AC.L1-3.1.2 — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
What this control requires
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Source: CMMC L1 v2.13 AC.L1-3.1.2 / FAR 52.204-21(b)(1) / NIST SP 800-171 R2 3.1.2 (official control text).
Why this matters
This control ensures users can only perform actions their job requires, preventing unauthorized changes to sensitive systems or data. By limiting transactions and functions to what's necessary for each role, organizations reduce insider threat risk and contain the blast radius of compromised credentials. Without function-level restrictions, any authenticated user could delete records, modify configurations, or access financial systems they shouldn't touch. This control enforces the principle of least privilege at the action level, not just the access level.
What evidence assessors expect
Assessors typically look for artifacts such as screenshots, configuration exports, and PDF documentation. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on AC.L1-3.1.2.
FORCE shows where you stand on this control and walks you through closing it.