.
AC.L2-3.1.3 · 5 objectives
L2
3.1.4
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
AC.L2-3.1.4 · 3 objectives
L2
3.1.5
Employ the principle of least privilege, including for specific security functions and privileged...
AC.L2-3.1.5 · 4 objectives
L2
3.1.6
Use non-privileged accounts or roles when accessing nonsecurity functions.
AC.L2-3.1.6 · 2 objectives
L2
3.1.7
Prevent non-privileged users from executing privileged functions and capture the execution of such...
AC.L2-3.1.7 · 4 objectives
L2
3.1.8
Limit unsuccessful logon attempts.
AC.L2-3.1.8 · 2 objectives
L2
3.1.9
Provide privacy and security notices consistent with applicable CUI rules.
AC.L2-3.1.9 · 2 objectives
L2