Mapped to NIST 800-171 Requirement: 3.13.12
CMMC Assessment Objective: SC.L2-3.13.12[a]
What This Control Means
You must maintain a list of all users who are:
• Authorized to access CUI-related systems
• Assigned specific accounts, permissions, and roles
• Approved through your internal personnel security processes
This list must be current, accurate, and reviewed regularly.
Why It Matters
If unauthorized users access your systems:
• CUI could be exposed, altered, or stolen
• Malicious insiders could go undetected
• Dormant or unknown accounts could be exploited
• You could fail compliance reviews due to uncontrolled access
User identification is the foundation for access control, monitoring, and accountability.
How to Implement It
1. Maintain a User Inventory
• For each user, record:
◦ Name and unique ID
◦ Assigned systems or platforms
◦ Access level (e.g., standard user, privileged user)
◦ Business justification for access
2. Link to Onboarding and Offboarding Processes
• Only grant system access after:
◦ Background screening (per PS.L2-3.9.1)
◦ Role approval
◦ Training completion (e.g., security awareness, CUI handling)
3. Assign Roles and Permissions
• Tie users to clearly defined role-based access groups
• Ensure least privilege principles are enforced
4. Review and Update Regularly
• Revalidate authorized user lists quarterly, or after major organizational changes
• Deactivate accounts for departing employees or contractors immediately
Evidence the Assessor Will Look For
• Current, version-controlled list of authorized users
• Access control policies and role descriptions
• User onboarding and access approval records
• Screenshots of user management dashboards (e.g., Active Directory, Azure AD, Okta)
• Records of periodic user list reviews and updates
Common Gaps
• User lists outdated or incomplete
• No documentation linking users to business need for access
• Generic or shared accounts in use without tracking
• Dormant accounts remaining active after personnel leave
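The quarterly revalidation in step 4 can be scripted to check for the gaps listed above. The following is an added example, not part of the original page and not Cuick Trac code. The sample records, the "departed" and "last_review" fields, and the 90-day dormancy and 92-day review thresholds are assumptions.

```python
from datetime import date

# Constructed sample data: authorized-user inventory (fields from step 1,
# plus hypothetical "departed" and "last_review" columns).
INVENTORY = [
    {"id": "u1001", "name": "A. Rivera", "systems": ["fileserver"], "level": "standard",
     "justification": "Contract engineering", "departed": False, "last_review": date(2024, 2, 20)},
    {"id": "u1002", "name": "B. Chen", "systems": ["fileserver"], "level": "privileged",
     "justification": "", "departed": False, "last_review": date(2024, 4, 2)},
    {"id": "u1003", "name": "C. Okafor", "systems": ["fileserver"], "level": "standard",
     "justification": "Program management", "departed": True, "last_review": date(2023, 11, 15)},
]
# Constructed export of accounts from the directory (e.g., a CSV dump loaded into dicts).
ACCOUNTS = [
    {"id": "u1001", "enabled": True, "last_logon": date(2024, 5, 28)},
    {"id": "u1002", "enabled": True, "last_logon": date(2024, 1, 10)},
    {"id": "u1003", "enabled": True, "last_logon": date(2024, 2, 1)},
    {"id": "shared-scan", "enabled": True, "last_logon": date(2024, 5, 30)},
]

def audit(inventory, accounts, today, dormant_days=90, review_days=92):
    """Reconcile enabled accounts against the inventory; thresholds are assumptions."""
    by_id = {u["id"]: u for u in inventory}
    findings = {"unlisted": [], "departed_active": [], "dormant": [],
                "no_justification": [], "review_overdue": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = by_id.get(acct["id"])
        if user is None:  # enabled account with no inventory entry (e.g., shared/generic)
            findings["unlisted"].append(acct["id"])
            continue
        if user["departed"]:  # should have been deactivated at offboarding
            findings["departed_active"].append(acct["id"])
        elif (today - acct["last_logon"]).days > dormant_days:
            findings["dormant"].append(acct["id"])
    for user in inventory:
        if user["departed"]:
            continue
        if not user["justification"].strip():
            findings["no_justification"].append(user["id"])
        if (today - user["last_review"]).days > review_days:
            findings["review_overdue"].append(user["id"])
    return findings

if __name__ == "__main__":
    for gap, ids in audit(INVENTORY, ACCOUNTS, date(2024, 6, 1)).items():
        print(f"{gap}: {ids}")
```

Saving each run's output alongside the inventory gives a dated record of the periodic review.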
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Maintaining a centralized inventory of authorized users by system and role
• Tracking access approvals, onboarding documentation, and role assignments
• Automating reminders for user access reviews and audits
• Linking users to specific CUI-related systems, controls, and risk assessments
• Providing full audit trails showing user authorization history
With Cuick Trac, your user access landscape is controlled, transparent, and defensible.
If you don’t know who your users are, you can’t protect what they access.
Schedule a Cuick Trac demo to identify, control, and secure every user touching your CUI systems.