Requirement text: AC.4.025: Periodically review and update CUI program access permissions.
DISCUSSION FROM SOURCE: CMMC
Organizations must maintain the authorizations for access to CUI on a regular basis,
considering whether existing authorizations are still needed or new authorizations are
required, and update the authorizations accordingly. Reviews of access take into
consideration mission/business needs and maintain the organization's implementation of
the principle of least privilege.
CMMC CLARIFICATION
Users must have organizational approval to read, write, and process CUI associated with a
program, and the organization must maintain an authoritative list of who has been granted
access to CUI. Review and update ACLs and/or other applicable access mechanisms periodically
(at an interval determined by the organization, but at least annually) so that permission
sets remain accurate when employees' roles change.
Example
You manage IT for your organization. When a new employee joined the organization, they
were granted complete access to the CUI for the project they were working on. A few months
later, their role changed: they were moved to a different project owned by the same
program manager but no longer requiring access to CUI. During the periodic review of the
access control configuration, you compare the current permissions to the official permission
baseline held by the program manager and determine that the employee should no longer have
access to CUI. You revoke the user's CUI access permissions.
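The review described in the example is a reconciliation: the permissions a system actually grants are compared against the program manager's approved baseline, excess grants are revoked, and approved-but-missing grants are flagged as new authorizations to request. The following is an added illustration of that reconciliation, not text or code from CMMC; the user names, permission names, and dates are constructed sample data, and the functions are hypothetical helpers rather than any product's API. It also includes a cadence check for the "at least annually" clarification.

```python
"""Periodic CUI access review: reconcile live grants against an approved baseline.

Added example (not from CMMC). All names and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Authoritative baseline held by the program manager: user -> approved CUI permissions.
# (Constructed sample data.)
APPROVED_BASELINE: Dict[str, Set[str]] = {
    "alice": {"read", "write"},
    "bob": {"read"},
    "dave": {"read"},  # approved, but never provisioned
}

# Snapshot of what the system currently grants, e.g. exported from a share ACL or a
# directory group. (Constructed sample data.) "carol" moved to a non-CUI project and was
# never removed; "bob" was over-provisioned.
CURRENT_GRANTS: Dict[str, Set[str]] = {
    "alice": {"read", "write"},
    "bob": {"read", "write"},
    "carol": {"read", "write"},
}

# "At least annually" from the CMMC clarification, expressed as a maximum review interval.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class ReviewFinding:
    """One user whose live grants differ from the baseline."""
    user: str
    revoke: frozenset   # granted but not approved -> remove
    missing: frozenset  # approved but not granted -> request provisioning


def reconcile(baseline: Dict[str, Set[str]],
              current: Dict[str, Set[str]]) -> List[ReviewFinding]:
    """Compare live grants to the baseline and return every discrepancy, sorted by user.

    A user absent from the baseline has every current grant marked for revocation;
    a user absent from the live snapshot has every approved permission marked missing.
    """
    findings = []
    for user in sorted(set(baseline) | set(current)):
        approved = baseline.get(user, set())
        granted = current.get(user, set())
        revoke = granted - approved
        missing = approved - granted
        if revoke or missing:
            findings.append(ReviewFinding(user, frozenset(revoke), frozenset(missing)))
    return findings


def apply_revocations(current: Dict[str, Set[str]],
                      findings: List[ReviewFinding]) -> Dict[str, Set[str]]:
    """Return the updated grants map with excess permissions removed.

    Only revocations are applied automatically; missing grants still need approval.
    Users left with no permissions are dropped from the map entirely.
    """
    updated = {user: set(perms) for user, perms in current.items()}
    for finding in findings:
        if finding.user in updated:
            updated[finding.user] -= finding.revoke
            if not updated[finding.user]:
                del updated[finding.user]
    return updated


def overdue_reviews(last_reviewed: Dict[str, date], today: date,
                    interval: timedelta = REVIEW_INTERVAL) -> List[str]:
    """Return the access lists whose last review is older than the allowed interval."""
    return sorted(name for name, reviewed in last_reviewed.items()
                  if today - reviewed > interval)


if __name__ == "__main__":
    for f in reconcile(APPROVED_BASELINE, CURRENT_GRANTS):
        print(f"{f.user}: revoke={sorted(f.revoke)} missing={sorted(f.missing)}")
    print("after revocation:", apply_revocations(
        CURRENT_GRANTS, reconcile(APPROVED_BASELINE, CURRENT_GRANTS)))
    # Constructed review dates for two hypothetical program ACLs.
    print("overdue:", overdue_reviews(
        {"program-x-cui-acl": date(2023, 1, 1), "program-y-cui-acl": date(2024, 6, 1)},
        today=date(2024, 6, 30)))
```

Keeping the baseline as a separate artifact owned by the program manager, rather than deriving it from the live ACL, is what makes the review meaningful: the review compares two independent sources, and only the delta is acted on. Revocations can be applied directly; missing grants are surfaced for approval rather than provisioned automatically.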
References
• CMMC