NIST 800-53 REV 5 • ACCESS CONTROL

AC-3 Access Enforcement

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Supplemental Guidance

Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ([PE](#pe)) family.

Practitioner Notes

Access enforcement is the technical backbone — this is where your system actually checks whether someone is allowed to do what they are trying to do. It is not enough to have a policy; the technology has to enforce it.

Example 1: In Active Directory, assign NTFS permissions on file shares using security groups, not individual users. Set the GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → "Deny log on locally" to block unauthorized groups from logging into sensitive servers.
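The group-based NTFS grant in Example 1, plus the check a practitioner would run afterwards to find ACEs that were granted to individual user accounts instead of groups. This is an added example, not text from NIST or the page; the folder path and group name are placeholders, and it assumes a domain-joined server with the ActiveDirectory module installed.

```powershell
# Added example (not from NIST SP 800-53): grant a security group access to a
# share folder, then audit the folder's ACL for entries that name a user
# account directly. Placeholders: D:\Shares\Finance, CONTOSO\Finance-Share-RW.
Import-Module ActiveDirectory

function Grant-GroupAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl  = Get-Acl -Path $Path
    # Inherit to subfolders and files so the grant follows the tree.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Group,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Find-DirectUserAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        # Resolve the ACE principal to a SID and look it up in AD. Well-known
        # local principals (SYSTEM, BUILTIN\Administrators) return nothing
        # from AD and are skipped.
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -ErrorAction SilentlyContinue
        if ($obj -and $obj.ObjectClass -eq 'user') {
            [pscustomobject]@{
                Path      = $Path
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
    }
}

Grant-GroupAccess -Path 'D:\Shares\Finance' -Group 'CONTOSO\Finance-Share-RW'
# Any row returned here is an access grant that bypasses group-based management.
Find-DirectUserAces -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

Run Find-DirectUserAces across your share roots on a schedule; an empty result is the state you want, and each row is a candidate for moving the user into the appropriate group and removing the direct ACE.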

Example 2: In Azure AD Conditional Access, create a baseline policy that requires MFA for all users accessing any cloud app. Add a second policy that blocks access to admin portals (Azure, M365 Admin) from any device not marked as compliant in Intune. These policies are evaluated at every sign-in attempt.