AC.L2-3.1.2 — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
What this control requires
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Source: CMMC L2 v2.13 AC.L2-3.1.2 / NIST SP 800-171 R2 3.1.2 (official control text).
Why this matters
This control ensures users can only perform actions explicitly authorized for their job function, preventing accidental or malicious misuse of system privileges. It protects sensitive data and critical operations by enforcing the principle of least privilege at the transaction level, not just at login. Without transaction-level controls, an authenticated user could execute administrative functions, approve financial transactions, or modify security settings they have no business touching. This granular access enforcement prevents insider threats, reduces blast radius from compromised accounts, and creates clear audit trails showing who performed which specific actions.
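As an added illustration (not part of this page or of the FORCE platform), the Python below contrasts a login-only check with the per-transaction authorization and audit trail this control describes; the job functions, transaction names, users and audit-log format are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy: each job function maps to the transactions it may execute.
# Unknown job functions resolve to an empty set, so the default decision is deny.
PERMITTED_TRANSACTIONS = {
    "finance_clerk":   {"view_invoice", "submit_invoice"},
    "finance_manager": {"view_invoice", "submit_invoice", "approve_payment"},
    "sysadmin":        {"view_invoice", "modify_security_settings"},
}

@dataclass
class User:
    name: str
    job_function: str
    authenticated: bool = False

@dataclass
class AuditLog:
    """Append-only record of who attempted which transaction and the decision."""
    entries: list = field(default_factory=list)

    def record(self, user: User, transaction: str, decision: str) -> None:
        self.entries.append((user.name, transaction, decision))

def login_only_check(user: User) -> bool:
    """The insufficient pattern: any authenticated user passes, whatever the function."""
    return user.authenticated

def is_authorized(user: User, transaction: str) -> bool:
    """Transaction-level check: authenticated AND the function is in the user's permitted set."""
    if not user.authenticated:
        return False
    return transaction in PERMITTED_TRANSACTIONS.get(user.job_function, set())

def execute(user: User, transaction: str, audit: AuditLog) -> bool:
    """Enforce the check before every transaction and log the outcome either way."""
    allowed = is_authorized(user, transaction)
    audit.record(user, transaction, "ALLOW" if allowed else "DENY")
    if not allowed:
        raise PermissionError(f"{user.name} may not execute {transaction}")
    # The real transaction would run here; the sample only reports success.
    return True

if __name__ == "__main__":
    log = AuditLog()
    clerk = User("alice", "finance_clerk", authenticated=True)
    execute(clerk, "submit_invoice", log)  # allowed: in the clerk's permitted set
    print(login_only_check(clerk), is_authorized(clerk, "approve_payment"))  # True False
    print(log.entries)
```

The DENY entries in the audit log are what an assessor can trace back to a specific user and function, which is the evidence this control is about.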
What evidence assessors expect
Assessors typically look for a screenshot, a configuration export, or a CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on AC.L2-3.1.2.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →