Reading NIST 800-171 Practice 3.1.1, "Limit information system access to authorized users, processes acting on behalf of authorized users, and devices", doesn't tell you what to configure on Monday morning. This guide breaks down all 22 Access Control practices with plain-language explanations, real implementation approaches, and the specific tools that get the job done.
Every one of the 22 Access Control practices applies to systems within your CUI boundary. Before implementing anything, you need to know which systems process, store, or transmit Controlled Unclassified Information. Systems outside that boundary aren't subject to CMMC requirements, which means scoping directly determines your compliance burden.
If you haven't defined your CUI scope yet, do that first. Document it in your System Security Plan. Trying to apply CMMC controls without a defined scope is like trying to secure a building without knowing where the walls are.
Implementation principle: For each practice below, ask three questions, what do we need to configure? where is that configured? what evidence will prove it to an assessor? Answering all three before you start saves significant rework.
These two practices are the foundation of the entire AC domain. 3.1.1 says only authorized users (and devices acting on their behalf) can access your systems. 3.1.2 says those users can only perform the transactions their job requires.
How to implement:
Common mistake: No formal provisioning process. IT handles requests informally, access accumulates over time, and former employees sometimes retain access for weeks. Assessors will ask for evidence of access reviews.
This practice requires controlling the movement of CUI between systems and people. It's not just about who can access CUI, it's about where CUI can travel.
How to implement:
Common mistake: CUI stored in a shared team folder that every employee can access because "the whole team works on these contracts." Access should be scoped to people who actually handle CUI on those specific contracts.
This group of practices is where many small organizations fall short, not because the technology is hard, but because implementing it properly requires restructuring how IT staff work day-to-day.
3.1.4 requires separating duties so no single person can both commit and conceal a malicious action. 3.1.5 requires least privilege, especially for privileged accounts. 3.1.6 says use non-privileged accounts for non-security functions. 3.1.7 prevents non-privileged users from executing privileged functions.
How to implement:
Common mistake: The IT administrator uses their domain admin account for everything, reading email, browsing the web, running reports. If that account is compromised via phishing, the attacker immediately has domain admin. Separate accounts are non-negotiable for CMMC and for basic security hygiene.
These four practices are among the easiest to implement and the most commonly missed in documentation. All four can be configured via Group Policy or Intune.
How to implement:
Common mistake: Skipping the login banner (3.1.9) because it seems cosmetic. Assessors check for it specifically, and it takes about 10 minutes to configure. Don't leave easy points on the table.
Remote access to systems handling CUI must be encrypted, authenticated, logged, and routed through a managed gateway. These four practices together define what a compliant remote access architecture looks like.
How to implement:
Common mistake: Port 3389 open in the firewall for a specific server "because we need to get in remotely." This is an immediate assessor finding and a genuine ransomware risk. If you have RDP open to the internet today, close it before your assessment.
Wireless access must be authorized before connections are allowed, and it must use proper authentication and encryption.
How to implement:
Common mistake: Using a shared WPA2 pre-shared key for the corporate network because it's easier to manage. With a PSK, anyone who knows the password can connect, there's no individual authorization, no per-user identity, and no way to revoke access for a specific person without changing the password for everyone.
Mobile devices that connect to CUI systems or store CUI data must be managed and encrypted.
How to implement:
Common mistake: Employees access corporate email, which may contain CUI discussions or attachments, on personal phones with no MDM enrollment. If that phone is lost or stolen, there's no remote wipe and no evidence of encryption. This is a gap that assessors will probe.
These practices address two common data exfiltration vectors: personal cloud accounts and removable storage.
How to implement:
Common mistake: No USB control whatsoever. An employee can plug in a personal thumb drive, copy CUI files to it, and walk out the door. There's no technical control, no log, and no way to detect it after the fact. Defender for Endpoint or Intune device control addresses this with minimal overhead.
Any system that is publicly accessible must not contain or process CUI. This sounds obvious, but contract deliverables, proposal documents, and technical specifications can contain CUI, and they sometimes end up in the wrong place.
How to implement:
Common mistake: A contract deliverable that contains CUI gets emailed to a public project portal or posted to a shared client extranet without anyone checking whether it contains controlled information. A CUI marking review process before external sharing addresses this.
| Need | Tool Options | Notes |
|---|---|---|
| Identity and access management | Microsoft Entra ID, Active Directory | Foundation for accounts, groups, and RBAC |
| Multi-factor authentication | Entra MFA, Duo, Okta | Required for IA domain as well; covers multiple practices |
| Privileged access management | Entra PIM, CyberArk, BeyondTrust | Just-in-time admin elevation; reduces persistent admin rights |
| Session and lockout policy | Group Policy (GPMC), Microsoft Intune | Handles 3.1.8–3.1.11; built into Windows Server at no extra cost |
| VPN / remote access | Cisco AnyConnect, GlobalProtect, Azure VPN, Zscaler | Must include MFA and logging |
| Mobile device management | Microsoft Intune, Jamf, VMware Workspace ONE | Required for 3.1.18–3.1.19; Intune included in M365 Business Premium |
| USB / device control | Defender for Endpoint, Intune, GPO | Defender for Endpoint device control is the most capable option |
| Data loss prevention | Microsoft Purview, Zscaler | Supports CUI flow control and external system restrictions |
| Wireless authentication | Windows Server NPS, Cisco ISE, Aruba ClearPass | NPS is built into Windows Server; good starting point for 802.1X |
Microsoft 365 Business Premium covers a lot of ground here. Entra ID P2 (included in Business Premium) gives you MFA, Conditional Access, and PIM. Intune (also included) handles MDM and device control. Defender for Endpoint (included) handles USB control. If you're already in the Microsoft ecosystem, the tools you need may already be licensed.
Technical controls alone don't satisfy CMMC. Each of the 22 practices requires both implementation and documentation. The assessor needs to see that controls exist in your environment and that they're defined in written policy. A screen lock policy configured in GPO but not referenced in any policy document creates a documentation gap. A policy document describing access reviews that aren't actually being conducted creates an implementation gap.
Your Access Control Policy is the document that ties everything together, it defines the rules that your technical controls enforce.
Our CMMC Level 2 Access Control Policy template covers all 22 AC practices in formal policy language with fill-in-the-blank placeholders. Written for defense contractors by practitioners who have implemented these controls in real CMMC engagements.
Download the AC Policy Template →No spam. Just practical guidance on CMMC compliance and new resources when we publish them.