In our last blog we looked at the CMMC Level 1 requirements derived from FAR 52.204-21, a number of which pertained to Access Control.  This publication will look specifically at the Access Control requirements for CMMC Level 2, which are found in NIST SP 800-171 in the Access Control family (3.1).

Of the 22 controls, several are reiterations of FAR 52.204-21 requirements. Note, however, that the scope of FAR 52.204-21 is Federal Contract Information (FCI), whereas the scope of NIST SP 800-171 is Controlled Unclassified Information (CUI).  Therefore, an independent “Level 2” look at these controls is warranted.

Principle of Least Privilege and Separation of Duties

3.1.1Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.3Control the flow of CUI in accordance with approved authorizations.
3.1.4Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
3.1.5Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.1.6Use non-privileged accounts or roles when accessing nonsecurity functions.
3.1.7Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
3.1.8Limit unsuccessful logon attempts.

The principle of least privilege (PoLP) restricts access for users, applications and services to only what is necessary to fulfill specific functions, and closely aligns with the “Separation of Duty” principle, which ensures that “no user should be given enough privileges to misuse the system on their own”[1].  These principles differentiate between the network administrator privilege level in the IT ecosystem to the enterprise “user” privilege and permissions level, giving everyone just enough access to perform specific tasks.  Generally, those with privileged accounts will also have user accounts, and should log into the account that’s appropriate for the work at hand.

Organizations may choose to manage privileged access accounts in-house, or they may consider using Privileged Access Management tools.

We all forget our passwords occasionally; however, multiple unsuccessful logon attempts may indicate that someone other than the authorized user is trying access the system.  Generally, controls are set to lock an account after several unsuccessful logon attempts; however, organizations should consider varying options according to the level of security needed for each system. 

Privacy and Security Notices

3.1.9Provide privacy and security notices consistent with applicable CUI rules.

Privacy and security notices are messages (often referred to as “banners”) displayed when a user logs into a system.  These notices typically alert the user to the security restrictions associated with the system, including, but not limited to, statements clarifying the type of information the user may encounter on the system, and the monitoring, recording, and/or auditing of user sessions.

Hardware dedicated to CUI programs should be clearly labeled with similar notices, and posters can be used for restricted facilities.

Further information on system privacy and security notices for CUI systems can be found at

Session Lock and Automatic Session Termination

3.1.10Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
3.1.11Terminate (automatically) a user session after a defined condition.
3.1.22Control CUI posted or processed on publicly accessible systems.

System users that need to temporarily leave their workstations should adhere to “clear desk and clear screen” policies; however, “session lock” controls should also be in place to further protect the system from unauthorized access to an unattended system.  Pattern-hiding displays can be static or moving images, solid colors, or a blank screen.  The authorized user may unlock the session by entering their password. Systems can be configured to lock or terminate sessions after as little as two minutes of inactivity, although low-risk applications may allow up to 30 or 60 minutes before sessions are automatically terminated. Increased security configurations could also include termination of a user session after a predefined period of inactivity, thereby fully disconnecting the user from the network.

External Systems, Remote Connections, Mobile Devices

3.1.12Monitor and control remote access sessions.
3.1.13Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.14Route remote access via managed access control points.
3.1.15Authorize remote execution of privileged commands and remote access to security-relevant information.
3.1.16Authorize wireless access prior to allowing such connections.
3.1.17Protect wireless access using authentication and encryption.
3.1.18Control connection of mobile devices.
3.1.19Encrypt CUI on mobile devices and mobile computing platforms.
3.1.20Verify and control/limit connections to and use of external systems.
3.1.21Limit use of portable storage devices on external systems.
3.1.22Control CUI posted or processed on publicly accessible systems.

In today’s world of teleworking and global networking, special attention is needed to protect information systems from both wired and wireless remote access.  Cryptographic mechanisms, VPNs, wireless network protocol, and portable storage device restrictions are all examples of methods for fulfilling these requirements.

Hypertext Transfer Protocol Secure (HTTPS) connections, firewall appliances, gateways, and highly-secured cloud platforms are widely used for elevated information security. Mobile data endpoint protection mechanisms are also employed to reduce the threat of data theft or loss.

Need Help?

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.

FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities.  With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.

Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC).  Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements.  An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.

As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on premise as well as cloud-based solutions to assist you with your compliance needs.

FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a CMMC Registered Provider Organization

Please visit for more information.

[1] NIST Computer Security Resource Center Glossary