AC.L1-3.1.2—Transaction & Function Control
Control Description
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your documented process for authorizing and managing user access to systems containing CUI?
- How do you define and document access control policies and procedures?
- Who is responsible for reviewing and approving access requests?
- How frequently do you review user access privileges to ensure they remain appropriate?
- What governance framework or standards guide your access control implementation?
Technical Implementation:
- What technical mechanisms enforce access control (authentication systems, directory services)?
- How are access control lists (ACLs) or permissions configured and managed?
- What tools do you use to manage and provision user access?
- How do you technically prevent unauthorized access attempts?
- What logging captures access control decisions and authorization checks?
Evidence & Documentation:
- What documentation demonstrates your access control policies and procedures?
- What access control matrices or permissions documentation can you provide?
- What access request and approval records can you show?
- What access review documentation demonstrates periodic reviews?
- What audit logs demonstrate access control enforcement?
- What screenshots or configuration exports show access control settings?