Reference: CMMC 2.0
Family: AC
Level Introduced: 1
Title: Authorized Access Control
Practice:
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
CMMC Clarification:
Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network.
Example 1
You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.
Example 2
A coworker from the marketing department tells you their boss wants to buy a new multi- function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-171 Requirements (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-53 Controls (3)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.