Access Control (AC)
Jump to navigation
Jump to search
| CMMC 1.02 # | CMMC 2.0 # | Practice |
| AC.1.001 | AC.L1-3.1.1 | Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems). |
| AC.1.002 | AC.L1-3.1.2 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
| AC.1.003 | AC.L1-3.1.20 | "Verify and control/limit connections to and use of external information systems." |
| AC.1.004 | AC.L1-3.1.22 | "Control information posted or processed on publicly accessible information systems." |
| AC.2.005 | AC.L2-3.1.9 | Provide privacy and security notices consistent with applicable Controlled Unclassified Information (CUI) rules. |
| AC.2.006 | AC.L2-3.1.21 | Limit use of portable storage devices on external systems. |
| AC.2.007 | AC.L2-3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. |
| AC.2.008 | AC.L2-3.1.6 | Use non-privileged accounts or roles when accessing nonsecurity functions. |
| AC.2.009 | AC.L2-3.1.8 | Limit unsuccessful logon attempts. |
| AC.2.010 | AC.L2-3.1.10 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. |
| AC.2.011 | AC.L2-3.1.16 | Authorize wireless access prior to allowing such connections. |
| AC.2.013 | AC.L2-3.1.12 | Monitor and control remote access sessions. |
| AC.2.015 | AC.L2-3.1.14 | Route remote access via managed access control points. |
| AC.2.016 | AC.L2-3.1.3 | Control the flow of CUI in accordance with approved authorizations. |
| AC.3.012 | AC.L2-3.1.17 | Protect wireless access using authentication and encryption. |
| AC.3.014 | AC.L2-3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
| AC.3.017 | AC.L2-3.1.4 | "Separate the duties of individuals to reduce the risk of malevolent activity without collusion." |
| AC.3.018 | AC.L2-3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. |
| AC.3.019 | AC.L2-3.1.11 | Terminate (automatically) user sessions after a defined condition. |
| AC.3.020 | AC.L2-3.1.18 | Control connection of mobile devices. |
| AC.3.021 | AC.L2-3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. |
| AC.3.022 | AC.L2-3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms. |
| AC.4.023 | Unknown | Control information flows between security domains on connected systems. |