Access Control (AC) is the largest control family in NIST SP 800-171 Rev 2, with 22 security requirements. It is also one of the most frequently assessed areas in CMMC evaluations, because access control is fundamental — if you cannot control who accesses your systems and data, nothing else matters.
The Principle of Least Privilege
Multiple AC requirements revolve around the principle of least privilege: users should have only the minimum access necessary to perform their job functions. AC.L2-3.1.5 requires employing the principle of least privilege, including for specific security functions and privileged accounts. AC.L2-3.1.6 requires using non-privileged accounts or roles when accessing non-security functions. AC.L2-3.1.7 requires preventing non-privileged users from executing privileged functions and capturing the execution of such functions in audit logs.
In practice, this means your regular users should not have local administrator rights on their workstations. System administrators should use separate accounts for daily work and administrative tasks. Access to CUI should be granted based on job role, not by default. And privilege escalation events should be logged and monitored.
Account Management
AC.L2-3.1.1 requires limiting system access to authorized users, processes, and devices. This is account management at its core: have a formal process for creating, modifying, and disabling accounts. When someone joins the company, they get an account with role-appropriate access. When they change roles, their access is adjusted. When they leave, their account is disabled immediately.
Conduct access reviews at least quarterly (NIST SP 800-171 itself sets no interval, so the interval your policy states is the one you will be assessed against). Pull a list of all accounts from your identity provider, compare it to your current employee roster in both directions, and verify that each account's access level matches the person's role. The findings to look for are accounts with no roster owner, accounts of departed employees that are still enabled, dormant accounts, and group memberships beyond what the role entitles. Document the review, including who performed it, what was found, and what was remediated. This evidence is high-value for assessors.
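The review described above, automated, as an added example that is not CMMCDocs.com's own tooling. It reconciles a constructed identity-provider export against a constructed HR roster and also applies the separate-admin-account rule from the least privilege section: daily-use accounts must not hold privileged groups, and admin accounts must belong to a role that is entitled to one. The CSV columns, group names, role entitlement table, the "-adm" suffix convention, the review date and the 90-day dormancy threshold are all assumptions for illustration, not anything NIST SP 800-171 or this page prescribes.

```python
"""Quarterly access review: reconcile an identity-provider export with the HR roster.

Added example, not CMMCDocs.com's own tooling. The CSV columns, group names,
role entitlements, the "-adm" naming convention for admin accounts and the
sample rows are all constructed assumptions; adapt them to your environment.
"""
import csv
import io
from datetime import date

# Constructed sample export from the identity provider (columns assumed).
IDP_EXPORT = """\
username,enabled,groups,last_logon
jsmith,true,CUI-Users;Engineering,2024-03-01
jsmith-adm,true,Domain Admins,2024-03-02
ltaylor,true,CUI-Users;Domain Admins,2024-02-28
ltaylor-adm,true,Domain Admins,2024-03-03
rpatel,true,Finance,2023-09-10
mgarcia,false,CUI-Users,2023-12-01
svc-backup,true,Domain Admins,2024-03-03
"""

# Constructed HR roster: who still works here and in what role.
HR_ROSTER = """\
username,role,status
jsmith,engineer,active
ltaylor,sysadmin,active
rpatel,analyst,terminated
mgarcia,engineer,active
"""

# Assumed entitlement model: groups each role may hold on its daily-use account.
ROLE_GROUPS = {
    "engineer": {"CUI-Users", "Engineering"},
    "sysadmin": {"CUI-Users"},   # admin rights belong on the separate -adm account
    "analyst": {"Finance"},
}
ADMIN_ROLES = {"sysadmin"}                # roles entitled to a separate admin account
PRIVILEGED_GROUPS = {"Domain Admins"}    # groups that must never sit on a daily-use account
ADMIN_SUFFIX = "-adm"
KNOWN_SERVICE_ACCOUNTS = {"svc-backup"}  # reviewed separately against an owner list
REVIEW_DATE = date(2024, 3, 31)          # assumed date of this review
DORMANT_DAYS = 90                        # assumed threshold for "no recent logon"


def parse_csv(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(idp_csv, roster_csv, review_date=REVIEW_DATE):
    """Return (account, finding) pairs for every enabled account that fails a check."""
    roster = {row["username"]: row for row in parse_csv(roster_csv)}
    findings = []
    for acct in parse_csv(idp_csv):
        name = acct["username"]
        if acct["enabled"].lower() != "true" or name in KNOWN_SERVICE_ACCOUNTS:
            continue  # disabled accounts and allow-listed service accounts are out of scope here
        groups = set(filter(None, acct["groups"].split(";")))
        is_admin = name.endswith(ADMIN_SUFFIX)
        owner = name[: -len(ADMIN_SUFFIX)] if is_admin else name

        person = roster.get(owner)
        if person is None:
            findings.append((name, "no HR roster entry; treat as orphan and disable pending owner confirmation"))
            continue
        if person["status"] != "active":
            findings.append((name, f"enabled but roster status is '{person['status']}'; disable immediately"))

        last_logon = date.fromisoformat(acct["last_logon"])
        if (review_date - last_logon).days > DORMANT_DAYS:
            findings.append((name, f"no logon since {last_logon}; confirm the account is still needed"))

        role = person["role"]
        if is_admin:
            if role not in ADMIN_ROLES:
                findings.append((name, f"admin account held by role '{role}', which has no admin entitlement"))
        else:
            # Least privilege (3.1.5/3.1.6): a daily-use account gets only its role's groups,
            # and any privileged group must live on a separate admin account instead.
            for group in sorted(groups - ROLE_GROUPS.get(role, set())):
                if group in PRIVILEGED_GROUPS:
                    findings.append((name, f"privileged group '{group}' on daily-use account; move admin rights to a separate admin account"))
                else:
                    findings.append((name, f"group '{group}' is beyond the '{role}' role entitlement"))
    return findings


if __name__ == "__main__":
    # Prints the review record you would attach as assessment evidence.
    print(f"Access review dated {REVIEW_DATE}")
    for account, finding in review_access(IDP_EXPORT, HR_ROSTER):
        print(f"  {account}: {finding}")
```

On the sample data this flags jsmith-adm (an admin account for a role that is not entitled to one), ltaylor (Domain Admins on a daily-use account), and rpatel twice (still enabled after termination, and no logon in over 90 days); jsmith, ltaylor-adm and the disabled mgarcia pass. In production the two CSVs come from your identity provider's export and your HR system; keep the printed output, the reviewer's name and the remediation tickets together as the review record.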
Remote Access Controls
AC.L2-3.1.12 requires monitoring and controlling remote access sessions, and AC.L2-3.1.14 requires routing remote access through managed access control points. If your employees work remotely, and most defense contractors have at least some remote workers, you need a VPN or equivalent secure remote access path, session monitoring and logging, automatic termination of inactive sessions (which also addresses AC.L2-3.1.11), and MFA for all remote access (the MFA requirement itself lives in the Identification and Authentication family as IA.L2-3.5.3, but it is inseparable from remote access in practice).
Remote Desktop Protocol (RDP) exposed directly to the internet is a critical finding. All remote access should go through a VPN concentrator, a zero-trust network access solution, or a virtual desktop infrastructure — never directly to the internal network.
Wireless Access
AC.L2-3.1.16 and AC.L2-3.1.17 address wireless access. You must authorize wireless access before allowing a connection, and you must protect wireless access using authentication and encryption. In practice, this means WPA2-Enterprise or WPA3-Enterprise (802.1X with a RADIUS server, preferably certificate-based EAP-TLS rather than passwords) for any wireless network within the CUI boundary. A shared passphrase (WPA2-Personal) encrypts traffic but does not authenticate individual users or devices, which makes the prior-authorization requirement hard to evidence. Guest wireless networks should be segmented from the corporate network with no path to CUI systems.
Mobile Device Controls
AC.L2-3.1.18 and AC.L2-3.1.19 cover mobile devices: control the connection of mobile devices, and encrypt CUI on mobile devices and mobile computing platforms. If mobile devices (phones, tablets) access CUI, they must be managed and controlled. This typically requires a Mobile Device Management (MDM) solution that can enforce device encryption, a passcode, remote wipe, and access policies, and that can keep unmanaged devices away from CUI systems. If you do not allow CUI access on mobile devices, document that policy clearly and enforce it technically, for example with conditional access rules that deny unmanaged devices, so that the assessor sees a control rather than only a statement.
CMMCDocs.com