As part of achieving CMMC Level 1 compliance, small businesses handling Federal Contract Information (FCI) must implement foundational cybersecurity practices. One of the core requirements is Access Control (AC), specifically AC.L1-B.1.I, which states:
"Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)."
This requirement sounds straightforward, but to truly meet it—and pass a CMMC assessment—your organization needs clear, enforceable access policies and technical controls. In this blog post, we'll walk through what this requirement means, why it matters, and how to meet it effectively.

Understanding the Requirement
In plain terms: only authorized users, processes, and devices may access the information system, and anything not on those lists is denied. Let's define the three categories:
Authorized users: Employees, contractors, or vendors with legitimate need.
Processes acting on behalf of users: Apps or services that run with a user’s permissions (like email clients or backup tools).
Authorized devices: Company laptops, phones, or other systems explicitly permitted to connect.
How to Meet AC.L1-B.1.I
Document Authorized Users and Limit User Access
- Maintain an approved user list. This includes employees and contractors.
- Develop an account creation process so that every account is approved by a named authority before it is created, and record who approved it.
- Review the organization's user accounts on a regular schedule and whenever someone leaves, and ensure that an account exists only for an authorized user. Delete unauthorized accounts, including accounts left behind by departed employees and contractors.
Document Authorized Devices and Limit Device Access
- Document a list of devices authorized to access the information system. Record information unique to each device, such as its name, serial number, and MAC address.
- Using MAC address filtering, 802.1X, or another mechanism, limit device access to the network. Note that MAC address filtering is the weakest of these because a MAC address can be trivially spoofed; 802.1X with device certificates is a much stronger way to tie network access to the documented device list.
- For organizations using Microsoft 365, Conditional Access policies can additionally limit Microsoft 365 access to devices you have enrolled and approved.
Document Processes Acting on Behalf of Authorized Users and Limit Access
- Document a list of automated processes, the accounts those processes run under, and the authorized users to whom those accounts are assigned.
- Create dedicated service accounts with descriptive names to run automated processes, rather than running them under a person's account. Each service account should be documented, associated with an authorized user who owns it, and granted only the permissions its process needs.
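The three steps above (authorized users, authorized devices, processes acting on behalf of users) all come down to the same check: compare what actually exists against the documented registers and flag anything that is not accounted for. The script below is an added example written for this post, not code from the page or from any CMMC guidance. The registers, the directory account export, and the list of MAC addresses seen on the network are constructed sample data; in practice you would load the account export from your identity provider and the observed MACs from DHCP leases or switch tables. It flags accounts with no approval on record, service accounts whose owner is not an authorized user, register entries with no matching account, and devices on the network that are not in the device register.

```python
"""Access review helper for AC.L1-B.1.I: reconcile what exists (directory
accounts, devices seen on the network) against the documented registers of
authorized users, authorized devices and service accounts.

All data below is constructed sample data for illustration.
"""
import re

# --- Documented registers (constructed) -----------------------------------

# Approved user list: who may hold an account, and who approved it.
AUTHORIZED_USERS = {
    "alice": {"role": "employee", "approved_by": "CEO"},
    "bob": {"role": "contractor", "approved_by": "IT Manager"},
    "carol": {"role": "employee", "approved_by": "CEO"},
}

# Service accounts: the process each runs and the authorized user who owns it.
SERVICE_ACCOUNTS = {
    "svc-backup": {"process": "nightly backup job", "owner": "alice"},
    "svc-scanner": {"process": "vulnerability scanner", "owner": "dave"},  # dave is not authorized
}

# Authorized devices; MACs are deliberately written in mixed formats.
AUTHORIZED_DEVICES = [
    {"name": "LT-001", "serial": "5CD1234ABC", "mac": "AA:BB:CC:11:22:33"},
    {"name": "LT-002", "serial": "5CD5678DEF", "mac": "aa-bb-cc-44-55-66"},
]

# --- What actually exists (constructed exports) ---------------------------

# Accounts exported from the directory.
DIRECTORY_ACCOUNTS = [
    {"name": "alice", "enabled": True},
    {"name": "bob", "enabled": True},
    {"name": "carol", "enabled": False},
    {"name": "dave", "enabled": True},        # no approval on record
    {"name": "svc-backup", "enabled": True},
    {"name": "svc-scanner", "enabled": True},
    {"name": "svc-legacy", "enabled": True},  # undocumented service account
]

# MAC addresses observed on the LAN (e.g. from DHCP leases).
OBSERVED_MACS = ["aa:bb:cc:11:22:33", "AA-BB-CC-44-55-66", "de:ad:be:ef:00:01"]


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so 'aa-bb-cc-11-22-33' and 'AA:BB:CC:11:22:33' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def review_accounts(directory, users, service_accounts):
    """Return (finding_type, account, detail) for every account that is not
    explained by the approved user list or the service account register,
    plus register entries that no longer match a real account."""
    findings = []
    for acct in directory:
        name = acct["name"]
        if name in users:
            continue  # approved human user
        if name in service_accounts:
            owner = service_accounts[name]["owner"]
            if owner not in users:
                findings.append(("service_account_unowned", name,
                                 f"owner '{owner}' is not an authorized user"))
            continue
        findings.append(("unauthorized_account", name,
                         "not in approved user list or service account register"))
    existing = {a["name"] for a in directory}
    for name in list(users) + list(service_accounts):
        if name not in existing:
            findings.append(("stale_register_entry", name, "documented but no account exists"))
    return findings


def review_devices(observed_macs, devices):
    """Flag any MAC seen on the network that is not in the device register."""
    authorized = {normalize_mac(d["mac"]): d["name"] for d in devices}
    return [("unauthorized_device", normalize_mac(m), "seen on network but not in device register")
            for m in observed_macs if normalize_mac(m) not in authorized]


if __name__ == "__main__":
    for kind, subject, detail in (review_accounts(DIRECTORY_ACCOUNTS, AUTHORIZED_USERS, SERVICE_ACCOUNTS)
                                  + review_devices(OBSERVED_MACS, AUTHORIZED_DEVICES)):
        print(f"{kind:26} {subject:20} {detail}")
```

Each finding maps directly to an action the bullets above call for: an unauthorized account is deleted or formally approved, an unowned service account is assigned to an authorized user, a stale register entry is cleaned up, and an unknown device is removed from the network or added to the register. Keep the output as evidence; an assessor will want to see that the review actually happens, not just that a policy says it should.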
Final Thoughts
It is important to remember that AC.L1-B.1.I is only one of several controls in the Access Control domain for CMMC Level 1. Comprehensive access control requires implementing the remaining Access Control practices as well; however, properly implementing AC.L1-B.1.I gives you a solid foundation, because the documented lists of users, devices, and service accounts it produces are exactly what the other controls build on.