AC.L2-3.1.1[e]: Enforce Access Restrictions Through Documented Procedures

What AC.L2-3.1.1[e] Requires

AC.L2-3.1.1[e] focuses on the operational side of access control. It’s not enough to say that only authorized users should gain access to systems; you must show how this is enforced through written, repeatable procedures.

This includes documenting how access restrictions are applied, which tools support enforcement (such as IAM or directory services), and who is responsible for maintaining and reviewing these procedures. Clear procedures align with your broader NIST 800-171 compliance program and support audit readiness.

Why Documented Procedures Matter

Organizations often have access control policies, but without procedures, enforcement can be inconsistent. Procedures turn policy into action—ensuring access is applied consistently across all systems that handle Controlled Unclassified Information (CUI).

Without documented steps, teams might interpret policy differently, resulting in access being granted or revoked unevenly. Documented procedures also make it possible to review past actions and demonstrate control effectiveness during assessments.

How to Implement Documented Enforcement Procedures

Start by defining step-by-step procedures that outline how access decisions are executed. Include details such as:

  • Which platforms, tools, and systems are used (e.g., Active Directory, IAM, MDM)
  • How access requests are submitted, approved, and logged
  • How access is changed or revoked
  • Who is responsible for reviews and updates

Integrate periodic reviews so that procedures stay up to date with business needs and system changes. This helps avoid stale access rights and ensures enforcement remains aligned with your overall CMMC Level 2 compliance efforts.

Procedure Implementation Table

Procedure Step            | Description                                          | Documentation Required                 | Control Objective
--------------------------|------------------------------------------------------|----------------------------------------|------------------------------------------------
Access Request Submission | Users request access through a standardized workflow | Request form, ticket number            | Ensure the request is traceable and auditable
Access Approval           | Approver verifies need and authorizes access         | Approval record, justification         | Enforce least privilege and business need
Access Configuration      | System admins apply access settings                  | Configuration change log, screenshots  | Show enforcement was applied correctly
Periodic Review           | Review active access rights regularly                | Review report, exception rationale     | Maintain control effectiveness over time
Revocation Process        | Remove access when no longer needed                  | Revocation evidence, timestamp         | Prevent unauthorized lingering access
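The periodic review and revocation steps above can be made repeatable by reconciling the approval records against a snapshot of who actually holds each entitlement. The following Python script is an added illustration, not code from the original article; the ticket numbers, users, group names and the 180-day review threshold are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Approval:
    ticket: str        # approval record / ticket number (constructed sample ids)
    user: str
    resource: str      # the entitlement, e.g. an AD group or IAM role (assumed names)
    approved_on: date

# Constructed sample data: what the request/approval workflow recorded ...
APPROVALS = [
    Approval("REQ-1001", "alice", "CUI-FileShare-RW", date(2024, 1, 10)),
    Approval("REQ-1002", "bob",   "CUI-FileShare-RW", date(2023, 6, 1)),
    Approval("REQ-1003", "carol", "CUI-ERP-Admin",    date(2024, 2, 20)),
]
# ... and a snapshot of who actually holds each entitlement (e.g. exported group membership)
ENTITLEMENTS = {
    "CUI-FileShare-RW": {"alice", "bob", "dave"},
    "CUI-ERP-Admin": set(),
}

def review_access(approvals, entitlements, today, max_age_days=180):
    """Reconcile approvals against live entitlements for a periodic review.
    Returns three finding lists: access with no approval (revocation candidate),
    approved access older than the review window (needs re-approval or revocation),
    and approvals the admins never applied (configuration step not evidenced)."""
    approved = {(a.user, a.resource): a for a in approvals}
    findings = {"unapproved": [], "stale": [], "not_applied": []}
    for resource, members in entitlements.items():
        for user in sorted(members):
            a = approved.get((user, resource))
            if a is None:
                findings["unapproved"].append((user, resource))
            elif (today - a.approved_on).days > max_age_days:
                findings["stale"].append((user, resource, a.ticket))
    for (user, resource), a in approved.items():
        if user not in entitlements.get(resource, set()):
            findings["not_applied"].append((user, resource, a.ticket))
    return findings

def sample_review():
    """Run the review against the constructed data with a fixed review date."""
    return review_access(APPROVALS, ENTITLEMENTS, date(2024, 3, 1))

if __name__ == "__main__":
    for category, items in sample_review().items():
        print(category, items)
```

Each finding names the user, entitlement and ticket, so the output itself serves as the review report and the rationale for any revocation.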

Common Gaps to Avoid

A frequent issue is having access control procedures that are outdated, incomplete, or not followed in practice. Another is having procedures that exist on paper but lack practical steps tied to enforcement tools.

Lack of periodic review or unclear role assignments also weakens procedural enforcement, making it harder to prove compliance during an assessment.

Evidence Assessors Commonly Expect

Assessors look for documented procedures that describe enforcement steps, examples showing enforcement in action (such as configuration snapshots), and records of periodic reviews tied to the procedures.

They will verify that procedures cover authorization, enforcement tools, responsibilities, and that they are followed consistently.

FAQ

What does AC.L2-3.1.1[e] require?

It requires documented procedures that explain how access restrictions are enforced, including tools, roles, and review practices.

Why are documented procedures important for access control?

Documented procedures ensure consistency in access enforcement and make it possible to demonstrate control effectiveness during audits.

What evidence supports compliance with this objective?

Assessors expect access control procedures, roles and responsibilities, examples of enforcement actions, and review records.
