Access Control (AC) Family
Also known as: AC family · Access Control family
The Access Control family covers 22 NIST SP 800-171 requirements governing how users and devices are authorized to access CUI.
The Access Control (AC) family is the largest control family in NIST SP 800-171 Rev 2, with 22 security requirements. It governs how users, processes, and devices are authorized to access Controlled Unclassified Information and the systems that handle it.
Key AC requirements include account provisioning and deprovisioning (AC.L2-3.1.1, AC.L2-3.1.2), separation of duties (AC.L2-3.1.4), least privilege (AC.L2-3.1.5), session lock and termination (AC.L2-3.1.10, AC.L2-3.1.11), multifactor authentication for remote and privileged access (AC.L2-3.1.13), and monitoring of remote access sessions (AC.L2-3.1.12).
The AC family is typically owned by the IT lead or identity management team. A C3PAO will interview the AC family owner about account reviews, separation of duties, and remote access controls — and will often ask to watch a real account review happen in the IdP during the assessment.
CMMCDocs.com