AC.L2-3.1.1[d] — Authorized Access Control (System Access Is Limited to Authorized Users)
Domain: Access Control (AC) | Practice: AC.L2-3.1.1 | Objective ID: 3.1.1[d] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2
Assessment Objective:
System access is limited to authorized users.
Executive Summary (For Leadership and the Board)
Objectives [a]–[c] require you to identify who, what processes, and what devices are authorized. Objective [d] raises the bar to enforcement: the systems themselves must technically prevent access by anyone who is not on the authorized list. Identification without enforcement is theater.
For executives, the meaningful question is: "If a former employee tried to log in to a CUI system from their home Wi-Fi tonight, what stops them?" The acceptable answer is a chain of enforcement: their account is disabled in the IdP, MFA would fail anyway, conditional access blocks the geography or device posture, and any attempt is logged and alerted. If the answer is “they wouldn’t,” you have a credential-stuffing risk and an AC.L2-3.1.1[d] failure.
| Business Question | What Leadership Must Confirm |
|---|---|
| Are unauthorized users technically blocked, not just ‘not on the list’? | Authentication enforcement is in place on every CUI system — no local accounts, no shared accounts. |
| Is MFA universal on CUI access paths? | Phishing-resistant MFA is required for every authentication to a CUI system. |
| Are blocked attempts visible? | Failed-logon and lockout events feed the SIEM and trigger alerts. |
| Can the C3PAO see proof? | Authentication logs, conditional-access policies, and access-attempt evidence are retained and producible on demand. |
How Authorization Should Flow
From request to authoritative record
Technical Deep Dive (For Engineers, IAM Admins, and ISSOs)
What the Objective Requires
Objective [d] maps to NIST SP 800-53 AC-3 (Access Enforcement), AC-7 (Unsuccessful Logon Attempts), and IA-2 (Identification & Authentication of Organizational Users). Where [a] required a list, [d] requires policy enforcement points (PEPs): identity-aware proxies, conditional access, MFA, and authentication logging on every CUI-bearing system.
- Every CUI-bearing system federates to the IdP: no local accounts, and no exceptions parked in a POA&M.
- Phishing-resistant MFA (FIDO2/WebAuthn authenticators such as security keys or passkeys, or certificate-based authentication such as PIV/CAC) is required for all CUI authentication. Push with number matching blunts MFA-fatigue attacks but is not phishing-resistant: an adversary-in-the-middle proxy relays the prompt and the user approves it.
- Conditional access evaluates user, device posture, network, and risk on every authentication.
- Disabled / terminated users cannot authenticate — verified by sampling.
- Lockout and throttling are configured to defeat password-spraying and credential-stuffing.
- Authentication logs are centralized in the SIEM with retention sufficient for CMMC and DFARS reporting.
- Shared / generic accounts are eliminated or strictly justified, vaulted, and audited.
Evidence Package a C3PAO Will Request
| Artifact | Where It Typically Lives | Common Gotchas |
|---|---|---|
| Authentication Federation Matrix | SSO inventory: every CUI system → IdP | Local admin accounts on hosts; legacy authentication still enabled on M365. |
| MFA Coverage Report | IdP / Entra / Okta reports | MFA on portal but not on legacy protocols (IMAP, POP, SMTP basic). |
| Conditional Access Policies | Entra CA / Okta sign-on policies | Policies in “report-only” mode — not enforcing. |
| Failed-Logon Alerting | SIEM use cases / detections | Brute-force alerts disabled or going to an unmonitored mailbox. |
| Disabled-User Test Evidence | Pen-test or red-team report | “Disabled” AD accounts still able to access SMB shares. |
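The two gotchas in the table that bite most often, a conditional-access policy left in report-only mode and legacy authentication that is never blocked, can be checked mechanically against a policy export. The following is an added example, not code from the page or from any vendor product: it audits a list of Entra ID conditional-access policies using the field names of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls). The three sample policies are constructed for this example, and matching the built-in "Phishing-resistant MFA" authentication strength by its display name is an assumption.

```python
"""Audit Entra ID conditional-access policies for the AC.L2-3.1.1[d] gotchas:
a policy left in report-only mode, legacy authentication not blocked, no enforced
all-users MFA policy (or one that is not phishing-resistant), and user exclusions
that need justification.  Sample policies are constructed, not a tenant export."""

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for report-only
ENFORCED = "enabled"
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # Graph clientAppTypes for basic/legacy auth
MODERN_CLIENT_APPS = {"browser", "mobileAppsAndDesktopClients"}
# Assumption: the built-in authentication strength is recognised by its display name.
PHISHING_RESISTANT = "Phishing-resistant MFA"

SAMPLE_POLICIES = [  # constructed sample data
    {"displayName": "Require MFA for all users",
     "state": REPORT_ONLY,   # the classic gotcha: never moved out of report-only
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["svc-scanner@example.com"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None}},
    {"displayName": "Block legacy authentication",
     "state": ENFORCED,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"], "authenticationStrength": None}},
    {"displayName": "Phishing-resistant MFA for CUI enclave",
     "state": ENFORCED,
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["cui-users"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"displayName": PHISHING_RESISTANT}}},
]


def _covers_all_users_and_apps(policy):
    c = policy["conditions"]
    return (c["users"].get("includeUsers") == ["All"]
            and c["applications"].get("includeApplications") == ["All"])


def _covers_clients(policy, wanted):
    """True if the policy applies to every client app type in wanted."""
    have = set(policy["conditions"].get("clientAppTypes", []))
    return "all" in have or wanted <= have


def mfa_level(policy):
    """'phishing-resistant', 'mfa' or None, read from the grant controls."""
    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength") or {}
    if strength.get("displayName") == PHISHING_RESISTANT:
        return "phishing-resistant"
    if strength or "mfa" in grant.get("builtInControls", []):
        return "mfa"
    return None


def blocks_legacy_auth(policy):
    """An enforced, tenant-wide block on the legacy client app types."""
    grant = policy.get("grantControls") or {}
    return (policy["state"] == ENFORCED
            and _covers_all_users_and_apps(policy)
            and _covers_clients(policy, LEGACY_CLIENT_APPS)
            and "block" in grant.get("builtInControls", []))


def audit(policies):
    """Return the findings an assessor would ask about, as a dict."""
    levels = {mfa_level(p) for p in policies
              if p["state"] == ENFORCED and _covers_all_users_and_apps(p)
              and _covers_clients(p, MODERN_CLIENT_APPS)}
    if "phishing-resistant" in levels:
        all_users_mfa = "phishing-resistant"
    elif "mfa" in levels:
        all_users_mfa = "mfa"
    else:
        all_users_mfa = "none"
    return {
        "report_only": [p["displayName"] for p in policies if p["state"] == REPORT_ONLY],
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "all_users_mfa": all_users_mfa,
        "mfa_exclusions": sorted({u for p in policies if mfa_level(p)
                                  for u in p["conditions"]["users"].get("excludeUsers", [])}),
    }


def with_state(policies, name, state):
    """Copy of policies with one policy's state changed, to test a remediation."""
    return [dict(p, state=state) if p["displayName"] == name else p for p in policies]


if __name__ == "__main__":
    for key, value in audit(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```

On the sample tenant the audit reports the all-users MFA policy as report-only, so the effective all-users MFA level is "none" even though a phishing-resistant policy exists for one group; flipping that policy to enforced raises the level only to "mfa", which is the second finding an assessor will raise. The service-account exclusion is listed so it can be justified or removed.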
Reference Architecture — Authoritative Source
Real-World Examples — What Goes Wrong
Example 1 — The Legacy Auth Backdoor
A defense subcontractor enabled MFA in M365 in 2020 and considered the work done. A Cyberwatch assessment in 2024 used basic authentication over IMAP, which had been left enabled, to authenticate as five users with credentials harvested from public credential dumps. None of the legacy-auth attempts triggered MFA, because basic authentication has no way to carry an MFA challenge. CUI mailboxes were accessible.
Lesson: AC.L2-3.1.1[d] enforcement only counts if it covers every authentication path. Disable legacy auth, enforce conditional access, and verify with red-team testing.
Example 2 — The Disabled Account That Wasn’t
On a credentialed pen test, our team picked a former employee whose AD account showed “disabled” in the GUI. The account’s SMB Kerberos ticket still worked, because group memberships and a stale logon session remained valid. We accessed two CUI shares with that account before remediation.
Lesson: Disablement must be tested. The C3PAO will sample. Run sampling yourself before the assessor does.
Example 3 — Password Spraying a Public Portal
A contractor exposed a Citrix portal directly to the internet with username/password authentication and no rate-limiting. Adversaries sprayed 50 common passwords against 8,000 known employee email addresses overnight. Three accounts compromised. Two had access to engineering CUI. Reportable incident, lost contracts, regulatory action.
Lesson: External-facing CUI access paths must require phishing-resistant MFA, rate limiting, and conditional access. Cyberwatch attack-surface visibility identifies these exposed front doors.
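All three examples above leave a footprint in IdP sign-in logs, and each is a detection a SOC should already be running. The following is an added example, not code from the page or from any vendor product: it runs three checks over Entra ID sign-in records using the field names of Entra sign-in logs (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, status.errorCode). The spray detector looks for breadth across accounts from one source inside a time window, which is what per-account lockout misses; the other two checks surface attempts against disabled accounts and successful sign-ins over legacy protocols. The sample records are constructed, and the error codes and clientAppUsed values are assumed to be Entra's documented ones.

```python
"""Detection logic for the three failure modes above, over Entra ID sign-in
records: (1) password spraying, (2) attempts against disabled accounts,
(3) successful sign-ins over legacy protocols that bypass MFA.
The sample records below are constructed for this example, not real tenant data."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: Entra's documented sign-in error codes for these conditions.
ERR_BAD_PASSWORD = 50126
ERR_ACCOUNT_DISABLED = 50057
# Assumption: clientAppUsed values Entra reports for basic/legacy auth paths.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


def _ts(event):
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_password_spray(events, min_accounts=10, window_minutes=60):
    """Map source IP -> max distinct accounts with a bad-password failure inside any
    window_minutes window, for IPs at or above min_accounts.  Per-account lockout
    never fires on a spray (one guess per account), so the signal is breadth of
    accounts from one source, not depth of failures on one account."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("status", {}).get("errorCode") == ERR_BAD_PASSWORD:
            by_ip[e["ipAddress"]].append((_ts(e), e["userPrincipalName"].lower()))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        counts, start, best = defaultdict(int), 0, 0
        for t, upn in fails:                 # sliding window over time-ordered failures
            counts[upn] += 1
            while fails[start][0] < t - window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_accounts:
            hits[ip] = best
    return hits


def disabled_account_attempts(events):
    """(upn, ip) for sign-ins the IdP refused because the account is disabled.
    Each one is evidence that disablement held, and a candidate alert."""
    return [(e["userPrincipalName"], e["ipAddress"]) for e in events
            if e.get("status", {}).get("errorCode") == ERR_ACCOUNT_DISABLED]


def legacy_auth_successes(events):
    """(upn, protocol) for successful sign-ins over protocols that bypass MFA."""
    return [(e["userPrincipalName"], e["clientAppUsed"]) for e in events
            if e.get("status", {}).get("errorCode", 0) == 0
            and e.get("clientAppUsed") in LEGACY_CLIENT_APPS]


def _rec(minute, upn, ip, code, app="Browser"):
    return {"createdDateTime": f"2024-03-04T02:{minute:02d}:00Z", "userPrincipalName": upn,
            "ipAddress": ip, "clientAppUsed": app, "status": {"errorCode": code}}

# Constructed sample: one source sprays 12 accounts in 33 minutes, alice mistypes
# twice then succeeds, a disabled ex-employee account is tried, one IMAP login succeeds.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in (
    [_rec(3 * i, f"user{i:02d}@example.com", "203.0.113.7", ERR_BAD_PASSWORD) for i in range(12)]
    + [_rec(10, "alice@example.com", "198.51.100.20", ERR_BAD_PASSWORD),
       _rec(11, "alice@example.com", "198.51.100.20", ERR_BAD_PASSWORD),
       _rec(12, "alice@example.com", "198.51.100.20", 0),
       _rec(40, "former.employee@example.com", "198.51.100.5", ERR_ACCOUNT_DISABLED),
       _rec(45, "bob@example.com", "192.0.2.33", 0, app="IMAP4")]))


def run_checks(text=SAMPLE_SIGNINS):
    events = parse_signins(text)
    return {"password_spray": detect_password_spray(events),
            "disabled_account_attempts": disabled_account_attempts(events),
            "legacy_auth_successes": legacy_auth_successes(events)}


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

On the sample data the spray source is flagged at 12 distinct accounts while alice's two typos from her own address are not, the disabled-account attempt is reported as a termination-process check that held, and bob's IMAP success is the Example 1 gap in log form. Thresholds are tunable; a real deployment feeds the same three checks from the SIEM rather than from an embedded sample.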
How Northern Data Solutions Helps You Pass AC.L2-3.1.1[d]
| Service Offering | What It Does for AC.L2-3.1.1[d] |
|---|---|
| Cyberwatch — Risk Identification | Third-party penetration testing, validation, and vulnerability identification surfaces gaps related to AC.L2-3.1.1[d] before a C3PAO does. Independent attestation that controls match reality. |
| Cyberwatch Advanced | Operationalizes the controls: Identity & Access Management with adaptive MFA (CyberSecureID), Principle of Least Privilege, Zero Trust Architecture, attack-surface visibility, password management & rotation, and the cybersecurity training platform that produces signed employee attestations — the evidence assessors actually want. |
| Compliance-as-a-Service | Manages your SSP, POA&Ms, control evidence, and recertification campaigns inside one platform. Maps every artifact to the specific NIST 800-171 / CMMC objective — including AC.L2-3.1.1[d] — so you walk into your assessment with the binder pre-built. |
| vCSO (Virtual CSO) | Executive-level guidance for boards and leadership on identity strategy, scope decisions (CUI boundary), C3PAO selection, and remediation prioritization across CMMC, FTC Safeguards, and PCI. |
Related Articles in CyberKnowledge
- AC.L2-3.1.1[a] — Authorized Users Are Identified
- CMMC Assessment Guide Level 2 (v2.13) — full DoD CIO guide
- How CyberSecureID IAM Meets CMMC Level 2 Control Objectives
- The Principle of Least Privilege (PoLP)
- Cybersecurity Principles of Zero Trust
- Cybersecurity Principles of Separation-of-Duties
- CMMC 2.0 POA&M’able Requirements
- CMMC 2.0 Control Objectives for Password Rotation
- Cybersecurity Best Practices: Cyberwatch Advanced Overview
- CMMC Level 1
External References & Authoritative Sources
- NIST SP 800-171 Rev. 2 — Protecting CUI in Nonfederal Systems
- NIST SP 800-171 Rev. 3 (latest revision)
- NIST SP 800-53 Rev. 5 — AC-2 Account Management (parent control)
- DoD CIO — CMMC Program Office
- DoD CIO — CMMC Assessment Guides (Levels 1, 2, 3)
- DFARS 252.204-7012 — Safeguarding Covered Defense Information
- Verizon Data Breach Investigations Report (DBIR)
- CISA — Identity & Access Management Best Practices
- NIST — Identity and Access Management Resource Center
Are You Ready for the Assessor? — 10-Point Readiness Check
- Every CUI system authenticates via the corporate IdP — no local accounts.
- Phishing-resistant MFA is enforced on every authentication path, and legacy protocols that cannot carry MFA (IMAP, POP, SMTP basic auth) are blocked rather than left uncovered.
- Conditional access is in enforce mode (not report-only) and covers user, device, and risk signals.
- Disabled accounts have been red-team tested for residual access.
- Lockout / throttling is configured and verified.
- Authentication logs are in the SIEM with at least 12 months retention.
- Failed-logon and impossible-travel detections are tuned and alert to a monitored channel.
- Shared accounts are eliminated or vaulted with full session recording.
- External-facing CUI portals have been validated by an attack-surface scan within 90 days.
- A Cyberwatch identity red-team test has been performed in the last 12 months.
Tags: AC.L2-3.1.1[d], cmmc