CM.L2-3.4.5[b]: Lock Down System Changes to Authorized Users Only

Mapped to NIST 800-171 Requirement: 3.4.5
CMMC Assessment Objective: CM.L2-3.4.5[b]

What This Objective Means
Your system access control settings must reflect what you’ve defined in CM.L2-3.4.5[a]. That means:
• Only approved users or groups can perform administrative or configuration-level changes
• Change permissions are enforced through technical controls—not just policy
• Changes by unauthorized users are prevented and/or flagged
This ensures that system integrity is protected from accidental or unauthorized modification.

Why It Matters
Without enforced access controls:
• Admin rights may be misused or inherited unintentionally
• Unauthorized individuals can install software, disable protections, or alter system settings
• It becomes impossible to ensure the environment is secure and compliant
This objective protects critical system components and auditability.

How to Implement It
• Review and configure access controls using:
◦ File and folder permissions (e.g., NTFS, Linux ACLs)
◦ Group Policy Objects (Windows)
◦ RBAC configurations in applications or cloud platforms
◦ Local or domain admin group membership restrictions
• Use the principle of least privilege—users should only have access to the tools and settings necessary for their job
• Test configurations to ensure:
◦ Unauthorized users cannot modify settings
◦ Privilege escalation is prevented
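As an added example (not part of the original page or of Cuick Trac's tooling), the check below compares a privileged-group export against the authorized-role definition from CM.L2-3.4.5[a] and reports deviations in either direction, which is the evidence an assessor asks for; the group export, account names and AUTHORIZED mapping are constructed assumptions.

```python
"""Compare exported privileged-group membership with the authorized role list."""

# Constructed sample: getent-group style lines (name:x:gid:member,member)
# as they would be exported from a Linux host.
SAMPLE_GROUP_EXPORT = """\
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:alice
docker:x:998:carol,dave
adm:x:4:alice,bob
"""

# Hypothetical authorized-roles definition (what CM.L2-3.4.5[a] documents):
# privileged group -> accounts approved to hold that privilege.
AUTHORIZED = {
    "sudo": {"alice", "bob"},
    "wheel": {"alice", "bob"},
    "docker": {"carol"},
}


def parse_group_export(text):
    """Parse getent-group style lines into {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _passwd, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_deviations(actual, authorized):
    """Return {group: {"unauthorized": set, "missing": set}} for each group
    in the authorized list whose real membership differs from the definition.
    Extra members are a least-privilege gap; missing members mean the
    definition and the system have drifted apart and need reconciling."""
    findings = {}
    for group, allowed in authorized.items():
        present = actual.get(group, set())
        extra, missing = present - allowed, allowed - present
        if extra or missing:
            findings[group] = {"unauthorized": extra, "missing": missing}
    return findings


if __name__ == "__main__":
    for group, f in find_deviations(parse_group_export(SAMPLE_GROUP_EXPORT), AUTHORIZED).items():
        print(f"{group}: unauthorized={sorted(f['unauthorized'])} missing={sorted(f['missing'])}")
```

On a real host, replace the constructed export with the output of `getent group` and keep the authorized mapping under change control so the comparison itself becomes audit evidence.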

Evidence the Assessor Will Look For
• Screenshots or exports showing role and permission settings
• Group membership lists from AD, IAM platforms, or endpoint management tools
• Logs or alerts showing denied change attempts by unauthorized users
• Documentation aligning system access settings with your list of authorized roles

Common Gaps
• Admin privileges granted too broadly
• No technical restrictions preventing unapproved users from modifying settings
• Privileged access based on convenience, not role or policy

How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Enforcing least privilege by default across enclave systems
• Restricting system change rights to explicitly defined roles
• Logging all configuration changes, including who made them and when
• Helping organizations validate access settings match their role definitions
With Cuick Trac, your systems are built with security at the control layer—so unauthorized changes don’t happen in the first place.

Final CTA
Policies don’t protect systems—permissions do.
Schedule a Cuick Trac demo and make sure only the right people can make the right changes.