CMMC Access Control Domain: Here are the Basics

Last Updated on November 16, 2020

The Cybersecurity Maturity Model Certification (CMMC) framework organizes cybersecurity best practices into 17 domains. Each domain specifies various capabilities, processes and practices across five maturity levels, fundamental to establishing basic to advanced cyber hygiene.

CMMC references domains alphabetically by name, making Access Control (AC) the first domain. Access Control is one of the six domains involved in Level 1, and its 26 practices, organized into 4 capabilities, span all 5 CMMC levels. That makes it one of the most significant CMMC domains: it includes practices as critical as limiting access to authorized users or devices and controlling the flow of CUI, and it introduces the use of encryption at the various layers of the organization that handle, store, or transmit CUI.

What does the CMMC access control domain cover?

Access control is the set of processes and procedures for granting or denying access in accordance with pre-established rules, based on identification, authentication, and authorization.

The purpose of the controls in this domain is to limit access to your protected data, systems, and locations by regulating: who can log on or enter (locally, remotely, or physically); which devices are authorized to connect, and to which locations; what users can do once they gain access to a system or a location; who has privileges to access which resources; and what they can do with their level of access.

Cybersecurity areas that these controls cover include enforcing least privilege, separation of duties and account management, limiting failed logon attempts, automatic session termination, using encryption for remote access sessions, encrypting Controlled Unclassified Information (CUI) on mobile devices, and more.

What are the capabilities within the CMMC access control domain?

This domain has four capabilities:

  1. C001: Establish system access requirements
    This capability is all about ensuring that only those entities that should have access to data and systems can get access.
  2. C002: Control internal system access
    This capability concerns principles that apply at maturity levels 2 and above.
  3. C003: Control remote system access
    This is where controls to support secure remote working come into play.
  4. C004: Limit data access to authorized users and processes
    Key controls within this capability include encrypting CUI on mobile platforms (required at Level 3 and above).

How many access control practices do I need to worry about?

At Level 1 (the basic level mandated for any DoD supplier), there are 4 practices within the access control domain. At Level 2 there are an additional 10 practices for a total of 14. At Level 3 (the minimum requirement for handling CUI), there are 22 practices altogether. At Level 4 there are 3 more practices for a total of 25. If you need to achieve CMMC Level 5, you’ll need to comply with all 26 access control practices.

Next steps

Access control is a far-reaching domain that includes important areas like remote work environments, enforcing least privilege data access and encrypting CUI. If you have questions about how these practices and processes relate to your organization, Pivot Point Security is here to help.


We are a trusted source of simple, practical, and actionable information security guidance.