CMMC AC.1.002 – Assign Information System User Rights

CMMC AC.1.002 – Assign Information System User Rights

Requirement text: AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of -origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).

CMMC CLARIFICATION
Make sure to limit users/employees to only the information systems, roles, or applications they are permitted to use and that are needed for their jobs.

Example: You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks

Get Audit Ready

How to pass? Your non-IT employees should only have “user” rights to their computer, not “admin” rights. Use permissions in your business programs and file shares to limit employees from viewing sensitive information about your federal contracts.

How to fail this? Everyone has “administrator” rights on computers and devices.

References
• FAR Clause 52.204-21 b.1.ii
• NIST SP 800-171 Rev 1 3.1.2
• CIS Controls v7.1 1.4, 1.6, 5.1, 8.5, 14.6, 15.10, 16.8, 16.9, 16.11
• NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
• CERT RMM v1.2 TM:SG4.SP1
• NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17

    • Related Articles

    • System and Information Integrity: SP 800-171 Security Family 3.14

      Integrity is defined as guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. It is the assertion that data can only be accessed or modified by the authorized employees. ...

    • CMMC AC.3.019 - Terminate User Sessions

      Requirement text: AC.3.019: Terminate (automatically) user sessions after a defined condition. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 This requirement addresses the termination of user-initiated logical sessions in contrast to the ...

    • CMMC SC.3.181 - Separate User Functionality from System Management Functionality

      Requirement text: SC.3.181: Separate user functionality from system management functionality. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 System management functionality includes functions necessary to administer databases, network components, ...

    • CMMC AC.1.001 – Limit Information System Access

      Requirement text: AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Access control ...

    • CMMC AU.2.041 - Ensure System User Attribution

      Requirement text: AU.2.041: Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 This requirement ensures that the ...