Access Control

CMMC Assessment with IntelComp

IntelComp is an independent compliance management platform designed to support businesses in navigating and preparing for cybersecurity frameworks, including CMMC 2.0. While not affiliated with or endorsed by the U.S. Department of Defense (DoD), CMMC-AB, or NIST, IntelComp offers tools and guidance aligned with standards such as NIST SP 800-171A to help organizations strengthen security posture and readiness. All references to government standards are for informational purposes only. IntelComp does not provide certification but empowers you with the resources to pursue compliance confidently and effectively.

CMMC Access Control (AC) Overview

The Access Control (AC) domain in CMMC focuses on managing who can access systems, information, and physical spaces. Its primary goal is to ensure that only authorized individuals can view or interact with Controlled Unclassified Information (CUI).

Key practices within this domain include:

  • Limiting system access to authorized users, processes, and devices
  • Enforcing strong authentication and session control
  • Restricting access based on roles and need-to-know principles
  • Controlling remote access and wireless connections
  • Monitoring and managing user privileges

These controls help reduce the risk of unauthorized access, data leakage, and insider threats—making AC a foundational component of any secure cybersecurity environment under CMMC 2.0.

P - Programs, Policies, Procedures (SOPs) | A - Artifacts/Records | T - Training Materials/Comprehension Quiz

Sort-As PAT Security Requirement
3.1.1.a P Identification and Authorization of Users Policy
3.1.1.a A Access Control Policy Statement
3.1.1.a A User Access Request Form
3.1.1.a A Authorized User Log
3.1.1.a A User Identification Test Plan
3.1.1.a T Identification and Authorization of Users Policy Training Material and Comprehension Quiz
3.1.1.b P Identification of Processes Acting on Behalf of Authorized Users Policy
3.1.1.b A Authorized User Process Identification Policy Statement
3.1.1.b A Process ID Record
3.1.1.b A Log Review Checklist
3.1.1.b A Incident Response Form
3.1.1.b A Periodic Audit Report
3.1.1.b T Identification of Processes Acting on Behalf of Authorized Users Training Material and Comprehension Quiz
3.1.1.c P Identification and Authorization of Devices Connecting to Organizational Systems Policy
3.1.1.c A Device and System Inventory Log
3.1.1.c A Device Authorization Request Form
3.1.1.c A Device Access Control Policy Statement
3.1.1.c A Device and System Authorization Test Plan
3.1.1.c T Device Identification and Authorization Policy Training Material and Comprehension Quiz
3.1.1.d P System Access Control Policy
3.1.1.d A Device & System Inventory Log
3.1.1.d A System Access Control Policy
3.1.1.d A Access Control Audit Log
3.1.1.d A Access Control Training Record
3.1.1.d T System Access Control Policy Training Material and Comprehension Quiz
3.1.1.e P Limitation of System Access to Processes Acting on Behalf of Authorized Users Policy
3.1.1.e A Device and System Inventory Log
3.1.1.e A System Access Control Policy Statement
3.1.1.e A System Configuration for Process Access Control
3.1.1.e A Process Access Audit Report
3.1.1.e A User and Process Authorization Log
3.1.1.e A Process Access Training Acknowledgement
3.1.1.e A Process Access Risk Assessment Worksheet
3.1.1.e T Limitation of System Access to Processes Acting on Behalf of Authorized Users Policy Training Material and Comprehension Quiz
3.1.1.f P System Access Control for Authorized Devices Policy
3.1.1.f A Device and System Inventory Log
3.1.1.f A Authorized Device Inventory Template
3.1.1.f A Access Request Form Template
3.1.1.f A Access Review and Audit Log Template
3.1.1.f A Network Access Control (NAC) Configuration Template
3.1.1.f A Incident Response Plan (Unauthorized Device Access)
3.1.1.f T System Access Control for Authorized Devices Policy Training Material and Comprehension Quiz
3.1.2.a P Incident Response Plan Template (Unauthorized Device Access)
3.1.2.a A Authorized User Roles and Transaction Matrix
3.1.2.a A Policy Document for Authorized Transactions
3.1.2.a T Authorization of User Transaction and Function Control Policy
3.1.2.b P Access Control Policy for Authorized Transactions and Functions
3.1.2.b A Role-Based Access Matrix
3.1.2.b A Access Review and Audit Log Template
3.1.2.b A Access Authorization Form
3.1.2.b A Training Record for Access Control
3.1.2.b T Authorized Transactions and Functions Policy
3.1.3.a P Information on Flow Control Policy
3.1.3.a A Information on Flow Control Policy
3.1.3.a T Information on Flow Control Policy
3.1.3.b P Policy and Procedures for Controlling the Flow of Controlled Unclassified Information
3.1.3.b A Data Flow Diagram (DFD)
3.1.3.b A Data Flow Control Policy
3.1.3.b A Enforcement Mechanism Checklist
3.1.3.b A Enforcement Test Procedure
3.1.3.b A Evidence Log
3.1.3.b T Controlling the Flow of Controlled Unclassified Information (CUI) Procedure
3.1.3.c P Identifying Designated Sources and Destinations for CUI
3.1.3.c A CUI Flow Diagram
3.1.3.c A CUI Data Transmission Matrix
3.1.3.c A CUI Designated Sources and Destinations Log
3.1.3.c A Interconnection Diagram
3.1.3.c A Verification for CUI Sources and Destination
3.1.3.c T Identifying Designated Sources and Destinations for CUI Policy
3.1.3.d P Controlling the Flow of Controlled Unclassified Information (CUI)
3.1.3.d A Authorization Template for Controlling the Flow of CUI
3.1.3.d T Controlled Unclassified Information (CUI) Flow Control Policy Training Material and Comprehension Quiz
3.1.3.e A Data Flow Control Policy
3.1.3.e A CUI Flow Authorization Form
3.1.3.e A System Diagram for CUI Flow
3.1.3.e A Access Control Authorization Log
3.1.3.e A Compliance Monitoring Checklist
3.1.3.e A Change Control Form
3.1.4.a P Defining the Duties of Individuals Requiring Separation Policy
3.1.4.a A Roles and Responsibilities Matrix
3.1.4.a A Roles Separation and Responsibilities Policy
3.1.4.a A Job Description with Role Separation
3.1.4.a A Access Control Matrix
3.1.4.a A Separation of Duties (SoD) Diagram
3.1.4.a A Compliance Maintenance
3.1.4.a A Separation of Duties Checklist
3.1.4.a A Conflict of Interest Report
3.1.4.a A Change Management Log
3.1.4.a A Role Review and Validation Report
3.1.4.a A Training and Awareness Log
3.1.4.a T Defining the Duties of Individuals Requiring Separation Policy Training Material and Comprehension Quiz
3.1.4.b P Separation of Duties for Responsibilities Policy
3.1.4.b A Segregation of Duties Matrix
3.1.4.b A Responsibilities and Role Mapping Policy Document
3.1.4.b A Segregation of Duties Audit Checklist
3.1.4.b A Segregation of Duties Exception Log
3.1.4.b T Separation of Duties for Responsibilities Policy Training Material and Comprehension Quiz
3.1.4.c P Policy and Procedure on Separation of Duties and Access Privileges
3.1.4.c A Access Privilege Management Document
3.1.4.c A Segregation of Duties
3.1.4.c A Access Review and Verification Report
3.1.4.c A Access Approval Form
3.1.4.c A Access Privilege Audit Log
3.1.4.c A Steps Form Implementation
3.1.4.c T Policy and Procedure on Separation of Duties and Access Privileges Training Material and Comprehension Quiz
3.1.5.a P Identification of Privileged Accounts Policy
3.1.5.a A Privileged Account Identification Policy
3.1.5.a A Privileged Account Inventory Spreadsheet
3.1.5.a A Privileged Account Approval Form
3.1.5.a A Privileged Account Audit Report
3.1.5.a T Identification of Privileged Accounts Policy Training Material and Comprehension Quiz
3.1.5.b P Privileged Account Management Policy
3.1.5.b A Privileged Access Control Policy
3.1.5.b A Privileged Account Access Control Matrix
3.1.5.b A Privileged Account Authorization Request Form
3.1.5.b T Privileged Account Management Policy Training Material and Comprehension Quiz
3.1.5.c P Identification and Management of Security Functions
3.1.5.c A Security Functions Inventory
3.1.5.c A Security Functions Description Document
3.1.5.c A Security Functions Mapping Control
3.1.5.c A Security Functions Management Plan
3.1.5.c T Identification and Management of Security Functions Policy Training Material and Comprehension Quiz
3.1.5.d P Access Control Policy – Security Functions
3.1.5.d A Access Request Form
3.1.5.d A Access Control Policy
3.1.5.d A Access Control Review Log
3.1.5.d A Security Function Access Audit Log
3.1.5.d A Key Notes for Usage
3.1.5.d T Access Control for Security Functions Policy Training Material and Comprehension Quiz
3.1.6.a P Non-Privileged Account Use Policy
3.1.6.a A Nonsecurity Functions Identification Table
3.1.6.a A Roles and Responsibilities Matrix
3.1.6.a A System Architecture Diagram with Function Separation
3.1.6.a A Policies and Procedures for Function Identification and Separation
3.1.6.a A Functional Separation Test Report
3.1.6.a T Non-Privileged Account Use Policy Training Material and Comprehension Quiz
3.1.6.b P Non-Privileged Account Access Policy
3.1.6.b A Non-Privileged Account Usage Policy
3.1.6.b A SOP for Managing Non-Privileged Accounts and Roles
3.1.6.b A Non-Privileged Account Access Log
3.1.6.b A User Account Management Review Report
3.1.6.b T Non-Privileged Account Access Policy Training Material and Comprehension Quiz
3.1.7.a P Privileged Functions Management
3.1.7.a A Privileged Functions Definitions and Roles
3.1.7.a A Privileged Access Request Form
3.1.7.a A Privileged Access Review Log
3.1.7.a A Privileged Actions Audit Report
3.1.7.a T Privileged Functions Management Policy Training Material and Comprehension Quiz
3.1.7.b P Non-Privileged User Management Policy
3.1.7.b A Non-Privileged User Definition Document
3.1.7.b A Non-Privileged User Access Control Policy
3.1.7.b A User Access Matrix
3.1.7.b T Non-Privileged User Management Policy Training Material and Comprehension Quiz
3.1.7.c P User Privilege Management Policy
3.1.7.c A Access Control Policy
3.1.7.c A Privileged Account Management Procedure
3.1.7.c A Privileged Access Request Form
3.1.7.c A Non-Privileged User Monitoring Log
3.1.7.c A Audit Evidence Checklist
3.1.7.c A Configuration Evidence
3.1.7.c A Training Acknowledgment Form
3.1.7.c T User Privilege Management Policy Training Material and Comprehension Quiz
3.1.7.d P Privileged Function Audit Logging Policy
3.1.7.d A Audit Log Policy
3.1.7.d A Privileged Function Audit Logging Policy
3.1.7.d A Privileged Function Log Review Report
3.1.7.d A Privileged Function Log Monitoring Checklist
3.1.7.d A Log Retention and Security Guidelines
3.1.7.d A Privileged Function Logging Configuration Checklist
3.1.7.d A Privileged Function Audit Log Report
3.1.7.d A Privileged Function Audit Log
3.1.7.d A Audit Evidence Review Log
3.1.7.d A Log Retention and Backup Schedule
3.1.7.d T Privileged Function Audit Logging Policy Training Material and Comprehension Quiz
3.1.8.a P 3.1.8.a.PX-The means of limiting unsuccessful logon attempts is defined.
3.1.8.a A Account Lockout Policy
3.1.8.a T Account Lockout Policy Training Material and Comprehension Quiz
3.1.8.b P Procedures for Limiting Unsuccessful Logon Attempts
3.1.8.b A THE DEFINED MEANS OF LIMITING UNSUCCESSFUL LOGON ATTEMPTS IS IMPLEMENTED
3.1.8.b T Procedures for Limiting Unsuccessful Logon Attempts Training Material and Comprehension Quiz
3.1.9.a P CUI Privacy and Security Notice Policy
3.1.9.a A Privacy and Security Notices for CUI
3.1.9.a T CUI Privacy and Security Notice Policy Training Material and Comprehension Quiz
3.1.9.b P Privacy and Security Notices Display Policy
3.1.9.b A Privacy and Security Notice Artifacts for CMMC Compliance
3.1.9.b T Privacy and Security Notices Display Policy Training Material and Comprehension Quiz
3.1.10.a P Session Lock Policy
3.1.10.a A THE PERIOD OF INACTIVITY AFTER WHICH THE SYSTEM INITIATES A SESSION LOCK IS DEFINED
3.1.10.a T Session Lock Policy Training Material and Comprehension Quiz
3.1.10.b P CUI Privacy and Security Notice Policy
3.1.10.b A THE PERIOD OF INACTIVITY AFTER WHICH THE SYSTEM INITIATES A SESSION LOCK IS DEFINED
3.1.10.b T Protecting CUI with Session Lock Controls Policy Training Material and Comprehension Quiz
3.1.10.c P Information Concealment via Pattern-Hiding Display Policy
3.1.10.c A CMMC NIST 800-171A Control 3.1.10.c
3.1.10.c T Information Concealment via Pattern-Hiding Display Policy Training Material and Comprehension Quiz
3.1.11.a P User Session Termination Policy
3.1.11.a A CONDITIONS REQUIRING USER SESSION TERMINATION
3.1.11.a T User Session Termination Policy Training Material and Comprehension Quiz
3.1.11.b P User Session Termination Policy
3.1.11.b A CMMC NIST 800-171A CONTROL 3.1.11.B
3.1.11.b T User Session Termination Policy Training Material and Comprehension Quiz
3.1.12.a P Remote Access Management Policy
3.1.12.a A Remote Access Policy
3.1.12.a T Remote Access Management Policy Training Material and Comprehension Quiz
3.1.12.b P Remote Access Identification Policy
3.1.12.b A Remote Access Identification Report
3.1.12.b T Remote Access Identification Policy Training Material and Comprehension Quiz
3.1.12.c P Remote Access Session Control Policy
3.1.12.c A Remote Access Session Control
3.1.12.c T Remote Access Session Control Policy Training Material and Comprehension Quiz
3.1.12.d P Remote Access Monitoring Policy
3.1.12.d A Remote Access Monitoring
3.1.12.d T Remote Access Monitoring Policy Training Material and Comprehension Quiz
3.1.13.a P Remote Access Cryptographic Protection Policy
3.1.13.a A Cryptographic Mechanisms are Implemented to Protect the Confidentiality of Remote Access Sessions
3.1.13.a T Remote Access Cryptographic Protection Policy Training Material and Comprehension Quiz
3.1.13.b P Remote Access Cryptographic Security Policy
3.1.13.b A Cryptographic Mechanism For Remote Access Confidentiality
3.1.13.b T Remote Access Cryptographic Security Policy
3.1.14.a P Access Control Points Management Policy
3.1.14.a T Access Control Points Management Policy Training Material and Comprehension Quiz
3.1.14.a A Managed Access Points are Identified and Implemented
3.1.14.b P Remote Access Routing Policy
3.1.14.b A Remote Access Policy
3.1.14.b T Remote Access Routing Policy Training Material and Comprehension Quiz
3.1.15.a P Authorized Privileged Commands for Remote Execution Policy
3.1.15.a A Identification of Privileged Commands Authorized for Remote Execution
3.1.15.a T Authorized Privileged Commands for Remote Execution Policy Training Material and Comprehension Quiz
3.1.15.b P Security-Relevant Information Authorized for Remote Access Policy
3.1.15.b A Remote Access Security-Relevant Information Identification
3.1.15.b T Security-Relevant Information Authorized for Remote Access Policy Training Material and Comprehension Quiz
3.1.15.c P Remote Access for Privileged Commands Policy
3.1.15.c A Remote Access Security-Relevant Information Identification
3.1.15.c T Security-Relevant Information Authorized for Remote Access Policy Training Material and Comprehension Quiz
3.1.15.d P Remote Access Authorization for Security-Relevant Information Policy
3.1.15.d A Ensure Remote Access to Security-Relevant Information is Authorized
3.1.15.d T Remote Access Authorization for Security-Relevant Information Policy Training Material and Comprehension Quiz
3.1.16.a P Wireless Access Authorization Policy
3.1.16.a A Wireless Access Points Identification
3.1.16.a T Wireless Access Authorization Policy Training Material and Comprehension Quiz
3.1.16.b P Wireless Access Authorization Policy
3.1.16.b A Wireless Access Authorization Policy Artifact Template
3.1.16.b T Wireless Access Authorization Policy Training Material and Comprehension Quiz
3.1.17.a P Wireless Access Encryption Policy
3.1.17.a A Wireless Access Encryption Policy
3.1.17.a T Wireless Access Encryption Policy Training Material and Comprehension Quiz
3.1.17.b P Wireless Access Authentication Policy
3.1.17.b A WIRELESS ACCESS TO THE SYSTEM IS PROTECTED USING AUTHENTICATION
3.1.17.b T Wireless Access Authentication Policy Training Material and Comprehension Quiz
3.1.18.a P Mobile Device Identification for CUI Policy
3.1.18.a A Identification and Inventory of Mobile Devices Handling CUI
3.1.18.a T Mobile Device Identification for CUI Policy Training Material and Comprehension Quiz
3.1.18.b P Authorization of Mobile Device Connections Policy
3.1.18.b A THE CONNECTION OF MOBILE DEVICES IS AUTHORIZED.
3.1.18.b T Authorization of Mobile Device Connections Policy Training Material and Comprehension Quiz
3.1.18.c P Mobile Device Monitoring and Logging Policy
3.1.18.c A Mobile Device Monitoring and Logging Compliance Document
3.1.18.c T Mobile Device Monitoring and Logging Policy Training Material and Comprehension Quiz
3.1.19.a P Mobile Devices and Mobile Computing Platforms Handling CUI Policy
3.1.19.a A
3.1.19.a T Mobile Devices and Mobile Computing Platforms Handling CUI Policy Training Material and Comprehension Quiz
3.1.19.b P Mobile Device and Computing Platform Encryption Policy
3.1.19.b A Encryption Checklist
3.1.19.b T Mobile Device and Computing Platform Encryption Policy Training Material and Comprehension Quiz
3.1.20.a P Identification of Connections to External Systems
3.1.20.a A External System Connection Inventory
3.1.20.a A External Connection Inventory
3.1.20.a A External Connection Diagram
3.1.20.a A Connection Approval Request
3.1.20.a A Connection Monitoring Log
3.1.20.a T Identification of Connections to External Systems Training Material and Comprehension Quiz
3.1.20.b P Identification of the Use of External Systems
3.1.20.b A External System Use Policy
3.1.20.b A External System Use Request Form
3.1.20.b A External System Use Register
3.1.20.b T Identification of the Use of External Systems Training Material and Comprehension Quiz
3.1.20.c P Verification of Connections to External Systems
3.1.20.c A External System Connection Verification Checklist
3.1.20.c A External System Connection Verification Log
3.1.20.c A External Connection Verification Policy Document
3.1.20.c T Verification of Connections to External Systems Training Material and Comprehension Quiz
3.1.20.d P Verification of the Use of External Systems
3.1.20.d A External System Verification Policy
3.1.20.d A External System Use Request
3.1.20.d A External System Verification Checklist
3.1.20.d A External System Compliance Report
3.1.20.d A External System Usage Acknowledgement
3.1.20.d T Use of External Systems Verification Training Material and Comprehension Quiz
3.1.20.e P Controlled or Limited Connections to External Systems
3.1.20.e A External System Connection Approval Form
3.1.20.e A External Systems Connection Log
3.1.20.e A External Connection Monitoring Report
3.1.20.e A External Systems Termination Checklist
3.1.20.e A External Connection Policy Document
3.1.20.e T Controlled/Limited Connections to External Systems Policy Training Material and Comprehension Quiz
3.1.20.f A Policy on Use of External Systems
3.1.20.f A Procedures for Requesting and Using External Systems
3.1.20.f A External Systems Register
3.1.20.f A External System Usage
3.1.20.f A Use of External System
3.1.20.f T Controlled/Limited Use of External Systems Training Material and Comprehension Quiz
3.1.21.a P Policy on Use of Portable Storage Devices Containing CUI
3.1.21.a A
3.1.21.a T Policy on Use of Portable Storage Devices Containing CUI Training Material and Comprehension Quiz
3.1.21.b P Secure Use of Portable Devices Containing Controlled Unclassified Information (CUI)
3.1.21.b A
3.1.21.b T Secure Use of Portable Devices Containing Controlled Unclassified Information (CUI) Training Material and Comprehension Quiz
3.1.21.c P Use of Organizational Portable Storage Devices Containing CUI on External Systems Policy
3.1.21.c A
3.1.21.c T Use of Organizational Portable Storage Devices Containing CUI on External Systems Policy Training Material and Comprehension Quiz
3.1.22.a P Identification of Individuals Authorized to Post or Process Information on Publicly Accessible Systems Policy
3.1.22.a A Incident Log
3.1.22.a A Training Log
3.1.22.a A Public System Access Authorization Form
3.1.22.a A Authorized Individuals Register
3.1.22.a A Authorization Policy for Publicly Accessible Systems
3.1.22.a T Authorized Personnel Policy for Posting and Processing Information on Public Systems Training Material and Comprehension Quiz
3.1.22.b P Identification of Procedures to Ensure CUI Is Not Posted or Processed on Publicly Accessible Systems
3.1.22.b A Written Policy for CUI Protection
3.1.22.b A Procedure for Ensuring CUI is Not Exposed
3.1.22.b A CUI Monitoring and Audit Log
3.1.22.b A CUI User Awareness and Training Log
3.1.22.b A Incident Response Record
3.1.22.b T Identification of Procedures to Ensure CUI Is Not Posted or Processed on Publicly Accessible Systems Policy Training Material and Comprehension Quiz
3.1.22.c P Review Process Prior to Posting Content on Publicly Accessible Systems
3.1.22.c A Content Review Policy
3.1.22.c A Content Review Form
3.1.22.c A Content Review Checklist
3.1.22.c A Audit Log for Content Review
3.1.22.c T Reviewing Content Before Posting on Public Systems Training Material and Comprehension Quiz
3.1.22.d P Content on Publicly Accessible Systems is Reviewed to Ensure That It Does Not Include CUI
3.1.22.d A Publicly Accessible Information Review Policy
3.1.22.d A Content Review Checklist
3.1.22.d A Incident Report for Public Content with CUI
3.1.22.d A Public Content Approval Log
3.1.22.d A CUI Reviewer Training Log
3.1.22.d T Content on Publicly Accessible Systems is Reviewed to Ensure That It Does Not Include CUI Policy Training Material and Comprehension Quiz
3.1.22.e P Mechanisms to Remove and Address Improper Posting of CUI
3.1.22.e A Improper Response Procedure for Improper Posting of CUI
3.1.22.e A Employee Awareness and Training Log
3.1.22.e A CUI Monitoring and Removal Mechanism Checklist
3.1.22.e A Improper Posting Removal Log
3.1.22.e A Policy on Improper Posting of CUI
