Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

CMMC Clarification

Make sure to limit users/employees to only the information systems, roles, or applications they are permitted to use and that are needed for their jobs. Example System use notificatons can be implemented using messages or warning banners displayed before individual login to systems. You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.

800-171 Description

Limit system access to the types of transactions and functions that authorized users are permitted to execute.

800-171 Discussion

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of- origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).

Other Source Discussion


CIS Control References

CIS Controls v7.1 1.4, 1.6, 5.1, 8.5, 14.6, 15.10, 16.8, 16.9, 16.11

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17

CMMC Derived

NIST CSF Control References

NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.2

Applicable FAR Clause

FAR Clause 52.204-21 b.1.ii

NIST CSF Control Reference

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

AC.1.002.[a] the types of transactions and functions that authorized users are permitted to execute are defined; and

Assessment Sub-Criteria 2

AC.1.002.[b] system access is limited to the defined types of transactions and functions for authorized users.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15