AC.L2-3.1.1[a] — Authorized Access Control (Authorized Users Are Identified)
Domain: Access Control (AC) | Practice: AC.L2-3.1.1 | Objective ID: 3.1.1[a] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 | Assessment Objective: Authorized users are identified.
Executive Summary (For Leadership and the Board)
Before any access control technology can do its job, your organization must be able to answer a deceptively simple question: “Who, exactly, is allowed in?” CMMC objective AC.L2-3.1.1[a] requires that authorized users be definitively identified — documented, approved, and maintained as an authoritative inventory. Without this, every downstream control (MFA, least privilege, monitoring, audit) is built on quicksand.
For organizations handling Controlled Unclassified Information (CUI) under DFARS 252.204-7012, this objective is one of the very first items a CMMC Third-Party Assessor (C3PAO) will evaluate. Failing this single objective during certification can stop the entire assessment in its tracks and put DoD contract awards at risk.
| Business Question | What Leadership Must Confirm |
|---|---|
| Do we have a single, authoritative list of authorized users? | An auditable inventory exists, is owned, and is reconciled on a defined cadence. |
| Is the list approved by management before access is granted? | A documented authorization workflow with named approvers exists for every onboarding. |
| Are former employees and stale accounts off the list? | Termination and access-review procedures remove users within the SLA defined in policy. |
| Can we prove this to a C3PAO? | Evidence package: policy, user list, approval records, recertification logs, joiner/mover/leaver tickets. |
Executive Risk Lens: “Unknown user” risk — orphaned accounts, contractor accounts that outlived the contract, shared service accounts no one owns, and ex-employee credentials — is the #1 contributor to insider-enabled and credential-driven breaches in the Verizon DBIR.
How Authorization Should Flow
From request to authoritative identity record:
1. Hiring / Request (HR / Sponsor)
2. Authorization (Manager + Data Owner)
3. Provision in IAM (identity of record)
4. Recertify (quarterly review)
5. Deprovision (within SLA on exit)
Figure: AC.L2-3.1.1[a] — The Authorized User Lifecycle. Every step produces audit evidence the C3PAO will request. Source of truth: Identity Provider (IdP) — Active Directory, Entra ID, Okta, or CyberSecureID.
Technical Deep Dive (For Engineers, IAM Admins, and ISSOs)
What the Objective Requires
NIST SP 800-171 Rev. 2 derives 3.1.1 from NIST SP 800-53 AC-2 (Account Management). CMMC 2.0 splits the parent practice into discrete assessment objectives; [a] is the very first one and is foundational. To pass, you must demonstrate — with artifacts — that:
- A documented and management-approved list of authorized users exists for every system in the CMMC assessment scope.
- The list distinguishes human users from service or non-person entities (NPEs) such as scripts, service accounts, and machine identities.
- Each entry has a responsible owner, a business justification, and a last-reviewed date.
- The list is reconciled against the actual identity providers (Active Directory, Entra ID, Okta, AWS IAM, etc.) on a defined cadence.
- The list is updated when users join, move, or leave (the JML lifecycle).
Evidence Package a C3PAO Will Request
| Artifact | Where It Typically Lives | Common Gotchas |
|---|---|---|
| Access Control Policy | GRC / policy library | Boilerplate with no owner; no review date in the last 12 months. |
| Authorized User List (per system) | IAM platform export, AD reports, SailPoint, CyberSecureID | Includes disabled accounts; missing service accounts; no “system” column. |
| Onboarding Approvals | ITSM tickets (ServiceNow, Jira, Freshservice) | Provisioning happened before approval; no approver named. |
| Recertification / Access Reviews | IGA tool campaigns or signed manager attestations | Rubber-stamping: reviewers approving 100% with no changes. |
| Termination / Offboarding Records | HRIS-to-IAM integration logs | SLA missed; contractor accounts left active for months. |
Reference Architecture — Authoritative Identity Source
Figure: Authoritative Identity Architecture for CMMC L2. The HRIS / People System (Workday, BambooHR, ADP) is upstream of the Identity Provider (SOURCE OF TRUTH: Entra ID / Okta / CyberSecureID), which also covers Contractor Onboarding (sponsored, time-bound). Downstream consumers: CUI File Shares, GCC High / M365, Engineering / PLM, VPN / ZTNA. Every CUI-bearing system MUST consume identity from the IdP. No local accounts. No exceptions.
Real-World Examples — What Goes Wrong
Example 1 — The “Ghost Contractor” Breach
A mid-tier defense supplier in the Mid-Atlantic was preparing for a CMMC Level 2 assessment. During a Cyberwatch pen test we ran, our team discovered 17 active Active Directory accounts belonging to contractors whose engagements had ended 6–36 months earlier. Three of those accounts still had VPN access; one had access to the engineering share that contained CUI under DFARS 252.204-7012. None of these users were on the company’s “authorized users” spreadsheet because the spreadsheet was last updated 9 months prior.
Lesson: The spreadsheet is not the source of truth — the IdP is. AC.L2-3.1.1[a] requires the actual list of authorized users to match the system of record. A C3PAO will reconcile your stated list against AD and ask you to explain every delta.
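The reconciliation an assessor performs, and the one the requirements list above asks you to run on a cadence, can be automated. The following is an added example, not a script from the page's author or from any product named here: it loads a constructed authorized-user list (one row per identity per in-scope system) and a constructed IdP export, then reports every class of delta you would be asked to explain: enabled accounts that were never authorized, listed accounts missing from the IdP, listed accounts that are disabled, non-person entities with no owner of record, missing justifications, and entries whose last review is older than the (assumed) quarterly cadence. Column names, the 90-day cadence and all sample data are assumptions.

```python
"""Reconcile an authorized-user list against an identity-provider export.

Added example for AC.L2-3.1.1[a]; illustrative code, not a product or script
from the page's author. Column names, the review cadence and both data sets
are constructed assumptions; replace them with your own exports.
"""
import csv
import io
from datetime import date, timedelta

# Constructed authorized-user list as an ISSO might maintain it.
# 'type' is human or npe (non-person entity); 'owner' may be blank by mistake.
AUTHORIZED_LIST_CSV = """\
system,account,type,owner,justification,last_reviewed
cui-share,j.doe,human,eng-manager,Program X engineer,2024-05-01
cui-share,a.smith,human,eng-manager,Program X engineer,2024-05-01
cui-share,svc-backup,npe,,nightly CUI share backup,2023-11-15
cui-share,c.brown,human,eng-manager,Program X engineer,2024-05-01
vpn,j.doe,human,it-manager,Remote access,2024-05-01
vpn,a.smith,human,it-manager,Remote access,2024-05-01
"""

# Constructed IdP export (the kind of report pulled from AD or Entra ID):
# which accounts actually exist per system and whether they are enabled.
IDP_EXPORT = [
    {"system": "cui-share", "account": "j.doe", "enabled": True},
    {"system": "cui-share", "account": "a.smith", "enabled": True},
    {"system": "cui-share", "account": "svc-backup", "enabled": True},
    {"system": "cui-share", "account": "c.brown", "enabled": False},
    {"system": "cui-share", "account": "old-contractor", "enabled": True},
    {"system": "vpn", "account": "j.doe", "enabled": True},
    {"system": "vpn", "account": "old-contractor", "enabled": True},
]

REVIEW_MAX_AGE = timedelta(days=90)  # assumed quarterly recertification cadence


def load_authorized(csv_text):
    """Parse the authorized-user list into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(authorized_rows, idp_rows, as_of_iso):
    """Return the deltas an assessor would ask you to explain, keyed by finding type.

    Keys are (system, account) tuples so the same person on two systems is
    two separate authorizations, as the objective requires.
    """
    as_of = date.fromisoformat(as_of_iso)
    listed = {(r["system"], r["account"]): r for r in authorized_rows}
    actual = {(r["system"], r["account"]): r for r in idp_rows}

    return {
        # Enabled in the IdP but never authorized: orphaned / ghost accounts.
        "in_idp_not_authorized": sorted(
            k for k, r in actual.items() if r["enabled"] and k not in listed),
        # Authorized on paper but absent from the IdP: list is stale or wrong.
        "authorized_not_in_idp": sorted(k for k in listed if k not in actual),
        # Still listed although the account is disabled: leaver not removed.
        "authorized_but_disabled": sorted(
            k for k in listed if k in actual and not actual[k]["enabled"]),
        # Non-person entities must have an owner of record.
        "npe_without_owner": sorted(
            k for k, r in listed.items() if r["type"] == "npe" and not r["owner"].strip()),
        # Every entry needs a business justification.
        "missing_justification": sorted(
            k for k, r in listed.items() if not r["justification"].strip()),
        # Last-reviewed date older than the recertification cadence.
        "stale_review": sorted(
            k for k, r in listed.items()
            if as_of - date.fromisoformat(r["last_reviewed"]) > REVIEW_MAX_AGE),
    }


def reconciliation_passes(findings):
    """True only when every finding category is empty."""
    return all(not v for v in findings.values())


def run_example():
    """Run the reconciliation on the constructed data as of an assumed date."""
    return reconcile(load_authorized(AUTHORIZED_LIST_CSV), IDP_EXPORT, "2024-06-01")


if __name__ == "__main__":
    result = run_example()
    for kind, keys in result.items():
        print(f"{kind}: {keys}")
    print("PASS" if reconciliation_passes(result) else "FAIL: explain every delta above")
```

Run it as-is to see the six finding categories; on the constructed data it flags the unlisted contractor on two systems, a disabled account still on the list, a service account with no owner and an overdue review. In practice the IdP export comes from a scheduled job (an AD or Entra ID report), and the script's output is itself evidence of the reconciliation cadence when it is retained with a timestamp.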
Example 2 — Service Accounts Nobody Owns
Public-domain breach forensics from incidents like the 2020 SolarWinds compromise and numerous ransomware events show a recurring pattern: over-privileged service accounts with no human owner. When the password is 8 years old, MFA is “impossible” because the application doesn’t support it, and the only person who knew the password retired in 2019, that account is a textbook AC.L2-3.1.1[a] failure. It is also a textbook initial-access vector for adversaries.
Lesson: Service / non-person identities count. Each one needs an owner of record, a documented business justification, and a recertification cadence.
Example 3 — The Acquisition That Failed CMMC
An aerospace prime acquired a smaller subcontractor and inherited three different identity domains. Each domain had its own “authorized users” list, none reconciled with HR. When the C3PAO arrived, the assessor asked a single question: “Show me the list of every person currently authorized to touch CUI on any of your systems.” The team produced four different answers in 90 minutes. The assessment was paused. Remediation took 5 months, delaying contract award.
Lesson: Mergers, acquisitions, and multi-tenant environments compound this risk. Consolidate to a single authoritative IdP — or accept that you are starting compliance over.
How Northern Data Solutions Helps You Pass AC.L2-3.1.1[a]
| Service Offering | What It Does for AC.L2-3.1.1[a] |
|---|---|
| Cyberwatch — Risk Identification | Third-party penetration testing, validation, and vulnerability identification surfaces orphaned accounts, stale contractors, and over-privileged service identities before a C3PAO does. Independent attestation that your authorized-user list reconciles with reality. |
| Cyberwatch Advanced | Operationalizes the controls: Identity & Access Management with adaptive MFA (CyberSecureID), Principle of Least Privilege enforcement, Zero Trust Architecture, attack-surface visibility, password management & rotation, and the cybersecurity training platform that produces signed employee attestations, the evidence assessors actually want. |
| Compliance-as-a-Service | Manages your SSP, POA&Ms, control evidence, and recertification campaigns inside one platform. Maps every artifact to the specific NIST 800-171 / CMMC objective, including AC.L2-3.1.1[a], so you walk into your assessment with the binder pre-built. |
| vCSO (Virtual CSO) | Executive-level guidance for boards and leadership on identity strategy, scope decisions (CUI boundary), C3PAO selection, and remediation prioritization across CMMC, FTC Safeguards, and PCI. |
Engagement model: Most clients begin with a Cyberwatch baseline assessment (1–2 weeks), then move into Cyberwatch Advanced and Compliance-as-a-Service to remediate and harvest evidence ahead of their CMMC Joint Surveillance or full L2 assessment.
External References & Authoritative Sources
NIST SP 800-171 Rev. 2 — Protecting CUI in Nonfederal Systems
NIST SP 800-53 Rev. 5 — AC-2 Account Management (parent control)
DFARS 252.204-7012 — Safeguarding Covered Defense Information
Verizon Data Breach Investigations Report (DBIR) — credential & identity-driven breach trends
Are You Ready for the Assessor? — 10-Point Readiness Check
1. We have a single authoritative IdP for every system in the CMMC scope.
2. HRIS is the upstream source for all human identities and triggers JML automatically.
3. Contractor accounts are time-bound and sponsored.
4. Service / non-person accounts each have a named owner and a recertification cadence.
5. The Access Control Policy names this objective explicitly and was reviewed within 12 months.
6. Onboarding tickets show approval before provisioning.
7. Quarterly access reviews are run and produce signed evidence.
8. Termination SLA is documented and met: pull 10 random terminations and prove it.
9. The “authorized user list” produced for the assessor matches the IdP within tolerance.
10. A vCSO has reviewed the package against the CMMC Assessment Guide L2 v2.13.
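Item 8 above ("pull 10 random terminations and prove it") is the check most often done by hand. The following added example, which is not code from the page's author or any product named here, shows how to produce that evidence from two exports: a constructed HRIS leaver feed and a constructed excerpt of IdP account-disable audit events. For each leaver it computes hours from separation to disable, treats a missing disable event as a miss (the account may still be active), and draws a reproducible random sample of the size the assessor asks for. The 24-hour SLA, record layouts and timestamps are assumptions.

```python
"""Termination SLA evidence: HRIS leaver dates vs. IdP account-disable events.

Added example for the readiness item "Termination SLA is documented and met";
not code from the page's author. The 24-hour SLA, the record layouts and the
sample records are constructed assumptions.
"""
import random
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # assumed policy: disable within 24h of separation

# Constructed HRIS leaver feed: employee id, account, separation timestamp (UTC).
HRIS_TERMINATIONS = [
    {"emp_id": "E100", "account": "j.doe", "separated": "2024-04-02T17:00:00"},
    {"emp_id": "E101", "account": "a.smith", "separated": "2024-04-05T12:00:00"},
    {"emp_id": "E102", "account": "c.brown", "separated": "2024-04-09T09:30:00"},
    {"emp_id": "E103", "account": "d.lee", "separated": "2024-04-12T16:00:00"},
]

# Constructed IdP audit-log excerpt of account-disable events (the kind of
# record an AD or Entra ID audit export provides). d.lee has no event at all.
IDP_DISABLE_EVENTS = [
    {"account": "j.doe", "disabled": "2024-04-02T18:15:00"},    # 1.25h, within SLA
    {"account": "a.smith", "disabled": "2024-04-08T10:00:00"},  # 70h, SLA missed
    {"account": "c.brown", "disabled": "2024-04-09T20:00:00"},  # 10.5h, within SLA
]


def _ts(text):
    return datetime.fromisoformat(text)


def evaluate_termination(term, disable_by_account, sla):
    """One evidence row for a leaver: hours to disable and whether the SLA was met."""
    separated = _ts(term["separated"])
    event = disable_by_account.get(term["account"])
    if event is None:
        # No disable event is the worst case: the account may still be active.
        return {"account": term["account"], "hours_to_disable": None,
                "met_sla": False, "note": "no disable event found; account may still be active"}
    elapsed = _ts(event["disabled"]) - separated
    hours = round(elapsed.total_seconds() / 3600, 2)
    met = elapsed <= sla
    return {"account": term["account"], "hours_to_disable": hours,
            "met_sla": met, "note": "" if met else "disabled after SLA"}


def termination_sla_report(terminations, disable_events, sla=SLA):
    """Evaluate every leaver in the sample and summarise SLA compliance."""
    by_account = {e["account"]: e for e in disable_events}
    rows = [evaluate_termination(t, by_account, sla) for t in terminations]
    met = sum(1 for r in rows if r["met_sla"])
    return {"rows": rows, "checked": len(rows), "met": met,
            "missed": len(rows) - met, "sla_hours": sla.total_seconds() / 3600}


def sample_terminations(terminations, n, seed=0):
    """Reproducible random sample, so the assessor can re-draw the same 10."""
    rng = random.Random(seed)
    return rng.sample(terminations, min(n, len(terminations)))


def run_example():
    """Report over the whole constructed feed (fewer than 10 leavers, so no sampling)."""
    return termination_sla_report(HRIS_TERMINATIONS, IDP_DISABLE_EVENTS)


if __name__ == "__main__":
    report = run_example()
    for row in report["rows"]:
        status = "MET" if row["met_sla"] else "MISSED"
        print(f"{row['account']:<12} {row['hours_to_disable']!s:>8}h  {status}  {row['note']}")
    print(f"{report['met']}/{report['checked']} within {report['sla_hours']:.0f}h SLA")
```

Keep the seed used for `sample_terminations` with the evidence so the draw can be reproduced. A real run replaces the two constructed lists with the HRIS export and the IdP audit export for the review period; the output rows, retained with the source exports, are the artifact the assessor expects for the termination / offboarding line in the evidence table.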
Next Step: If you cannot confidently check all 10 boxes above, contact your Northern Data Solutions vCSO to schedule a Cyberwatch identity-focused assessment. We will deliver a gap report mapped directly to AC.L2-3.1.1[a] and the remaining 14 access-control objectives.