AC.L2-3.1.1[c] — Authorized Access Control (Devices and Other Systems Authorized to Connect Are Identified)
Domain: Access Control (AC) | Practice: AC.L2-3.1.1 | Objective ID: 3.1.1[c] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2
Assessment Objective: Devices (and other systems) authorized to connect to the system are identified.
Executive Summary (For Leadership and the Board)
You cannot defend what you cannot see. Objective AC.L2-3.1.1[c] requires a definitive inventory of every device and connected system authorized to interact with the CUI environment — workstations, laptops, mobile phones, IoT, OT/ICS, MFPs, smart TVs in conference rooms, third-party SaaS integrations, and external partner systems. If a device can talk to a CUI-bearing system, it must be on the list, owned, hardened, and recertified.
For executives, the cleanest test is the “walk the floor” test: pick a Wi-Fi SSID and a wired port, and ask, "What plugs in here, and where is that documented?" If the answer is a stale spreadsheet or a shrug, the organization will fail this objective and is exposed to the same class of breach that hit Target in 2013: an unmanaged third-party or shadow-IT connection nobody had on a list.
Business Question | What Leadership Must Confirm |
|---|---|
Do we have a single, current asset inventory across all device classes? | An authoritative inventory exists, is owned, and reconciles with what the network actually sees. |
Can unauthorized devices connect today? | Network Access Control (NAC), 802.1X, or device-certificate enforcement is in place on every CUI-adjacent network segment. |
Are external partners and SaaS integrations counted? | Vendor / SaaS / partner-system connections are inventoried and reviewed. |
Are we ready to show the C3PAO our list and prove it matches the network? | Inventory-vs-network reconciliation is run at a defined cadence. |
Executive Risk Lens: The Target breach began with a third-party HVAC vendor's remote access, and a large share of ransomware intrusions start from a forgotten remote-access path or an unmanaged device. Unmanaged devices and undocumented third-party connections are among the most common backdoors into CUI environments.
How Authorization Should Flow
From request to authoritative record
Technical Deep Dive (For Engineers, IAM Admins, and ISSOs)
What the Objective Requires
Objective [c] draws on NIST SP 800-53 CM-8 (System Component Inventory), AC-3 (Access Enforcement), and IA-3 (Device Identification and Authentication). The in-scope population is defined by the assessment boundary in your SSP. The objective asks you to identify the devices that are authorized to connect; in practice the only way to prove that list is complete is to also discover everything that actually connects, so that anything not on the list is caught rather than assumed away.
A device inventory exists per network segment in CMMC scope, including manufacturer, model, OS, owner, location, and connection method.
The inventory distinguishes corporate-managed, BYOD, contractor, IoT/OT, and third-party / partner devices.
The inventory is reconciled with NAC logs, DHCP, ARP, EDR/MDM, and network discovery tools at a defined cadence.
Each device authentication mechanism (802.1X EAP-TLS, device cert, certificate-based VPN, etc.) is documented.
External / partner system connections are documented with Interconnection Security Agreements (ISAs) where applicable.
BYOD policy explicitly addresses CUI — and ideally excludes BYOD from the CUI scope.
Decommissioning procedures wipe and remove devices from the inventory and revoke certificates.
Evidence Package a C3PAO Will Request
Artifact | Where It Typically Lives | Common Gotchas |
|---|---|---|
Device / Asset Inventory | Intune, Jamf, CMDB, ServiceNow, CyberSecureID | Workstation count off by 20% from EDR; no IoT entries; no MFP entries. |
NAC / 802.1X Enforcement Records | Cisco ISE, Aruba ClearPass, Forescout | “Monitor mode” only — no actual blocking; guest VLAN allows CUI server access. |
MDM / EDR Coverage Reports | CrowdStrike, Defender, SentinelOne, Intune | Coverage gap of 5–15% — the gap is exactly where the unmanaged devices live. |
Interconnection Agreements (ISAs) | Vendor / partner agreements | “Site-to-site VPN” with no ISA, no scope, no review. |
Asset Decommission Records | Disposal / wipe certificates | Devices “retired” in the CMDB but still pulling DHCP. |
Reference Architecture — Authoritative Source
Real-World Examples — What Goes Wrong
Example 1 — The HVAC Lesson (Target, 2013, Re-Lived in DIB)
A defense supplier let an HVAC vendor connect to its “office” network for remote monitoring. The office network had a flat path to the engineering segment that held CUI. During a Cyberwatch pen test, our team pivoted from the HVAC vendor’s VPN through to the engineering subnet in under 40 minutes. The HVAC interconnection was not on any device or system inventory.
Lesson: Vendor and partner systems are devices for purposes of AC.L2-3.1.1[c]. They must be inventoried, segmented, and bound by an Interconnection Security Agreement.
Example 2 — The Conference-Room Smart TV
A smart TV with built-in Chromecast received auto-updates over the corporate VLAN that also routed to a CUI file share. It maintained an outbound connection to a foreign-hosted update server. It was not in any inventory. After a media report on similar TV vulnerabilities, the firm discovered the device had been beaconing for 18 months.
Lesson: Every device that can speak IP must be inventoried and segmented. IoT belongs on its own VLAN with no path to CUI — full stop.
Example 3 — BYOD on the CUI Mobile Network
An executive’s personal iPad was enrolled in M365 with full mailbox access. The mailbox contained CUI-marked attachments. The iPad was lost on a flight. No remote wipe could be issued because BYOD enrollment was “light-touch” and the device was not in MDM. The loss was a reportable cyber incident under DFARS 252.204-7012, which requires reporting within 72 hours of discovery.
Lesson: BYOD and CUI are a difficult combination. The cleanest path to AC.L2-3.1.1[c] is to scope BYOD out of CUI entirely and issue managed devices for that work.
How Northern Data Solutions Helps You Pass AC.L2-3.1.1[c]
Service Offering | What It Does for AC.L2-3.1.1[c] |
|---|---|
Cyberwatch — Risk Identification | Third-party penetration testing, validation, and vulnerability identification surfaces gaps related to AC.L2-3.1.1[c] before a C3PAO does. Independent attestation that controls match reality. |
Cyberwatch Advanced | Operationalizes the controls: Identity & Access Management with adaptive MFA (CyberSecureID), Principle of Least Privilege, Zero Trust Architecture, attack-surface visibility, password management & rotation, and the cybersecurity training platform that produces signed employee attestations — the evidence assessors actually want. |
Compliance-as-a-Service | Manages your SSP, POA&Ms, control evidence, and recertification campaigns inside one platform. Maps every artifact to the specific NIST 800-171 / CMMC objective — including AC.L2-3.1.1[c] — so you walk into your assessment with the binder pre-built. |
vCSO (Virtual CSO) | Executive-level guidance for boards and leadership on identity strategy, scope decisions (CUI boundary), C3PAO selection, and remediation prioritization across CMMC, FTC Safeguards, and PCI. |
Engagement model: Most clients begin with a Cyberwatch baseline assessment (1–2 weeks), then move into Cyberwatch Advanced and Compliance-as-a-Service to remediate and harvest evidence ahead of their CMMC Joint Surveillance or full L2 assessment.
Related Articles in CyberKnowledge
External References & Authoritative Sources
NIST SP 800-171 Rev. 2 — Protecting CUI in Nonfederal Systems
NIST SP 800-53 Rev. 5 — AC-2 Account Management (parent control)
DFARS 252.204-7012 — Safeguarding Covered Defense Information
Are You Ready for the Assessor? — 10-Point Readiness Check
A single authoritative device inventory exists and reconciles within 1% of network discovery.
Every CUI-adjacent network segment enforces 802.1X or equivalent device authentication.
IoT, OT, MFPs, and conference-room equipment are inventoried and segmented away from CUI.
BYOD is either out-of-scope for CUI or fully MDM-enrolled with conditional access.
Vendor / partner system connections have ISAs and named owners.
MDM and EDR coverage exceeds 99% on in-scope endpoints.
Decommissioned devices are wiped, revoked, and removed within SLA.
DHCP / ARP / NAC logs feed the SIEM and trigger alerts on unknown MACs. A MAC address is trivially spoofed, so this is detection, not enforcement; 802.1X with device certificates is the enforcement layer.
Network diagram in the SSP matches reality (verified annually).
A Cyberwatch attack-surface scan has been run within the last 12 months and findings are closed.
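The reconciliation described in the requirements list (inventory versus DHCP, ARP and NAC data at a defined cadence) and in the readiness check (alerts on unknown MACs, retired devices still pulling DHCP) is mechanical enough to script. The block below is an added example written for this article; it is not Northern Data Solutions, CyberSecureID or any vendor's code. It assumes the inventory is a CSV export with `mac,hostname,owner,class,status` columns, DHCP data in dnsmasq `dhcp.leases` line format, and ARP data in `ip neigh` output format; a NAC accounting feed would plug in as a third source in the same way. All sample rows are constructed for illustration.

```python
"""Reconcile an authorized-device inventory against what the network actually sees.

Added example for AC.L2-3.1.1[c]; not vendor code. Assumptions: inventory CSV with
mac,hostname,owner,class,status; DHCP leases in dnsmasq format; ARP rows in
`ip neigh` format. Sample data below is constructed.
"""
from __future__ import annotations
import csv
import io
import re
from dataclasses import dataclass

# Only used to validate a field that sits at a known position; deliberately not
# used with findall(), because a DHCP client-id like 01:00:11:22:33:44:01 would
# yield a bogus second "MAC" if scanned as free text.
MAC_RE = re.compile(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)

INVENTORY_CSV = """mac,hostname,owner,class,status
00:11:22:33:44:01,eng-ws-01,jdoe,corporate,active
00-11-22-33-44-02,eng-lt-07,asmith,corporate,active
00:11:22:33:44:03,mfp-eng-2,facilities,iot,active
00:11:22:33:44:04,eng-ws-old,jdoe,corporate,retired
"""

# dnsmasq lease line: <expiry> <mac> <ip> <hostname> <client-id>   (constructed)
DHCP_LEASES = """1717000000 00:11:22:33:44:01 10.10.20.11 eng-ws-01 01:00:11:22:33:44:01
1717000000 00:11:22:33:44:04 10.10.20.14 eng-ws-old *
1717000000 3c:52:82:aa:bb:cc 10.10.20.77 SAMSUNG-TV *
"""

# `ip neigh` line: <ip> dev <iface> lladdr <mac> <state>   (constructed)
ARP_TABLE = """10.10.20.11 dev eth1 lladdr 00:11:22:33:44:01 REACHABLE
10.10.20.14 dev eth1 lladdr 00:11:22:33:44:04 STALE
10.10.20.90 dev eth1 lladdr f4:5c:89:de:ad:01 REACHABLE
"""


def norm_mac(mac: str) -> str:
    """Lower-case colon form, so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_inventory(text: str) -> dict[str, dict]:
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def parse_dhcp_leases(text: str) -> set[str]:
    macs = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and MAC_RE.fullmatch(f[1]):
            macs.add(norm_mac(f[1]))
    return macs


def parse_arp(text: str) -> set[str]:
    macs = set()
    for line in text.splitlines():
        f = line.split()
        if "lladdr" in f:
            mac = f[f.index("lladdr") + 1]
            if MAC_RE.fullmatch(mac):
                macs.add(norm_mac(mac))
    return macs


def observe(sources: dict[str, set[str]]) -> dict[str, set[str]]:
    """Merge per-source MAC sets into mac -> {source names that saw it}."""
    seen: dict[str, set[str]] = {}
    for name, macs in sources.items():
        for m in macs:
            seen.setdefault(m, set()).add(name)
    return seen


@dataclass
class Reconciliation:
    unknown: dict[str, set[str]]   # observed, not in inventory at all
    retired_but_live: set[str]     # inventory says retired, network says otherwise
    inventory_not_seen: set[str]   # active in inventory, not observed this cycle
    authorized_share: float        # % of observed MACs that are active inventory entries


def reconcile(inventory: dict[str, dict], observed: dict[str, set[str]]) -> Reconciliation:
    seen = set(observed)
    active = {m for m, r in inventory.items() if r["status"] == "active"}
    retired = {m for m, r in inventory.items() if r["status"] == "retired"}
    unknown = {m: observed[m] for m in seen - set(inventory)}
    share = 100.0 * len(seen & active) / len(seen) if seen else 100.0
    return Reconciliation(unknown, seen & retired, active - seen, share)


def siem_alerts(rec: Reconciliation) -> list[str]:
    """Key=value lines suitable for forwarding to a SIEM (detection only; MACs spoof)."""
    out = [f"UNKNOWN_DEVICE mac={m} seen_by={','.join(sorted(s))}"
           for m, s in sorted(rec.unknown.items())]
    out += [f"RETIRED_DEVICE_ACTIVE mac={m}" for m in sorted(rec.retired_but_live)]
    return out


def run_demo() -> Reconciliation:
    inventory = parse_inventory(INVENTORY_CSV)
    observed = observe({"dhcp": parse_dhcp_leases(DHCP_LEASES), "arp": parse_arp(ARP_TABLE)})
    return reconcile(inventory, observed)


if __name__ == "__main__":
    result = run_demo()
    print("\n".join(siem_alerts(result)))
    print(f"authorized share of observed devices: {result.authorized_share:.1f}%")
```

On the constructed data the script flags the conference-room TV and one other unlisted MAC as unknown, catches the "retired" workstation that is still leasing an address, and reports two active inventory entries it did not see this cycle (worth a look, not necessarily a finding). The authorized-share figure is the number to track against the readiness check's 1% tolerance; the alert lines are the kind of thing the SIEM rule in the readiness check should fire on.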
Next Step: If your device inventory and your network do not agree, contact your Northern Data Solutions vCSO to schedule a Cyberwatch attack-surface visibility engagement. We will reconcile your inventory to reality and produce a CMMC-ready evidence package.
Tags: AC.L2-3.1.1[c], cmmc