3.1.2

Requirement

Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access control policies.

Discussion

Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions. Access control policies are defined in 03.15.01.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: access control policy and procedures; procedures for access enforcement; system design documentation; system configuration settings; list of approved authorizations (i.e., user privileges); system audit records; system security plan; other relevant documents or records]
Interview

[SELECT FROM: mechanisms for implementing the access control policy]
Test

[SELECT FROM: personnel with access enforcement responsibilities; system administrators; personnel with information security responsibilities; system developers]

ID	Assessment Objectives
A.03.01.02[01]	approved authorizations for logical access to CUI are enforced in accordance with applicable access control policies.
A.03.01.02[02]	approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!