AC.L2-3.1.1[b] — Authorized Access Control (Processes Acting on Behalf of Authorized Users Are Identified)

Domain: Access Control (AC) | Practice: AC.L2-3.1.1 | Objective ID: 3.1.1[b] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 | Assessment Objective: Processes acting on behalf of authorized users are identified.
Executive Summary (For Leadership and the Board)
Modern enterprises run on non-person entities (NPEs): service accounts, scheduled tasks, RPA bots, CI/CD pipelines, API integrations, scripts, and machine identities. Each one acts on behalf of an authorized human and inherits some or all of that human’s privileges. CMMC objective AC.L2-3.1.1[b] demands that you can produce a definitive, owned, and reconciled inventory of these process identities — just as you would for human users.
For boards and executives, the question to ask is uncomfortably simple: If a service account took an action against CUI tonight, who is the named human owner accountable for what it did? If the answer is "no one" or "we’d have to investigate," the organization is not ready for a CMMC L2 assessment and is exposed to the most common ransomware initial-access vector in the industry.
| Business Question | What Leadership Must Confirm |
|---|---|
| Do we have a definitive inventory of every service account, bot, and pipeline? | An NPE inventory is owned, current, and tied to the IdP / vault. |
| Does every NPE have a named human owner? | Each entry has an accountable owner, business justification, and review date. |
| Are NPE secrets vaulted, rotated, and audited? | Privileged Access Management (PAM) covers all NPEs in scope — no plaintext secrets in code or scheduled tasks. |
| Can we revoke an NPE within minutes if compromised? | Documented break-glass and rotation procedures, tested at least annually. |
Executive Risk Lens: Compromised service accounts and machine identities are the dominant pathway in modern ransomware and supply-chain incidents (Verizon DBIR, Mandiant M-Trends). An untracked NPE with privileged access to CUI is a single point of catastrophic failure.
How Authorization Should Flow (diagram: from request to authoritative record)
Technical Deep Dive (For Engineers, IAM Admins, and ISSOs)
What the Objective Requires
NIST SP 800-171 3.1.1 maps to NIST SP 800-53 AC-2 (Account Management) and IA-9 (Service Identification & Authentication). Objective [b] shifts focus from human identities to processes acting on behalf of users. Practically, that means service accounts in Active Directory, managed identities in Entra/Azure, IAM roles in AWS, service principals, OAuth client credentials, scheduled tasks, RPA bot accounts, CI/CD runners, integration users in SaaS, and any script credential that can act against a CUI system.
- A documented and management-approved NPE inventory exists per system in CMMC scope.
- Each NPE has a named human owner, business justification, source application, and review cadence.
- Secrets are stored in a vault / PAM (CyberArk, HashiCorp Vault, AWS Secrets Manager, CyberSecureID) — never in source code, GPOs, or scheduled-task plaintext.
- Secrets are rotated on a defined cadence and on owner departure.
- Each NPE has a least-privilege scope — bound to the smallest possible permission set.
- The inventory is reconciled against AD / Entra / cloud IAM at least quarterly.
- Each NPE produces auditable telemetry — logs of what it did, when, and from where (AU.L2-3.3.1 alignment).
Evidence Package a C3PAO Will Request
| Artifact | Where It Typically Lives | Common Gotchas |
|---|---|---|
| NPE / Service Account Inventory | PAM, IGA, AD reports, CyberSecureID | Kerberoastable accounts; SPNs no one owns; passwords > 1 year old. |
| NPE Onboarding Records | ITSM tickets with named owner approval | “Generic” service account requests — no owner, no justification. |
| Vault / PAM Audit Logs | CyberArk, Vault, Secrets Manager | Plaintext secrets in Group Policy Preferences, code repos, or runbooks. |
| Quarterly NPE Recertification | IGA campaign export | Bots that “need” Domain Admin with no documented reason. |
| Decommission / Rotation Records | Change tickets + vault rotation logs | Rotation skipped because “the app would break.” |
Reference Architecture — Authoritative Source
Real-World Examples — What Goes Wrong
Example 1 — The Kerberoastable Backup Account
During a Cyberwatch pen test we captured a single Kerberos TGS for an old SQL backup service account that had been promoted to Domain Admin in 2018 “temporarily” and never demoted. The password was a 12-character dictionary phrase set 6 years prior. Within four hours we cracked it offline and demonstrated full domain compromise — including the CUI engineering share. This NPE was not on the client’s service-account inventory.
Lesson: NPEs decay silently. Without quarterly reconciliation against AD — including SPN scans — you will not know which service accounts have become weapons.
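The quarterly reconciliation called for in the requirements list above and in this lesson can be scripted. The example below is added here and is not the page's or Northern Data Solutions' code: it reconciles a constructed AD export (the columns a `Get-ADUser` report would produce, flattened to CSV) against a constructed PAM/IGA inventory and flags the exact gaps Example 1 describes: accounts in AD that the inventory does not know about, SPN-bearing accounts whose password is older than an assumed 365-day threshold, privileged-group membership, missing or departed owners, and overdue recertification. The column names, the group list, and the threshold are assumptions; adapt them to your exports.

```python
"""Reconcile an NPE inventory against an AD export and flag the gaps an
assessor (or a pen tester) would find. Added example with constructed data;
not the page's or Northern Data Solutions' code."""
import csv
import io
from datetime import date, timedelta

# Constructed AD export: the columns a Get-ADUser/Get-ADServiceAccount
# report would produce, flattened to CSV. memberOf is ';'-separated.
AD_EXPORT = """\
sAMAccountName,servicePrincipalName,pwdLastSet,memberOf,enabled
svc_sqlbackup,MSSQLSvc/sql01.corp.example:1433,2018-03-02,Domain Admins;Backup Operators,True
svc_build,,2025-11-01,Build Operators,True
svc_legacy_ftp,ftp/ftp01.corp.example,2019-06-15,Domain Users,True
svc_scan,,2025-12-20,Domain Users,True
"""

# Constructed service-account inventory as exported from PAM/IGA.
INVENTORY = """\
account,owner,owner_active,justification,review_due
svc_build,jdoe,True,Jenkins deploy to staging,2026-03-01
svc_scan,,True,Vulnerability scanner,2025-01-15
svc_retired,asmith,False,Old reporting job,2025-06-01
"""

MAX_PASSWORD_AGE = timedelta(days=365)   # assumed policy threshold
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(ad_csv, inventory_csv, today):
    """Return sorted (account, finding) pairs for every gap found."""
    ad = {r["sAMAccountName"]: r for r in _rows(ad_csv)}
    inv = {r["account"]: r for r in _rows(inventory_csv)}
    findings = []

    for name, row in ad.items():
        if name not in inv:
            findings.append((name, "present in AD but not in inventory"))
        password_age = today - date.fromisoformat(row["pwdLastSet"])
        # An SPN makes the account Kerberoastable; an old password makes the
        # offline crack cheap. Both together is the Example 1 scenario.
        if row["servicePrincipalName"] and password_age > MAX_PASSWORD_AGE:
            findings.append((name, "SPN set and password older than 365 days"))
        groups = {g.strip() for g in row["memberOf"].split(";") if g.strip()}
        privileged = sorted(groups & PRIVILEGED_GROUPS)
        if privileged:
            findings.append((name, "privileged membership: " + ", ".join(privileged)))

    for name, row in inv.items():
        if name not in ad:
            findings.append((name, "in inventory but absent from AD (stale entry)"))
            continue
        if not row["owner"]:
            findings.append((name, "no named owner"))
        elif row["owner_active"] != "True":
            findings.append((name, "owner no longer active"))
        if date.fromisoformat(row["review_due"]) < today:
            findings.append((name, "recertification overdue"))

    return sorted(findings)


def run_report(today_iso="2026-01-15"):
    """Run the reconciliation over the constructed data with a fixed 'today'
    so the output is reproducible."""
    return reconcile(AD_EXPORT, INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for account, finding in run_report():
        print(f"{account:16} {finding}")
```

Run against the constructed data, the old SQL backup account is reported three times (not inventoried, SPN with a 2018 password, Domain Admin), which is the same picture the pen test produced. Feeding real exports means replacing the two CSV strings with `Get-ADUser -Filter * -Properties servicePrincipalName,pwdLastSet,memberOf | Export-Csv` output and the PAM/IGA inventory export; the reconciliation logic does not change.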
Example 2 — Hardcoded Secrets in a Build Pipeline
A CI/CD pipeline at a defense subcontractor contained a DEPLOY_TOKEN environment variable hardcoded into a Jenkinsfile that had been committed to a private GitHub repo. When the repo was briefly made public for a contractor onboarding, the token was scraped within 90 minutes. The token had write access to a production system holding ITAR-relevant technical data. Detection took three weeks.
Lesson: Pipelines and scripts are NPEs. CMMC AC.L2-3.1.1[b] requires their credentials to live in a vault, be short-lived, and be rotated on disclosure — never in source code.
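The readiness item "verified by code-repo scans" is the control that catches Example 2 before a public repo does. The scanner below is an added example and not the page's or Northern Data Solutions' code: it walks pipeline and config text line by line, finds assignments to credential-looking names (`TOKEN`, `SECRET`, `PASSWORD`, `API_KEY`, and similar), and reports only those whose value is a quoted literal. References into a secret store, such as Jenkins' `credentials('id')` or a GitHub Actions `${{ secrets.X }}` expression, are deliberately not flagged, so the vaulted forms pass and the hardcoded `DEPLOY_TOKEN` does not. The sample files, the token values and the sensitive-name list are all constructed; the reported entropy helps triage but the rule is that any literal in a sensitive slot is a finding.

```python
"""Scan pipeline and config text for literal secrets assigned to
sensitive-looking names. Added example over constructed samples; not the
page's or Northern Data Solutions' code."""
import math
import re

# Assignment in Groovy/Jenkinsfile ("NAME = value"), YAML ("NAME: value")
# or shell ("export NAME=value") form.
ASSIGN = re.compile(
    r"^\s*(?:export\s+)?(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(?P<value>.+?)\s*$"
)
# Variable names that normally hold credentials (assumed list).
SENSITIVE = re.compile(
    r"(?i)(token|secret|passw(or)?d|api[_-]?key|private[_-]?key|client[_-]?secret)"
)
# A quoted string literal; references such as credentials('id'),
# ${{ secrets.X }} or $VAR are not quoted literals and are skipped.
LITERAL = re.compile(r"""^(['"])(?P<body>.*)\1$""")

# Constructed samples. The first is the Example 2 anti-pattern; the others
# show the vaulted / federated forms that should pass.
JENKINSFILE_BAD = """\
pipeline {
  environment {
    DEPLOY_TOKEN = 'tok_EXAMPLE_0123456789abcdefghijklmnop'
    APP_ENV = 'production'
  }
}
"""
JENKINSFILE_GOOD = """\
pipeline {
  environment {
    DEPLOY_TOKEN = credentials('deploy-token')   // pulled from the Jenkins credential store
    APP_ENV = 'production'
  }
}
"""
WORKFLOW_GOOD = """\
permissions:
  id-token: write
env:
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""
SHELL_BAD = """\
export DB_PASSWORD="hunter2"
export DB_HOST=db01.corp.example
"""


def shannon_entropy(s):
    """Bits per character; high values suggest a generated token."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text, filename="<memory>"):
    """Return one finding per literal secret; the value itself is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m or not SENSITIVE.search(m.group("name")):
            continue
        lit = LITERAL.match(m.group("value"))
        if not lit or "${" in lit.group("body") or "$(" in lit.group("body"):
            continue  # a reference into a vault or secret store, not a literal
        body = lit.group("body")
        findings.append({
            "file": filename,
            "line": lineno,
            "name": m.group("name"),
            "length": len(body),
            "entropy": round(shannon_entropy(body), 2),
        })
    return findings


def scan_samples():
    """Run the scanner over the constructed samples; returns {file: findings}."""
    samples = {
        "Jenkinsfile.bad": JENKINSFILE_BAD,
        "Jenkinsfile.good": JENKINSFILE_GOOD,
        "deploy.yml": WORKFLOW_GOOD,
        "env.sh.bad": SHELL_BAD,
    }
    return {name: scan(text, name) for name, text in samples.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, found or "clean")
```

The `permissions: id-token: write` stanza in the passing workflow is the GitHub Actions switch for OIDC-federated, short-lived credentials, which is the end state the readiness check asks for; the scanner only confirms that no static token has crept back into the file.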
Example 3 — The OAuth App That Outlived Its Purpose
A vendor onboarding tool was granted an OAuth integration to Microsoft 365 with Mail.ReadWrite.All tenant-wide consent in 2022. The vendor relationship ended in 2023. The OAuth grant remained live, with full mailbox access, until a Cyberwatch attack-surface scan flagged it in 2024. Eighteen months of unmonitored access to a CUI-bearing tenant.
Lesson: OAuth grants, API tokens, and SaaS-to-SaaS integrations are NPEs. They must be inventoried, owned, recertified, and revoked on lifecycle events — same standard as a human user.
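Recertifying OAuth grants on lifecycle events means joining the tenant's consent export to the vendor-management record, which a consent report alone cannot do. The example below is added here and is not the page's or Northern Data Solutions' code: over a constructed grant export and constructed vendor records it classifies each grant as keep, recertify or revoke. A grant whose vendor contract has ended, or that holds a tenant-wide high-risk scope such as `Mail.ReadWrite.All` with no named owner, is marked for revocation; a high-risk scope with an owner, or a grant unused for more than an assumed 90 days, goes to recertification. The scope list, the 90-day threshold and the record layout are assumptions.

```python
"""Review OAuth / SaaS-to-SaaS grants against vendor lifecycle and scope
risk. Added example with constructed data; not the page's or Northern Data
Solutions' code."""
from datetime import date, timedelta

# Tenant-wide scopes treated as high risk (assumed list; tune to your tenant).
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}

# Constructed grant export (what an Entra enterprise-app / consent report
# would give you once flattened). Dates are ISO strings.
GRANTS = [
    {"app": "Vendor Onboarding Tool", "vendor": "AcmeOnboard", "owner": "",
     "scopes": ["Mail.ReadWrite.All", "User.Read"], "consent": "admin",
     "granted": "2022-04-10", "last_used": "2023-02-01"},
    {"app": "Helpdesk Connector", "vendor": "HelpCo", "owner": "itops",
     "scopes": ["User.Read", "Mail.Send"], "consent": "admin",
     "granted": "2024-01-05", "last_used": "2026-01-10"},
    {"app": "Report Exporter", "vendor": "", "owner": "finance",
     "scopes": ["Files.ReadWrite.All"], "consent": "admin",
     "granted": "2025-09-01", "last_used": "2025-09-15"},
]

# Constructed vendor-management records; contract_end None = still active.
VENDORS = {
    "AcmeOnboard": {"contract_end": "2023-05-31"},
    "HelpCo": {"contract_end": None},
}


def review_grants(grants, vendors, today, unused_after=timedelta(days=90)):
    """Classify each grant as keep / recertify / revoke with reasons."""
    results = []
    for g in grants:
        revoke, recertify = [], []
        vendor = vendors.get(g["vendor"])
        end = vendor["contract_end"] if vendor else None
        # Lifecycle event: the vendor relationship ended but the grant is live.
        if end and date.fromisoformat(end) < today:
            revoke.append(f"vendor relationship ended {end}")
        risky = sorted(set(g["scopes"]) & HIGH_RISK_SCOPES)
        if risky and g["consent"] == "admin":
            if g["owner"]:
                recertify.append("tenant-wide high-risk scope needs owner justification: "
                                 + ", ".join(risky))
            else:
                revoke.append("tenant-wide high-risk scope with no named owner: "
                              + ", ".join(risky))
        if today - date.fromisoformat(g["last_used"]) > unused_after:
            recertify.append(f"unused for more than {unused_after.days} days")
        action = "revoke" if revoke else ("recertify" if recertify else "keep")
        results.append({"app": g["app"], "action": action,
                        "reasons": revoke + recertify, "high_risk_scopes": risky})
    return results


def run_review(today_iso="2026-01-15"):
    """Run the review over the constructed data with a fixed 'today'."""
    today = date.fromisoformat(today_iso)
    return {r["app"]: r for r in review_grants(GRANTS, VENDORS, today)}


if __name__ == "__main__":
    for app, r in run_review().items():
        print(f"{r['action']:10} {app}: {'; '.join(r['reasons']) or 'no findings'}")
```

The first constructed grant reproduces Example 3: the contract ended in 2023, nobody owns the app, the scope is tenant-wide mailbox access, and the grant has been unused for years. Wiring the contract-end date into the review is what turns a vendor offboarding ticket into a revocation rather than an eighteen-month blind spot.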
How Northern Data Solutions Helps You Pass AC.L2-3.1.1[b]
| Service Offering | What It Does for AC.L2-3.1.1[b] |
|---|---|
| Cyberwatch — Risk Identification | Third-party penetration testing, validation, and vulnerability identification surfaces gaps related to AC.L2-3.1.1[b] before a C3PAO does. Independent attestation that controls match reality. |
| Cyberwatch Advanced | Operationalizes the controls: Identity & Access Management with adaptive MFA (CyberSecureID), Principle of Least Privilege, Zero Trust Architecture, attack-surface visibility, password management & rotation, and the cybersecurity training platform that produces signed employee attestations — the evidence assessors actually want. |
| Compliance-as-a-Service | Manages your SSP, POA&Ms, control evidence, and recertification campaigns inside one platform. Maps every artifact to the specific NIST 800-171 / CMMC objective — including AC.L2-3.1.1[b] — so you walk into your assessment with the binder pre-built. |
| vCSO (Virtual CSO) | Executive-level guidance for boards and leadership on identity strategy, scope decisions (CUI boundary), C3PAO selection, and remediation prioritization across CMMC, FTC Safeguards, and PCI. |
Engagement model: Most clients begin with a Cyberwatch baseline assessment (1–2 weeks), then move into Cyberwatch Advanced and Compliance-as-a-Service to remediate and harvest evidence ahead of their CMMC Joint Surveillance or full L2 assessment.
External References & Authoritative Sources
- NIST SP 800-171 Rev. 2 — Protecting CUI in Nonfederal Systems
- NIST SP 800-53 Rev. 5 — AC-2 Account Management (parent control)
- DFARS 252.204-7012 — Safeguarding Covered Defense Information
Are You Ready for the Assessor? — 10-Point Readiness Check
1. We can produce a single NPE inventory across AD, Entra, AWS IAM, and major SaaS within one business day.
2. Every NPE has a named human owner who is currently employed and accountable.
3. All NPE secrets live in a PAM/vault — verified by code-repo and GPO scans.
4. Secrets rotation is automated where possible and proven in audit logs.
5. Service accounts use the lowest-possible privilege; Domain Admin NPEs are zero or fully justified.
6. Quarterly recertification of NPEs is run and produces signed evidence.
7. OAuth and SaaS-to-SaaS integrations are reviewed and revoked on lifecycle events.
8. An NPE break-glass / kill-switch procedure exists and is tested annually.
9. CI/CD runners use short-lived, OIDC-federated credentials — not long-lived static tokens.
10. Logs from NPE actions feed the SIEM with sufficient detail to attribute actions to the named human owner.
Next Step: If your organization cannot produce a complete, owned, vaulted NPE inventory in 24 hours, schedule a Cyberwatch service-account assessment with your Northern Data Solutions vCSO. We will deliver a gap report mapped to AC.L2-3.1.1[b] and IA.L2-3.5.x objectives.
Tags: AC.L2-3.1.1[b], cmmc