Access Control

Access control is the security discipline of managing who can access your systems, data, and facilities — and what they can do once they have access. It encompasses policies, procedures, and technical mechanisms that ensure only authorized users can access specific resources, and only to the extent required for their job function.

Access control includes user authentication (verifying identity), authorization (determining what a user is allowed to do), and accountability (tracking what users actually did). Technical implementations include user accounts, group policies, file permissions, network access controls, and physical access systems like badge readers.

Why It Matters

Access Control is the largest domain in both CMMC and NIST SP 800-171, with the most requirements. Getting access control right — knowing who has access to what and ensuring it's only what they need — is foundational to protecting CUI.
