3.1.1—Access Control - Basic
>Control Description
>Discussion
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization.
This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged), are addressed in requirement 3.1.2.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies and procedures govern user account creation and authorization?
- Who has the authority to approve system access for different user roles?
- How do you define and document authorized users versus unauthorized users?
- What is your process for periodic review of authorized users?
- How are authorization decisions documented and maintained?
Technical Implementation:
- What authentication mechanisms are in place to limit system access?
- How do you technically enforce the principle of least privilege?
- What controls prevent unauthorized users from accessing CUI systems?
- How are user permissions configured and managed across different systems?
- What monitoring tools detect unauthorized access attempts?
Evidence & Documentation:
- Can you provide access control lists showing authorized users?
- Where are user authorization approvals documented?
- What audit logs track user authentication and authorization events?
- Can you demonstrate a recent access review with findings?
- What evidence shows unauthorized access is prevented?