The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework organizes cybersecurity best practices into 14 domains. Each domain specifies various capabilities, processes and practices across CMMC 2.0’s three maturity levels, which are fundamental to establishing basic to advanced cyber hygiene.
CMMC references domains alphabetically by name, making Access Control (AC) the first domain. The Access Control domain is one of the six domains involved in Level 1. With a total of 24 practices organized into 4 capabilities spanning all 3 CMMC levels, Access Control is one of the most significant CMMC domains. It includes practices as critical as limiting access to authorized users or devices, controlling the flow of controlled unclassified information (CUI), and using encryption at various layers of the organization to protect CUI as it is handled, stored, or transmitted.
What does the CMMC Access Control domain cover?
Access control is the set of processes and procedures for granting or denying access in accordance with pre-established rules, based on identification, authentication, and authorization.
The purpose of the controls in this domain is to limit access to your protected data, systems, and locations by regulating factors like:
- Who can log on/enter (locally, remotely, or physically)
- Which devices are authorized to connect and to which locations
- Who has the privileges to access what resources
- What actions a user's level of access permits once they gain entry to a system or location
Cybersecurity areas that these controls cover include enforcing least privilege, separation of duties and account management, limiting failed logon attempts, automatic session termination, using encryption for remote access sessions, encrypting CUI on mobile devices, and more.
What are the capabilities within the CMMC Access Control domain?
The Access Control domain has four capabilities:
- C001: Establish system access requirements
This capability is all about ensuring that only those entities that should have access to data and systems can get access.
- C002: Control internal system access
This capability concerns least privilege principles, which are applicable for maturity levels 2 and above.
- C003: Control remote system access
This is where controls to support secure remote working come into play.
- C004: Limit data access to authorized users and processes
Key controls within this capability include encrypting CUI on mobile platforms (required at CMMC Level 2 and Level 3).
How many Access Control domain practices do I need to worry about?
At CMMC Level 1 (the “foundational” level mandated for every DoD supplier that handles federal contract information (FCI)), there are 4 practices within the Access Control domain.
At CMMC Level 2 (the “advanced” level required for DIB orgs that handle CUI), there are an additional 18 practices for a total of 22.
At CMMC Level 3 (the “expert” level, required for a small subset of firms dealing with exceptionally sensitive or risky CUI), there are 2 additional practices for a total of 24 altogether that you would need to comply with.
What’s next?
Access Control is a far-reaching domain that includes vital areas of your business, like remote work environments, enforcing least privilege data access, and encrypting CUI at rest and in transit. If you have questions about how these controls relate to your organization, CBIZ Pivot Point Security is here to help.
To get expert guidance about your current security posture and where to focus your CMMC compliance efforts, contact us today.