Access ControlCMMC Level 2

NIST 800-171 3.1.2Limit system access to the types of transactions and functions that authorized users are permitted to execute

Overview

This control requires organizations to limit system access to the types of transactions and functions that authorized users are permitted to execute. It is part of the Access Control family and is required for CMMC Level 2 certification. Defense contractors handling CUI must implement this control to protect sensitive information and demonstrate compliance during assessments.

Assessment Objectives

1Determine if the organization has defined policies and procedures to limit system access to the types of transactions and functions that authorized users are permitted to execute
2Determine if the organization implements mechanisms to limit system access to the types of transactions and functions that authorized users are permitted to execute
3Verify that the implementation is consistent with organizational policies and NIST 800-171 requirements

Implementation Guidance

Implement this control by establishing documented policies and procedures, deploying appropriate technical controls, and maintaining evidence of ongoing compliance. Regularly review and test the implementation to ensure effectiveness and address any gaps identified during assessments.

Common Audit Gaps

!No documented policy or procedure addressing this requirement

!Implementation exists but lacks evidence of consistent enforcement

!Monitoring and review processes are informal or undocumented

Related DFARS Clauses

DFARS 252.204-7012 DFARS 252.204-7019 DFARS 252.204-7020 DFARS 252.204-7021

Frequently Asked Questions

What is NIST 800-171 control 3.1.2?

NIST 800-171 control 3.1.2 requires organizations to limit system access to the types of transactions and functions that authorized users are permitted to execute. This control is part of the Access Control family and is required for CMMC Level 2 certification.

How do you implement NIST 800-171 3.1.2?

To implement control 3.1.2, establish documented policies, deploy technical controls to limit system access to the types of transactions and functions that authorized u, and maintain evidence of compliance. Regular testing and monitoring are essential.

What evidence is needed for NIST 800-171 3.1.2?

Evidence for control 3.1.2 typically includes written policies and procedures, system configuration documentation, audit logs showing enforcement, and records of periodic reviews. Assessors will look for both documentation and technical implementation.

Related Controls

3.1.1|Limit system access to authorized users, processes acting on behalf of authorized users, and devices

Access Control

3.1.3|Control the flow of CUI in accordance with approved authorizations

Access Control

3.5.1|Identify system users, processes acting on behalf of users, and devices

Identification and Authentication

More in Access Control

3.1.1 — Limit system access to authorized users, processes acting on behalf of authorized users, and devices 3.1.3 — Control the flow of CUI in accordance with approved authorizations 3.1.4 — Separate the duties of individuals to reduce the risk of malevolent activity 3.1.5 — Employ the principle of least privilege, including for specific security functions and privileged accounts 3.1.6 — Use non-privileged accounts or roles when accessing nonsecurity functions

Free Compliance Tools

🛡

CUI Auditor

Audit your tech stack for CUI handling gaps across 80+ enterprise tools.

🗺

CUI Flow Mapper

Map how CUI flows through your organization and identify spillage risks.

💰

CMMC Cost Estimator

Estimate your CMMC certification cost by level, company size, and readiness.

Check your compliance for 3.1.2

Run our free CUI Auditor to see if your tools meet this control's requirements.

Audit Your Tech Stack Free

Track NIST 800-171 3.1.2 regulatory updates with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

Discussion

Share your experience implementing this in your organization.

Join the Club to unlock joining discussions

Free membership — access intelligence, save your work, and more.

Create free account

← All NIST 800-171 Controls

Access ControlCMMC Level 2

NIST 800-171 3.1.2Limit system access to the types of transactions and functions that authorized users are permitted to execute

Overview

Assessment Objectives

1Determine if the organization has defined policies and procedures to limit system access to the types of transactions and functions that authorized users are permitted to execute
2Determine if the organization implements mechanisms to limit system access to the types of transactions and functions that authorized users are permitted to execute
3Verify that the implementation is consistent with organizational policies and NIST 800-171 requirements

Implementation Guidance

Common Audit Gaps

!No documented policy or procedure addressing this requirement

!Implementation exists but lacks evidence of consistent enforcement

!Monitoring and review processes are informal or undocumented

Related DFARS Clauses

DFARS 252.204-7012 DFARS 252.204-7019 DFARS 252.204-7020 DFARS 252.204-7021

Frequently Asked Questions

What is NIST 800-171 control 3.1.2?

How do you implement NIST 800-171 3.1.2?

What evidence is needed for NIST 800-171 3.1.2?

Related Controls

3.1.1|Limit system access to authorized users, processes acting on behalf of authorized users, and devices

Access Control

3.1.3|Control the flow of CUI in accordance with approved authorizations

Access Control

3.5.1|Identify system users, processes acting on behalf of users, and devices

Identification and Authentication

Free Compliance Tools

🛡

CUI Auditor

Audit your tech stack for CUI handling gaps across 80+ enterprise tools.

🗺

CUI Flow Mapper

Map how CUI flows through your organization and identify spillage risks.

💰

CMMC Cost Estimator

Estimate your CMMC certification cost by level, company size, and readiness.

Check your compliance for 3.1.2

Run our free CUI Auditor to see if your tools meet this control's requirements.

Audit Your Tech Stack Free

Track NIST 800-171 3.1.2 regulatory updates with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

Discussion

Share your experience implementing this in your organization.

Join the Club to unlock joining discussions

Free membership — access intelligence, save your work, and more.

Create free account

← All NIST 800-171 Controls

NIST 800-171 3.1.2Limit system access to the types of transactions and functions that authorized users are permitted to execute

Overview

Assessment Objectives

Implementation Guidance

Common Audit Gaps

Related DFARS Clauses

Frequently Asked Questions

What is NIST 800-171 control 3.1.2?

How do you implement NIST 800-171 3.1.2?

What evidence is needed for NIST 800-171 3.1.2?

Related Controls

More in Access Control

Related Guides

Free Compliance Tools

Discussion

NIST 800-171 3.1.2Limit system access to the types of transactions and functions that authorized users are permitted to execute

Overview

Assessment Objectives

Implementation Guidance

Common Audit Gaps

Related DFARS Clauses

Frequently Asked Questions

What is NIST 800-171 control 3.1.2?

How do you implement NIST 800-171 3.1.2?

What evidence is needed for NIST 800-171 3.1.2?

Related Controls

More in Access Control

Related Guides

Free Compliance Tools

Discussion