Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Periodically review and update CUI program access permissions.

CMMC Clarification

Users must have organizational approval to read, write and process CUI associated with a program, and the organization must maintain an authoritative list of who has been granted access to CUI. Review and update ACLs and/or appropriate access methods periodically (as determined by the organization, but at least annually) to maintain accurate permission sets when employees' roles change. Example You manage IT for your organization. When a new employee joined the organization, they were granted complete access to CUI for the project they were working on. A few months later, their role changed when they are moved to a different project owned by the same program manager but no longer requiring access to CUI. During the periodic review of the access control configuration, you compare the results to the official permission baseline held by the program manager. You determine that the employee should no longer have access to CUI. You revoke the CUI access permissions of the user.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC Organizations must maintain the authorizations for access to CUI information on a regular basis, considering whether existing authorizations are still needed or new authorization are required, and update the authorizations accordingly. Reviews of access take into consideration mission/business needs and maintain the organization’s implementation of the principle of least privilege.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15