AC.L1-3.1.1 — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
What this control requires
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Source: CMMC L1 v2.13 AC.L1-3.1.1 / FAR 52.204-21(b)(1) / NIST SP 800-171 R2 3.1.1 (official control text).
Why this matters
This control prevents unauthorized individuals from accessing your organization's systems, applications, and data. Without enforced access limits, former employees, contractors whose engagements ended, or malicious actors could log into email, file shares, databases, or cloud platforms and exfiltrate controlled unclassified information (CUI). This requirement establishes the foundation of identity and access management: every user account, service account, and connected device must be explicitly authorized before it can interact with your systems. Proper implementation blocks credential-based attacks and ensures only legitimate users perform legitimate actions.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.