NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.2 — Access Enforcement
Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions. Access control policies are defined in 03.15.01.
CMMC Practice Mapping
Assessment Objectives
- approved authorizations for logical access to CUI are enforced in accordance with applicable access control policies.
- approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.
Practitioner Notes
Think of this as making sure only the right people can walk through your front door — and once inside, they can only open the doors they're supposed to. You need a list of who's allowed in and a way to enforce it technically, not just on paper.
Example 1: In Active Directory, create security groups for each department (or for each CUI data set) and assign NTFS permissions on file shares to those groups, never to individual user accounts, so that membership changes are the only thing you have to manage. Grant the least right that does the job (Modify or Read, not Full Control), and remember that share permissions and NTFS permissions are evaluated together, with the more restrictive result winning. To limit who can sign in at a given machine, set the GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → "Allow log on locally" to only the groups that need that specific machine; keep Administrators in the list, or you can lock yourself out of the console. An assessor will want to see the resulting ACLs, so be ready to export them rather than describe them.
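The following PowerShell script is an added example, not code from the original page, showing the group-plus-NTFS pattern of Example 1 end to end: it creates the security groups, replaces the share folder's ACL with an explicit one that names only those groups (plus Administrators and SYSTEM), and then re-reads the ACL and flags any principal outside the approved set, which is the evidence an assessor asks for. The OU path, share path, domain name, group names and account names are placeholders; it assumes the ActiveDirectory RSAT module and rights to create groups and set ACLs.

```powershell
# Added example (not from the original page). Assumptions: ActiveDirectory module
# present, run on a domain-joined admin host, all names below are placeholders.
#Requires -Modules ActiveDirectory

$Domain    = 'CORP'                              # placeholder NetBIOS domain name
$OuPath    = 'OU=Groups,DC=corp,DC=example'      # placeholder OU for the groups
$SharePath = 'D:\Shares\CUI-Finance'             # placeholder local path of the share
$Groups = @{
    'CUI-Finance-RW' = @('jdoe', 'asmith')       # placeholder sAMAccountNames
    'CUI-Finance-RO' = @('auditor1')
}

# 1. Create the security groups (idempotent) and populate membership.
foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $OuPath
    }
    Add-ADGroupMember -Identity $name -Members $Groups[$name]
}

# 2. Build an explicit ACL: break inheritance, drop every existing explicit ACE,
#    then grant only the approved groups. No Everyone / Authenticated Users entries.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)      # protect from inheritance, discard inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($ace)
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new("$Domain\CUI-Finance-RW", 'Modify',         $inherit, $prop, $allow),
    [System.Security.AccessControl.FileSystemAccessRule]::new("$Domain\CUI-Finance-RO", 'ReadAndExecute', $inherit, $prop, $allow),
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl',    $inherit, $prop, $allow),
    [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM',    'FullControl',    $inherit, $prop, $allow)
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $SharePath -AclObject $acl

# 3. Verification: re-read the ACL and flag any principal outside the approved set.
#    This is the check to run periodically, not just once at setup.
$approved = @("$Domain\CUI-Finance-RW", "$Domain\CUI-Finance-RO",
              'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$unexpected = (Get-Acl -Path $SharePath).Access |
    Where-Object { $approved -notcontains $_.IdentityReference.Value }
if ($unexpected) {
    Write-Warning "Unapproved ACEs found on ${SharePath}:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
} else {
    Write-Output "ACL on $SharePath contains only approved principals."
}
```

The script sets NTFS permissions only; the SMB share permission is a separate layer (Grant-SmbShareAccess or the share properties dialog) and the effective right is the more restrictive of the two. Running step 3 on a schedule against every CUI share, and diffing the output, turns the control from a one-time configuration into an ongoing enforcement check.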
Example 2: In the Microsoft Entra admin center (Protection → Conditional Access; the older Azure AD → Security → Conditional Access path in the Azure portal reaches the same blade), build two policies, because a Conditional Access policy is either a Block or a Grant, not both. Policy 1 targets All users, excludes your approved user group and your break-glass emergency accounts, and has the access control set to Block. Policy 2 targets the approved group and grants access only if the device is marked compliant by Intune. Together they stop sign-ins from accounts outside the approved group and from unmanaged personal devices. Create both in report-only mode first and review the sign-in logs before enabling them; a Block policy scoped to All users with no exclusions can lock every administrator out of the tenant. Conditional Access requires Entra ID P1 licensing, and it is not a substitute for disabling a former employee's account in the identity source; it is the enforcement layer on top of that deprovisioning.
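As an added example (not the page's own code, and not Microsoft's), the same two policies created with the Microsoft Graph PowerShell SDK, in report-only mode, followed by a check that every Block policy in the tenant excludes the break-glass account. It assumes the Microsoft.Graph modules are installed, the signed-in account holds a role that can manage Conditional Access, the tenant has the required Entra ID P1 licensing, and the group name and break-glass UPN are placeholders.

```powershell
# Added example (not from the original page). Assumptions: Microsoft.Graph SDK
# installed, caller can manage Conditional Access, names below are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Group.Read.All', 'User.Read.All'

# Policies reference object IDs, not display names, so resolve the placeholders first.
$approvedGroup = Get-MgGroup -Filter "displayName eq 'CUI-Approved-Users'"         # placeholder group
$breakGlass    = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@corp.example'" # placeholder account
if (-not $approvedGroup -or -not $breakGlass) {
    throw 'Approved group or break-glass account not found; do not create a Block policy without them.'
}

# Policy 1: everyone NOT in the approved group is blocked from all cloud apps.
# The break-glass account is excluded so a mistake here cannot lock out the tenant.
$blockPolicy = @{
    displayName   = 'CUI: Block sign-in for users outside approved group'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after log review
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($approvedGroup.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: approved users may sign in only from a device Intune has marked compliant.
$compliantPolicy = @{
    displayName   = 'CUI: Require compliant device for approved users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeGroups = @($approvedGroup.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

foreach ($p in @($blockPolicy, $compliantPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Output ("Created '{0}' id={1} state={2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Check: every policy whose control is Block must exclude the break-glass account.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'block' } |
    ForEach-Object {
        $excluded = $_.Conditions.Users.ExcludeUsers -contains $breakGlass.Id
        '{0}: break-glass excluded = {1}' -f $_.DisplayName, $excluded
    }
```

Leave both policies in report-only mode until the sign-in log's "Report-only" result column shows no unexpected failures for the approved group, then flip `state` to `enabled`. The final check is worth running after any policy change; a Block policy that someone later edits to drop the exclusion is the most common way an organisation loses access to its own tenant.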