Access Control 3.1.1

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).


What Is This CMMC Control?

This control requires organizations to ensure that only authorized users, automated processes acting on their behalf, and approved devices can access their systems. It establishes the foundation for all access control by requiring organizations to identify who and what should have access, and then enforce those decisions through technical and procedural mechanisms.

Control Intent

Prevent unauthorized access to organizational systems and information by establishing and enforcing boundaries around who, what, and how entities can interact with system resources.

Who This Control Applies To

  • All systems that store, process, or transmit CUI
  • All user accounts with access to CUI systems
  • All service accounts and automated processes that access CUI systems
  • All devices that connect to systems containing CUI
  • All network connections between systems handling CUI
  • Remote access solutions and VPN endpoints
  • Cloud services and SaaS applications containing CUI
  • Mobile devices accessing CUI systems

Not Applicable When

  • Systems that do not store, process, or transmit CUI
  • Publicly accessible information systems with no CUI
  • Standalone systems with no network connectivity and no CUI
  • Systems that have been formally decommissioned and removed from service

Key Objectives

  1. Ensure only authorized users can access organizational systems and data
  2. Ensure only authorized processes acting on behalf of users can access system resources
  3. Ensure only authorized devices and systems can connect to and interact with organizational systems
  4. Establish mechanisms to identify, authenticate, and authorize all access attempts before granting system access

Sample Self-Assessment Questions (Partial)

Do you have a list of all users who are authorized to access your systems?

Do you require users to log in with a username and password before accessing systems?

Implementation Approaches (High-Level)

Centralized Identity and Access Management (IAM)

Deploy a centralized identity management system that controls authentication and authorization for all in-scope systems, providing a single source of truth for authorized users and access policies.

Per-System Access Control Lists

Implement access controls on each individual system by maintaining local user accounts, access control lists, and authentication mechanisms specific to that system.

Network Access Control (NAC)

Deploy network-level access controls that authenticate and authorize devices before allowing network connectivity, ensuring only approved devices can access in-scope systems.

Application-Level Access Control

Implement authentication and authorization mechanisms within applications themselves, controlling access based on application-specific user accounts and permissions.

Hybrid IAM with Local Exceptions

Combine centralized identity management for most systems with documented exceptions for systems that require local access controls due to technical or operational constraints.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If centralized IAM is not yet deployed, create a POA&M with milestones for selecting, deploying, and integrating systems
  • If some systems cannot integrate with IAM, document exceptions and implement compensating controls such as enhanced logging and access reviews
  • If service accounts lack proper authorization, create a POA&M to inventory them, document ownership, and establish approval processes
  • If device access controls are missing, create a POA&M to deploy NAC or equivalent device authentication mechanisms
  • If deprovisioning processes are incomplete, create a POA&M to establish automated workflows and regular access reviews
  • Ensure POA&M milestones are specific, measurable, and include interim compensating controls
  • POA&Ms should address both technical implementation gaps and procedural deficiencies
  • Include evidence collection and documentation tasks in POA&M milestones
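The "Per-System Access Control Lists" and "Hybrid IAM with Local Exceptions" approaches above, and the POA&M item on compensating access reviews for systems that cannot join centralized IAM, all rest on the same check: the accounts that actually exist on a system are reconciled against the register of who was authorized. The script below is an added example (not part of this page, NIST SP 800-171, or any vendor tooling) that performs that reconciliation for one Linux-style host. The register format, the passwd-style account listing, the account names and the review date are all constructed sample data; the cutoff of UID 1000 for "locally managed" accounts is an assumption. It flags the findings an assessor asks about under 3.1.1: accounts with no authorization on record, service accounts without a documented owner, third-party authorizations past their end date that are still active, and register entries with no matching account (deprovisioned without updating the record).

```python
"""Access-review reconciliation for a locally managed system (added example)."""
from dataclasses import dataclass
from datetime import date

# Constructed sample: the authorization register an organization maintains for this host.
# "expires" carries the contract end date for contractors and third parties.
AUTHORIZED_REGISTER = [
    {"account": "alice",      "type": "user",       "owner": "alice",    "expires": None},
    {"account": "bob",        "type": "contractor", "owner": "bob",      "expires": "2024-03-31"},
    {"account": "svc_backup", "type": "service",    "owner": "ops-team", "expires": None},
    {"account": "svc_etl",    "type": "service",    "owner": "",         "expires": None},
]

# Constructed sample: account enumeration from the host in passwd format
# (name:password:uid:gid:gecos:home:shell). In practice this comes from `getent passwd`.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (contractor):/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svc_backup:x:1100:1100:backup service:/var/lib/backup:/usr/sbin/nologin
shared_lab:x:1200:1200:lab shared login:/home/shared_lab:/bin/bash
"""

# Constructed review date for the sample run.
REVIEW_DATE = date(2024, 6, 1)

# Assumption: UIDs below this are OS-managed system accounts and are out of scope here.
MIN_LOCAL_UID = 1000


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def parse_passwd(text, min_uid=MIN_LOCAL_UID):
    """Return {account_name: uid} for locally managed accounts in passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; skip rather than guess
        name, uid = fields[0], int(fields[2])
        if uid >= min_uid:
            accounts[name] = uid
    return accounts


def review_access(register, passwd_text, review_date):
    """Reconcile the authorization register against accounts present on the host."""
    present = parse_passwd(passwd_text)
    authorized = {entry["account"]: entry for entry in register}
    findings = []

    # Accounts that exist on the host with no authorization on record.
    for name in sorted(present):
        if name not in authorized:
            findings.append(Finding(name, "account present on host but not in authorized register"))

    for name, entry in sorted(authorized.items()):
        # Service accounts must have a named owner regardless of whether they still exist.
        if entry["type"] == "service" and not entry.get("owner"):
            findings.append(Finding(name, "service account has no documented owner"))
        if name not in present:
            findings.append(Finding(name, "register entry has no matching account on host (stale record)"))
            continue
        # Third-party authorization has lapsed but the account was never deprovisioned.
        expires = entry.get("expires")
        if expires and date.fromisoformat(expires) < review_date:
            findings.append(Finding(name, "authorization expired but account still active"))
    return findings


def run_review():
    """Run the review over the constructed samples; returns the findings list."""
    return review_access(AUTHORIZED_REGISTER, PASSWD_SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.account:<12} {f.issue}")
```

Each finding maps to a remediation the POA&M list already names: an unregistered account needs either a documented authorization or removal, an ownerless service account needs an owner and an approval record, and an expired contractor authorization needs deprovisioning. Keeping the output of each review run as evidence is what turns the script into a compensating control for systems outside centralized IAM.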

Frequently Asked Questions

What does this control require organizations to do?

This control requires organizations to implement mechanisms that ensure only authorized users, processes acting on their behalf, and approved devices can access their systems. This includes identifying who should have access, implementing authentication mechanisms, and enforcing those access decisions through technical controls. Organizations must also manage the lifecycle of access from initial authorization through deprovisioning.

Does this control apply to cloud services and SaaS applications?

Yes, this control applies to any system that stores, processes, or transmits CUI, including cloud services and SaaS applications. Organizations must ensure that access to these systems is limited to authorized users and that appropriate authentication mechanisms are in place. This may involve configuring SSO, managing user accounts within the SaaS platform, or implementing identity federation.

How is this control different from 3.1.2?

Control 3.1.1 focuses on who and what can access systems (account management and authentication), while 3.1.2 focuses on what authorized users are allowed to do once they have access (authorization and permissions). Think of 3.1.1 as controlling the front door and 3.1.2 as controlling which rooms you can enter once inside.

What are service accounts and why do they matter for this control?

Service accounts are automated accounts used by applications, scripts, or processes to access systems without human interaction. They matter because they represent non-human entities that must be authorized and controlled just like user accounts. Organizations must identify all service accounts, document their purpose and authorization, and ensure they have appropriate access controls.

What happens if we cannot immediately implement centralized access control for all systems?

If immediate implementation is not feasible, you should document which systems cannot be integrated and why, implement compensating controls such as enhanced logging and more frequent access reviews, and create a POA&M with specific milestones for achieving full implementation. The key is demonstrating that you have a plan to address the gap and are taking interim steps to manage the risk.

How do we handle access for contractors and third parties?

Contractors and third parties must be treated as authorized users if they need system access. They should be included in your access authorization process, have individual accounts (not shared), and be subject to the same access controls as employees. Their access should be reviewed regularly and removed promptly when their work is complete or their contract ends.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.

Ready to Get Full Guidance?

Access complete implementation details, detailed assessment questions, evidence requirements, and expert guidance for this control.


Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.