Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

CMMC Clarification

Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network. Example 1 You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately. Example 2 A coworker from the marketing department tells you their boss wants to buy a new multifunction printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.

800-171 Description

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

800-171 Discussion

Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement

Other Source Discussion


CIS Control References

CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17

CMMC Derived

NIST CSF Control References

NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.1

Applicable FAR Clause

FAR Clause 52.204-21 b.1.i

NIST CSF Control Reference

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

AU ACSC Essential Eight


Assessment Sub-Criteria 1

AC.1.001.[a] authorized users are identified;

Assessment Sub-Criteria 2

AC.1.001.[b] processes acting on behalf of authorized users are identified;

Assessment Sub-Criteria 3

AC.1.001.[c] devices (and other systems) authorized to connect to the system are identified;

Assessment Sub-Criteria 4

AC.1.001.[d] system access is limited to authorized users;

Assessment Sub-Criteria 5

AC.1.001.[e] system access is limited to processes acting on behalf of authorized users; and

Assessment Sub-Criteria 6

AC.1.001.[f] system access is limited to authorized devices (including other systems).

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15