CMMC v2.11 Practices

AC.L1-b.1.ii

Reference: CMMC v2.11

Family: AC

Level Introduced: 1

Title: Transaction & Function Control [FCI Data]

Practice:
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Further Discussion:
Limit users to only the information systems, roles, or applications they are permitted to use and require for their roles and responsibilities. Limit access to applications and data based on authorized users’ roles and responsibilities. Common types of functions a user can be assigned are create, read, update, and delete.

Example
You supervise the team that manages DoD contracts for your company. Members of your team need to access the contract information to perform their work properly. Because some of that data contains FCI, you work with IT to set up your group’s systems so that users can be assigned access based on their specific roles [a]. Each role limits whether an employee has read-only access or create/read/update/delete access [b]. Implementing this access control restricts access to FCI unless it is specifically authorized.

Potential Assessment Considerations
• Are access control lists used to limit access to applications and data based on role and/or identity [a]?
• Is access for authorized users restricted to those parts of the system they are explicitly permitted to use, that is, is access denied by default and allowed by exception (e.g., a person who only performs word-processing cannot access developer tools) [b]?
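The role-based control described in the Further Discussion and Example above (roles mapped to create/read/update/delete functions, access denied by default and allowed by exception) can be implemented as a small authorization check. The following is an added illustration, not part of the CMMC text; the role names, resource names, users and the policy table are constructed for the example.

```python
"""Transaction and function control by role, deny by default.

Added example (not CMMC's own material). Each role is granted an explicit set
of create/read/update/delete functions per resource; any request not covered
by a granted function is denied and recorded for review.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    CREATE = "create"
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


# Constructed sample policy: role -> resource -> permitted functions.
# Anything absent from this table is denied (deny by default, allow by exception).
ROLE_POLICY = {
    "contract_viewer": {"contracts": {Action.READ}},
    "contract_manager": {
        "contracts": {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE}
    },
    "word_processor": {"documents": {Action.CREATE, Action.READ, Action.UPDATE}},
}


@dataclass
class Decision:
    allowed: bool
    granting_roles: tuple  # roles that permitted the function; empty on denial


@dataclass
class AccessController:
    policy: dict
    audit_log: list = field(default_factory=list)

    def authorize(self, user, roles, resource, action):
        """Return a Decision for one request and record it, allowed or not."""
        granting = tuple(
            role for role in roles
            if action in self.policy.get(role, {}).get(resource, set())
        )
        decision = Decision(allowed=bool(granting), granting_roles=granting)
        self.audit_log.append({
            "user": user,
            "roles": tuple(roles),
            "resource": resource,
            "action": action.value,
            "allowed": decision.allowed,
        })
        return decision

    def denied_requests(self):
        """Denied attempts are the ones worth reviewing during an assessment."""
        return [entry for entry in self.audit_log if not entry["allowed"]]


def demo():
    """Run the constructed contracts-team scenario and return the controller."""
    ac = AccessController(ROLE_POLICY)
    ac.authorize("alice", ["contract_viewer"], "contracts", Action.READ)    # allowed
    ac.authorize("alice", ["contract_viewer"], "contracts", Action.DELETE)  # denied
    ac.authorize("bob", ["contract_manager"], "contracts", Action.DELETE)   # allowed
    # A role the policy never defined grants nothing.
    ac.authorize("carol", ["admin"], "contracts", Action.READ)              # denied
    # A word-processing role has no path to developer tooling.
    ac.authorize("dave", ["word_processor"], "developer_tools", Action.READ)  # denied
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The policy table is the artefact an assessor would ask to see for [a]; the fact that `authorize` only ever grants when a role explicitly lists the function, and that an undefined role or empty role list yields a denial, is the deny-by-default behaviour asked about in [b].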


Source: CMMC v2.11