Access Control
Access Control is about making sure only the right people, and the right systems, can reach CUI, and only for what they actually need. It is the largest family in Level 2 for a reason: most breaches start with access that was too broad or never removed.
The 22 Access Control requirements
70 assessment objectives across this family.
- 3.1.1 Authorized Access Control: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). (5 pt; ✕ POA&M)
- 3.1.2 Transaction & Function Control: Limit system access to the types of transactions and functions that authorized users are permitted to execute. (5 pt; ✕ POA&M)
- 3.1.3 Control CUI Flow: Control the flow of CUI in accordance with approved authorizations. (1 pt)
- 3.1.4 Separation Of Duties: Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (1 pt)
- 3.1.5 Least Privilege: Employ the principle of least privilege, including for specific security functions and privileged accounts. (3 pt; ✕ POA&M)
- 3.1.6 Non-privileged Account Use: Use non-privileged accounts or roles when accessing nonsecurity functions. (1 pt)
- 3.1.7 Privileged Functions: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. (1 pt)
- 3.1.8 Unsuccessful Logon Attempts: Limit unsuccessful logon attempts. (1 pt)
- 3.1.9 Privacy & Security Notices: Provide privacy and security notices consistent with applicable CUI rules. (1 pt)
- 3.1.10 Session Lock: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. (1 pt)
- 3.1.11 Session Termination: Terminate (automatically) a user session after a defined condition. (1 pt)
- 3.1.12 Control Remote Access: Monitor and control remote access sessions. (5 pt; ✕ POA&M)
- 3.1.13 Remote Access Confidentiality: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (5 pt; ✕ POA&M)
- 3.1.14 Remote Access Routing: Route remote access via managed access control points. (1 pt)
- 3.1.15 Privileged Remote Access: Authorize remote execution of privileged commands and remote access to security-relevant information. (1 pt)
- 3.1.16 Wireless Access Authorization: Authorize wireless access prior to allowing such connections. (5 pt; ✕ POA&M)
- 3.1.17 Wireless Access Protection: Protect wireless access using authentication and encryption. (5 pt; ✕ POA&M)
- 3.1.18 Mobile Device Connection: Control connection of mobile devices. (5 pt; ✕ POA&M)
- 3.1.19 Encrypt CUI On Mobile: Encrypt CUI on mobile devices and mobile computing platforms. (3 pt; ✕ POA&M)
- 3.1.20 External Connections: Verify and control/limit connections to and use of external systems. (1 pt; ✕ POA&M)
- 3.1.21 Portable Storage Use: Limit use of portable storage devices on external systems. (1 pt)
- 3.1.22 Control Public Information: Control CUI posted or processed on publicly accessible systems. (1 pt; ✕ POA&M)
Build Access Control, and all 14 families, with an officer
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
Questions, answered
How many CMMC Level 2 requirements are in Access Control?
The Access Control family (AC) has 22 of the 110 CMMC Level 2 requirements, assessed against 70 objectives from NIST SP 800-171A.
What is the Access Control family about?
Access Control is about making sure only the right people, and the right systems, can reach CUI, and only for what they actually need. It is the largest family in Level 2 for a reason: most breaches start with access that was too broad or never removed.