Periodically review and update CUI program access permissions.
Users must have organizational approval to read, write and process CUI associated with a program, and the organization must maintain an authoritative list of who has been granted access to CUI. Review and update ACLs and/or appropriate access methods periodically (as determined by the organization, but at least annually) to maintain accurate permission sets when employees' roles change. Example You manage IT for your organization. When a new employee joined the organization, they were granted complete access to CUI for the project they were working on. A few months later, their role changed when they are moved to a different project owned by the same program manager but no longer requiring access to CUI. During the periodic review of the access control configuration, you compare the results to the official permission baseline held by the program manager. You determine that the employee should no longer have access to CUI. You revoke the CUI access permissions of the user.
CMMC Organizations must maintain the authorizations for access to CUI information on a regular basis, considering whether existing authorizations are still needed or new authorization are required, and update the authorizations accordingly. Reviews of access take into consideration mission/business needs and maintain the organization’s implementation of the principle of least privilege.