AC.L2-3.1.2 · NIST SP 800-171 3.1.2

Transaction & Function Control

Limit system access to the types of transactions and functions that authorized users are permitted to execute.

5 points if not met · Must be fully met, cannot POA&M · 2 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.2 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a.the types of transactions and functions that authorized users are permitted to execute are defined
  • b.system access is limited to the defined types of transactions and functions for authorized users

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.2, an assessor uses these:

Examine

Access control policy; procedures addressing access enforcement; system security plan; system design documentation; list of approved authorizations including remote access authorizations; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records

Interview

Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers

Test

Mechanisms implementing access control policy

What it means, in context

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).

Limit users to only the information systems, roles, or applications they are permitted to use and that are needed for their roles and responsibilities. Limit access to applications and data based on the authorized users' roles and responsibilities. Common types of functions a user can be assigned are create, read, update, and delete.

Example

Your team manages DoD contracts for your company. Members of your team need to access the contract information to perform their work properly. Because some of that data contains CUI, you work with IT to set up your group's systems so that users can be assigned access based on their specific roles [a]. Each role limits whether an employee has read-access or create/read/delete/update-access [b]. Implementing this access control restricts access to CUI unless specifically authorized.

Potential Assessment Considerations

  • Are access control lists used to limit access to applications and data based on role and/or identity [a]?
  • Is access for authorized users restricted to those parts of the system they are explicitly permitted to use (e.g., a person who only performs word-processing cannot access developer tools) [b]?

What passing evidence looks like

A short role matrix (who may do what on which system) and proof the systems enforce it: group or role membership screenshots that match the matrix.

Common ways contractors fail AC.L2-3.1.2

  • Everyone an admin fails this instantly. If your shop runs that way today, fix roles first, then capture evidence.
  • The matrix must match reality. An assessor picks a user from the matrix and asks to see their actual permissions.
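Putting the two objectives into working form, as an added example that is not from the original page or from the Accelerator: a small Python role matrix in which each role grants create/read/update/delete functions per resource (objective [a]), a deny-by-default authorize() that also honours the time-of-day and point-of-origin attributes the discussion above mentions, and a reconcile() that does what the assessor does when they pick a user from the matrix and compare it with actual group membership (objective [b]). The roles, users, group names and the directory export are constructed for illustration; the ROLE_MATRIX, Account, authorize, reconcile and check names are this example's own, not any product's API.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed role matrix (objective [a]): role -> resource -> permitted CRUD functions.
# Role and resource names are illustrative, not taken from the original page.
ROLE_MATRIX = {
    "contracts-reader":  {"contracts": {"read"}},
    "contracts-manager": {"contracts": {"create", "read", "update", "delete"}},
    "word-processor":    {"documents": {"create", "read", "update"}},
    "developer":         {"dev-tools": {"create", "read", "update", "delete"}},
    "global-admin":      {"*": {"create", "read", "update", "delete"}},
}
PRIVILEGED_ROLES = {"global-admin"}


@dataclass
class Account:
    """A user, the roles the matrix assigns, and optional attribute restrictions."""
    user: str
    roles: frozenset
    hours: tuple = (time(0, 0), time(23, 59))   # permitted time-of-day window
    origins: Optional[frozenset] = None          # permitted points of origin; None = any


def permitted_functions(roles):
    """Union, per resource, of the functions the assigned roles grant."""
    perms = {}
    for role in roles:
        for resource, funcs in ROLE_MATRIX.get(role, {}).items():
            perms.setdefault(resource, set()).update(funcs)
    return perms


def authorize(account, resource, function, now, origin):
    """Deny by default: the function must be in the matrix for that resource, and the
    account's time-of-day and point-of-origin attributes must both permit the access."""
    perms = permitted_functions(account.roles)
    funcs = perms.get(resource, set()) | perms.get("*", set())
    if function not in funcs:
        return False, f"{function} on {resource} is not in the role matrix for {account.user}"
    start, end = account.hours
    if not start <= now <= end:
        return False, f"{account.user} may only act between {start} and {end}"
    if account.origins is not None and origin not in account.origins:
        return False, f"origin {origin} is not permitted for {account.user}"
    return True, "permitted"


def reconcile(accounts, observed_membership):
    """Compare the documented matrix with observed group membership (what an assessor
    pulls from the directory). Returns findings; an empty list means they match."""
    findings = []
    for acct in accounts:
        actual = observed_membership.get(acct.user, frozenset())
        for role in sorted(actual - acct.roles):
            findings.append(f"{acct.user}: holds {role} but the matrix does not grant it")
        for role in sorted(acct.roles - actual):
            findings.append(f"{acct.user}: matrix grants {role} but the directory does not")
    privileged = [u for u, g in observed_membership.items() if g & PRIVILEGED_ROLES]
    if observed_membership and len(privileged) == len(observed_membership):
        findings.append("every account holds a privileged role: roles are not limiting anything")
    return findings


# Constructed sample accounts: the contracts team from the page's example plus others.
ACCOUNTS = [
    Account("alice", frozenset({"contracts-manager"}), origins=frozenset({"corp-network", "vpn"})),
    Account("bob", frozenset({"contracts-reader"}), hours=(time(7, 0), time(19, 0))),
    Account("carol", frozenset({"word-processor"})),
    Account("dave", frozenset({"developer"})),
]

# Constructed directory export: carol has been added to global-admin outside the matrix.
OBSERVED = {
    "alice": frozenset({"contracts-manager"}),
    "bob": frozenset({"contracts-reader"}),
    "carol": frozenset({"word-processor", "global-admin"}),
    "dave": frozenset({"developer"}),
}


def check(user, resource, function, hour, origin="corp-network"):
    """Convenience wrapper over the sample accounts; hour is 0-23."""
    by_name = {a.user: a for a in ACCOUNTS}
    return authorize(by_name[user], resource, function, time(hour, 0), origin)


if __name__ == "__main__":
    print(check("bob", "contracts", "delete", 10))      # reader cannot delete
    print(check("bob", "contracts", "read", 22))        # outside permitted hours
    print(check("carol", "dev-tools", "read", 10))      # word-processor, no dev tools
    for finding in reconcile(ACCOUNTS, OBSERVED):
        print("FINDING:", finding)
```

Run as a script it prints three denials and the one finding the constructed data contains (carol holds global-admin without the matrix granting it). Feeding reconcile() a real export of group membership from your directory turns the "matrix must match reality" check into something you re-run before each evidence capture, and the all-privileged finding is the "everyone an admin" failure mode described above.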

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AC.L2-3.1.2, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.2 questions, answered

How many points is CMMC requirement AC.L2-3.1.2 worth?

AC.L2-3.1.2 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can AC.L2-3.1.2 be placed on a POA&M?

No. AC.L2-3.1.2 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AC.L2-3.1.2 belong to?

AC.L2-3.1.2 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2, requirement 3.1.2
  • FAR 52.204-21(b)(1)(ii)