Limit Information System Access

Limiting information system access is a fundamental security practice that focuses on account management.  The Cybersecurity Maturity Model Certification (CMMC) covers system access with the Access Control domain and AC.1.001 and AC.1.002 practices. This control will prevent unauthorized access to controlled unclassified information (CUI).  This control can be implemented using a combination of policy and technical mechanisms.  Access control policies and procedures are used to control access between users and the information or devices you are protecting. 

You should identify and select the types of accounts needed to support your business.  Account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.  New user accounts should require an approval and follow the organization’s access control policy and procedures.  An organization could create User Authorization Request forms that lists:

  • user requesting access
  • information system
  • information being accessed
  • business purpose
  • training requirements
  • user account name
  • approving signatures

An account manager should be assigned. Account managers need to be notified when an account is no longer needed, a user is terminated or transferred, and when the need-to-know changes.  Access authorization should be based on a valid need-to-know, reason to use the system, and any other business purposes. 

Temporary and/or emergency accounts are commonly used in a production environment.  These accounts should be configured to automatically expire after a defined period.  The account manager can also manually audit the system for inactive and temporary accounts no longer needed.  This process should be outlined in your access control and auditing policies. Shared/Group accounts should only be permitted when necessary.  The shared/group account credentials need to be terminated when a member leaves the group. 

An account manager could create a simple spreadsheet that lists all of the user accounts and the names of individuals associated with each account.  The list should also include disabled accounts with the names of individuals associated with each account and the dates the accounts were disabled.  This list needs to be updated and audited frequently in accordance with your continuous monitoring plan. 

Monitoring the use of accounts will help to detect inappropriate account usage and access violations.  Examples of atypical usage includes, accessing systems during non-work hours, or attempting to access information they are not authorized to access.  This overlaps with the Audit and Accountability domain of controls.

Conduct an assessment to verify if system access is limited to only authorized users, processes acting on behalf of users, and devices.  Test your processes for managing system accounts and the mechanisms used to implement your account management.  The following are objects you can use to assess your account management:

  • Access control policies
  • Account management procedures
  • System security plans
  • System configuration settings
  • System design documentation
  • Lists of active system accounts and the names of individuals associated with each account
  • Notifications of recently terminated, transferred employees
  • Lists of conditions for group and role membership
  • Lists of recently disabled system accounts along with the name of the individual associated with each account
  • Access authorization records
  • Account management compliance reviews

It is important to identify and limit who can access your information system.  Creating methods to document and track system access authorization will protect CUI, and devices like printers, and computers from unauthorized use.  Implementing an account management plan and assigning an account manager will help you identify and control system access.