AC.L2-3.1.1

Also known as: Limit system access requirement

The first NIST SP 800-171 requirement: limit system access to authorized users, processes acting on behalf of authorized users, and devices.

AC.L2-3.1.1 is the foundational access control requirement: 'Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems).'

In practice, this requires the contractor to maintain an authoritative list of who is allowed to access in-scope systems, enforce access controls technically (typically through an identity provider), and document the authorization process.

A C3PAO will ask for the user provisioning and deprovisioning workflow, the authorized user list for each in-scope system, and live evidence that the access controls are enforced (a denied login attempt, an account lockout, an MFA challenge).
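
One way to check the authorized user list against the accounts a system actually has enabled, as an added example (not part of the original glossary entry or of any CMMCDocs tooling). The CSV column names, approval references, and account names are constructed assumptions; service accounts are included because the requirement also covers processes acting on behalf of users.

```python
import csv
import io

# Constructed sample data; column names and values are assumptions.
# Authorized roster: one row per approved user or service account per system.
ROSTER_CSV = """user,system,approval_ref,status
alice,fileserver,REQ-101,active
bob,fileserver,REQ-102,revoked
carol,vpn,REQ-103,active
"""

# Account export pulled from each in-scope system or the identity provider.
ACCOUNTS_CSV = """user,system,enabled
alice,fileserver,true
bob,fileserver,true
carol,vpn,false
mallory,fileserver,true
svc-backup,fileserver,true
"""

def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(roster_rows, account_rows):
    """Compare enabled accounts with the roster and return sorted findings."""
    roster = {(r["user"], r["system"]): r for r in roster_rows}
    findings = []
    for acct in account_rows:
        key = (acct["user"], acct["system"])
        enabled = acct["enabled"].strip().lower() == "true"
        entry = roster.get(key)
        if enabled and entry is None:
            findings.append((*key, "enabled but not on authorized list"))
        elif enabled and entry["status"] != "active":
            findings.append((*key, "enabled but authorization " + entry["status"]))
        elif not enabled and entry and entry["status"] == "active":
            findings.append((*key, "authorized but account disabled"))
    return sorted(findings)

if __name__ == "__main__":
    for user, system, issue in reconcile(load(ROSTER_CSV), load(ACCOUNTS_CSV)):
        print(f"{system:12} {user:12} {issue}")
```

An empty findings list for every in-scope system, together with the dated exports it was computed from, can accompany the provisioning and deprovisioning workflow as evidence.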
