

AC.L2-3.1.1[f] — Authorized Access Control (System Access Is Limited to Authorized Devices)

Domain: Access Control (AC)  |  Practice: AC.L2-3.1.1  |  Objective ID: 3.1.1[f]  |  Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2

Assessment Objective:

System access is limited to authorized devices (including other systems).

Executive Summary (For Leadership and the Board)

Objective [f] closes the loop with [c]. Where [c] requires the inventory, [f] requires the technical enforcement that unauthorized devices cannot connect to CUI systems. Knowing the list does not protect CUI — the network and the systems must refuse the unknown laptop, the rogue Wi-Fi hotspot, the personal phone, the partner’s contractor laptop that was never enrolled.

The executive view is simple: if an attacker walks in with their own laptop and plugs into a wired port, what happens? The right answer is "nothing": the port never authorizes, or the switch places the device in a quarantine VLAN with no route to CUI. Anything else is an AC.L2-3.1.1[f] failure and a likely path to CUI compromise.

Business Question | What Leadership Must Confirm
Does our network refuse unknown devices? | 802.1X / NAC enforces device authentication on every wired and wireless segment that touches CUI.
Are CUI systems posture-aware? | Conditional access checks device compliance (encryption, EDR, OS patch level) before granting CUI access.
Are partner/vendor connections separately segmented? | Vendor / external system access is segmented and bound by an Interconnection Security Agreement (ISA).
Can we prove enforcement to the C3PAO? | NAC logs, device-certificate deployment records, and posture evidence are retained and producible.

Executive Risk Lens: Unmanaged and unauthorized devices are a recurring entry point in DIB incidents involving CUI. AC.L2-3.1.1[f] is what stops the rogue laptop, the lost contractor device, the BYOD phone, and the compromised partner system from reaching CUI.

Figure 1: How Authorization Should Flow (from request to authoritative record)

Technical Deep Dive (For Engineers, IAM Admins, and ISSOs)

What the Objective Requires

Objective [f] maps to NIST SP 800-53 AC-3 (Access Enforcement), AC-19 (Access Control for Mobile Devices), IA-3 (Device Identification and Authentication), and SC-7 (Boundary Protection). Implementation patterns: 802.1X EAP-TLS with device certificates from internal PKI, MDM compliance gates, conditional-access device-trust signals, ZTNA gateways, and tightly controlled MAC Authentication Bypass (MAB) exceptions.

  • 802.1X with EAP-TLS on all wired and wireless segments that touch CUI — not MAC-only.

  • Device certificates issued from internal PKI with rotation and revocation paths.

  • Conditional access device-trust on every cloud CUI system (Entra device compliance / Okta Device Trust / equivalent).

  • ZTNA gateway replaces traditional VPN for CUI remote access — user + device evaluated on every connection.

  • Guest, IoT, and OT devices are strictly segmented from CUI VLANs.

  • Posture checks include OS, patch level, EDR, disk encryption, and screen-lock policy.

  • MAC-bypass exceptions are documented, time-limited, and reviewed quarterly.

Evidence Package a C3PAO Will Request

Artifact | Where It Typically Lives | Common Gotchas
802.1X / NAC Enforcement Records | Cisco ISE, Aruba ClearPass, Forescout | Monitor mode only; default-allow on auth failure; guest VLAN routes to CUI.
Device-Certificate Deployment | Internal PKI / Entra / Intune SCEP | Self-signed certs; certs without expiration; no revocation procedure.
Conditional-Access Device-Trust Policies | Entra CA / Okta Device Trust | Compliance check disabled or in report-only mode.
ZTNA / Remote Access Logs | Zscaler ZPA, Cloudflare Access, Netskope, Twingate | Legacy VPN still allowed in parallel as a "backup"; ZTNA bypass exceptions.
Segmentation Diagram & Validation | SSP boundary diagram + tested traffic flow | IoT VLAN ACL not actually deployed; 30 days of test traffic shows leakage.
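The implementation patterns above and the NAC-record gotchas in this table (monitor mode, default-allow on failure, undocumented or stale MAB exceptions, password-based 802.1X where EAP-TLS is required) can all be checked from the NAC's session export before a C3PAO asks for it. The script below is an added example written for this page, not Northern Data Solutions tooling or any vendor's export format: the CSV layout, VLAN numbers, the MAB exception register and every session record are constructed for illustration, and the 90-day review interval is an assumption taken from the "reviewed quarterly" requirement.

```python
"""Audit constructed NAC session records for AC.L2-3.1.1[f] enforcement gaps.

Added example. The record layout, VLAN numbers and the MAB exception
register are assumptions, not the export format of any particular NAC.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta

# --- Assumed environment facts -------------------------------------------
CUI_VLANS = {110, 120}                    # assumption: engineering / CUI VLANs
QUARANTINE_VLAN = 999                     # assumption: auth-fail landing VLAN
MAB_REVIEW_INTERVAL = timedelta(days=90)  # "reviewed quarterly"

# MAC-bypass exception register: MAC -> (asset, last_reviewed, expires_on).
# Constructed data; in practice this is the change-controlled list the ISSO owns.
MAB_EXCEPTIONS = {
    "00:11:22:aa:bb:01": ("printer-eng-3", date(2025, 1, 15), date(2025, 4, 15)),
    "00:11:22:aa:bb:02": ("cnc-controller-2", date(2024, 9, 1), date(2024, 12, 1)),
    "00:11:22:aa:bb:03": ("badge-reader-lobby", date(2024, 11, 1), date(2025, 11, 1)),
}

# Constructed session log. Real NAC exports carry more fields; these suffice.
SAMPLE_LOG = """\
timestamp,switch,port,mac,method,result,vlan
2025-03-04T09:12:01Z,sw-eng-01,Gi1/0/12,00:1a:2b:3c:4d:5e,EAP-TLS,PASS,110
2025-03-04T09:15:44Z,sw-eng-01,Gi1/0/07,d4:3b:04:11:22:33,EAP-TLS,FAIL,110
2025-03-04T09:16:02Z,sw-conf-02,Gi1/0/03,f8:e4:3b:aa:00:01,NONE,NO-RESPONSE,10
2025-03-04T09:20:10Z,sw-conf-02,Gi1/0/04,a0:b1:c2:d3:e4:f5,NONE,NO-RESPONSE,999
2025-03-04T09:30:00Z,sw-eng-01,Gi1/0/20,00:11:22:aa:bb:01,MAB,PASS,110
2025-03-04T09:31:00Z,sw-eng-01,Gi1/0/21,00:11:22:aa:bb:02,MAB,PASS,110
2025-03-04T09:32:00Z,sw-eng-01,Gi1/0/22,00:11:22:aa:bb:03,MAB,PASS,110
2025-03-04T09:33:00Z,sw-eng-01,Gi1/0/23,00:11:22:aa:bb:99,MAB,PASS,120
2025-03-04T09:40:00Z,sw-eng-01,Gi1/0/24,3c:22:fb:aa:bb:cc,PEAP-MSCHAPv2,PASS,120
"""


def parse_sessions(text):
    """Parse the constructed CSV into dicts with typed vlan and timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["vlan"] = int(row["vlan"])
        row["when"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def audit_sessions(sessions, exceptions=MAB_EXCEPTIONS,
                   cui_vlans=CUI_VLANS, quarantine_vlan=QUARANTINE_VLAN):
    """Return (finding, mac, 'switch port') tuples.

    default-allow     auth failed or no supplicant, yet the port was authorized
                      somewhere other than quarantine (monitor mode / open auth)
    mab-undocumented  MAC bypass succeeded for a MAC not on the register
    mab-expired       MAC bypass succeeded after its exception lapsed
    mab-stale-review  exception still valid but not reviewed within 90 days
    non-cert-auth     password-based 802.1X reached a CUI VLAN (EAP-TLS required)
    """
    findings = []
    for s in sessions:
        where = f"{s['switch']} {s['port']}"
        if s["result"] != "PASS":
            if s["vlan"] != quarantine_vlan:
                findings.append(("default-allow", s["mac"], where))
            continue  # a failed session landing in quarantine is the correct outcome
        if s["method"] == "MAB":
            exc = exceptions.get(s["mac"])
            if exc is None:
                findings.append(("mab-undocumented", s["mac"], where))
                continue
            _, last_reviewed, expires_on = exc
            if s["when"].date() > expires_on:
                findings.append(("mab-expired", s["mac"], where))
            elif s["when"].date() - last_reviewed > MAB_REVIEW_INTERVAL:
                findings.append(("mab-stale-review", s["mac"], where))
        elif s["method"] != "EAP-TLS" and s["vlan"] in cui_vlans:
            findings.append(("non-cert-auth", s["mac"], where))
    return findings


def summarize(findings):
    """Count findings by type; this is the number that goes into the POA&M."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    results = audit_sessions(parse_sessions(SAMPLE_LOG))
    for kind, mac, where in results:
        print(f"{kind:18} {mac}  {where}")
    print(dict(summarize(results)))
```

On the constructed data the script reports six findings: two ports that authorized a failed or silent device into a routable VLAN (the Example 1 pattern), one expired and one unreviewed MAB exception, one MAC that was never registered, and one password-based 802.1X session on a CUI VLAN. A clean run against 30 days of real exports, kept with the register it was checked against, is the kind of enforcement evidence the table asks for.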

Figure 2: Reference Architecture (authoritative source)

Real-World Examples — What Goes Wrong

Example 1 — The Plug-and-Play Pen Test

On a Cyberwatch on-site engagement, our consultant connected an unauthorized laptop to an open conference-room wired port. The port placed the device into the corporate VLAN with a routable address. From there, the consultant reached the CUI engineering share within 12 minutes. NAC was deployed but configured in “monitor only” mode “to avoid breaking things.”

Lesson: Monitor-mode NAC is documentation, not enforcement. AC.L2-3.1.1[f] requires the network to refuse unauthorized devices in production.

Example 2 — The Lost Personal Laptop

A contractor used their personal laptop to access an internal Citrix portal "just for one task." The personal laptop had no EDR, no disk encryption, and an outdated OS, and the browser had cached CUI artifacts. The laptop was later stolen. Forensics could not confirm the scope of exposure, and the event was a reportable incident.

Lesson: Conditional access with device compliance would have refused the unmanaged personal laptop entirely. AC.L2-3.1.1[f] is met by user+device evaluation, not user-only.

Example 3 — The Partner’s Compromised Workstation

A trusted partner’s engineering workstation was compromised by malware on the partner’s home network. The partner used the same workstation to access the prime contractor’s CUI portal via VPN. Attackers used the partner’s session to download CUI. Neither the partner nor the prime had a posture check on the connecting device.

Lesson: Trusted external systems are devices for purposes of AC.L2-3.1.1[f]. ZTNA with device posture and continuous evaluation closes this gap.
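Examples 2 and 3 turn on the same point: the user authenticated, but nobody evaluated the device, either at connection time or while the session was open. The code below is an added example written for this page, not the configuration of Entra, Okta or any ZTNA product, and it is not Northern Data Solutions code. It models a user + device decision that fails closed on missing posture signals and a continuous-evaluation pass that revokes an established session when posture degrades. The thresholds (30-day patch age, 15-minute screen lock), field names and sample devices are assumptions constructed for illustration.

```python
"""Device-trust decision for a CUI application (added example).

Shows the user + device evaluation the text calls for: a valid MFA login on
an unmanaged or non-compliant device is refused, unknown posture signals
fail closed, and an established session is re-checked as posture snapshots
arrive (continuous evaluation). Thresholds, field names and sample devices
are assumptions for this example, not any product's settings.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_PATCH_AGE = timedelta(days=30)   # assumption: 30-day patch SLA for CUI endpoints
MAX_SCREEN_LOCK_SECONDS = 900        # assumption: lock within 15 minutes


@dataclass
class Posture:
    """Posture signals as an MDM/EDR would report them. None means the signal is missing."""
    managed: bool                    # enrolled in MDM and holding a device certificate
    disk_encrypted: Optional[bool]
    edr_running: Optional[bool]
    screen_lock_seconds: Optional[int]
    last_patch: Optional[date]


@dataclass
class Request:
    user: str
    mfa_passed: bool
    device: Posture
    as_of: date


def failed_checks(p: Posture, as_of: date) -> List[str]:
    """Return the posture checks the device fails; an empty list means compliant.

    Missing signals fail closed: a check whose value is unknown counts as failed.
    """
    if not p.managed:
        # Nothing an unmanaged device reports about itself can be trusted,
        # so the remaining signals are not even consulted.
        return ["unmanaged"]
    fails = []
    if p.disk_encrypted is not True:
        fails.append("disk-encryption")
    if p.edr_running is not True:
        fails.append("edr")
    if p.screen_lock_seconds is None or p.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS:
        fails.append("screen-lock")
    if p.last_patch is None or as_of - p.last_patch > MAX_PATCH_AGE:
        fails.append("patch-level")
    return fails


def decide(req: Request) -> Tuple[str, List[str]]:
    """Point-in-time decision at connection: ("allow", []) or ("deny", reasons).

    User factors are necessary but never sufficient; the device is always evaluated.
    """
    if not req.mfa_passed:
        return "deny", ["mfa"]
    fails = failed_checks(req.device, req.as_of)
    return ("allow", []) if not fails else ("deny", fails)


def first_revocation(snapshots: List[Tuple[date, Posture]]) -> Optional[int]:
    """Continuous evaluation over an established session.

    snapshots are (time, posture) pairs in order. Returns the index of the first
    snapshot at which the session must be revoked, or None if it stays compliant.
    """
    for i, (as_of, posture) in enumerate(snapshots):
        if failed_checks(posture, as_of):
            return i
    return None


if __name__ == "__main__":
    today = date(2025, 3, 4)
    # Constructed devices: a compliant engineering laptop, the Example 2 personal
    # laptop, and the Example 3 partner workstation whose EDR stops mid-session.
    corp = Posture(True, True, True, 600, date(2025, 2, 20))
    personal = Posture(False, False, False, None, None)
    partner_infected = Posture(True, True, False, 600, date(2025, 2, 20))

    print(decide(Request("alice", True, corp, today)))            # ('allow', [])
    print(decide(Request("contractor", True, personal, today)))   # ('deny', ['unmanaged'])
    session = [(today, corp), (today + timedelta(days=1), corp),
               (today + timedelta(days=2), partner_infected)]
    print(first_revocation(session))                              # 2
```

The two functions correspond to the two failure modes in the examples: `decide` refuses the contractor's personal laptop at the door even though MFA passed, and `first_revocation` is what a ZTNA gateway with continuous evaluation does for the partner workstation, ending the session at the first snapshot where EDR is no longer running instead of trusting the login for its lifetime.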

How Northern Data Solutions Helps You Pass AC.L2-3.1.1[f]

Service Offering | What It Does for AC.L2-3.1.1[f]
Cyberwatch — Risk Identification | Third-party penetration testing, validation, and vulnerability identification surfaces gaps related to AC.L2-3.1.1[f] before a C3PAO does. Independent attestation that controls match reality.
Cyberwatch Advanced | Operationalizes the controls: Identity & Access Management with adaptive MFA (CyberSecureID), Principle of Least Privilege, Zero Trust Architecture, attack-surface visibility, password management & rotation, and the cybersecurity training platform that produces signed employee attestations, the evidence assessors actually want.
Compliance-as-a-Service | Manages your SSP, POA&Ms, control evidence, and recertification campaigns inside one platform. Maps every artifact to the specific NIST 800-171 / CMMC objective, including AC.L2-3.1.1[f], so you walk into your assessment with the binder pre-built.
vCSO (Virtual CSO) | Executive-level guidance for boards and leadership on identity strategy, scope decisions (CUI boundary), C3PAO selection, and remediation prioritization across CMMC, FTC Safeguards, and PCI.

Engagement model: Most clients begin with a Cyberwatch baseline assessment (1–2 weeks), then move into Cyberwatch Advanced and Compliance-as-a-Service to remediate and harvest evidence ahead of their CMMC Joint Surveillance or full L2 assessment.


Are You Ready for the Assessor? — 10-Point Readiness Check

  1. 802.1X EAP-TLS is enforced on every CUI-adjacent network segment.

  2. Internal PKI issues, rotates, and revokes device certificates.

  3. Conditional access enforces device compliance on every cloud CUI system.

  4. ZTNA has replaced traditional VPN for CUI remote access.

  5. Guest, IoT, and OT VLANs are firewalled away from CUI — verified by traffic test.

  6. Posture checks include encryption, EDR, patch level, and screen lock.

  7. MAC-bypass exceptions are reviewed quarterly and documented.

  8. Partner and vendor system connections have ISAs and posture requirements.

  9. Cyberwatch attack-surface visibility validates the boundary every 12 months.

  10. An on-site “plug-and-play” pen test has been performed in the last 12 months.

Next Step: If an unauthorized laptop can reach CUI from inside your office or via an old VPN, you have an AC.L2-3.1.1[f] gap. Schedule a Cyberwatch on-site network-enforcement assessment with your Northern Data Solutions vCSO.

Tags: AC.L2-3.1.1[f], cmmc