Transcript for:
CMMC Compliance Key Points and Tips

Hey everybody, it's Mike Frieder here with On-Call Compliance Solutions, and I'm back with another compliance tip of the week. This week we're talking about CMMC control AC.L1-3.1.1: limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

So hey, if you're a defense contractor who's feeling overwhelmed, tired and alone trying to understand all of this DFARS, NIST SP 800-171 and CMMC compliance stuff on top of an already colossal workload, well, I've got great news for you: you found your home here at On-Call Compliance Solutions, where we can help you transform into your company's on-call compliance hero. Let's jump into it.

So here we go. It's the very first control you're looking at in CMMC, all right, level one, level two, and let me tell you, they don't want to make life easy on you here. With the first control it's a doozy, but today I'm going to walk you through what this is all about and what the key assessment points are that an assessor will use to determine if you have met or not met the requirements for this control. And then stay tuned, because I'm going to give you actual sample answers for each assessment requirement, point by assessment point. Here we go.

Okay, so the controlling question today is CMMC control AC.L1-3.1.1. It's the first control you'll tackle, and it says: limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

So if we're actually looking at what the assessment points are, okay, then what we find out is the first thing you're looking for, you know, that an assessor would look for, is they're going to say: hey, did they determine if authorized users are actually identified? And, you know, if we were to sort of think about that, maybe give a sample answer, we'd say: hey, authorized users are identified via, maybe, Active Directory or a user login system which is unique to the user, right? Everybody gets their own user ID or unique identifier, right? You'll hear "unique identifier" later in these compliance standards. And again, that's kind of how we would give a sample to that answer.

Assessment point number two: determine if processes acting on behalf of authorized users are identified. Maybe we give a sample answer like this: all processes are identified via system logs by the user executing that process, right? Because again, if you look in system logs, it's always going to have a username or a system username on who it is that executed that process.

Assessment point number three: determine if devices (including other systems) authorized to connect to the system are identified. So hey, are the devices identified? Again, if I was going to give you a sample answer, I'd say: hey, all devices accessing CUI are identified in, I don't know, let's say Active Directory, and of course system log files, right? Your system log is going to tell you what device executed it, and therefore you've got some device identification.

The next assessment point they're looking for is: determine if system access is limited to authorized users. So in this one we give a little different kind of answer. We're going to say: hey, you know what, per group policy, only authorized users within the environment are those users belonging to the CUI handling organizational use. So only those users who belong to a special group of users who are cleared to handle CUI are authorized to access systems containing CUI, right? So again, that's how we determine that it's limited: we limit it to a group of users, and again we clearly demonstrate that through one of our systems, or, you know, again, Active Directory's got lots of ways to sort of delineate down. And again, you might have, so, maybe a regular user, an administrative user and a CUI handling user, and whatever the system may be.

All right, assessment point number, one, two, three, four, and five: determine if system access is limited to processes acting on behalf of authorized users. System access, so yeah, if I was gonna give a sample answer, I'd say: system access is restricted to only those users and processes executed by those authorized users which are allowed based on group policy, or maybe it's system-wide policy, or an access control list. But they have to be limited somehow; you've got to name what that policy is. And again, that would be a good sample answer.

And the final one on this particular control: determine if system access is limited to authorized devices. In other words, do you have a way to make sure that only the devices you're authorizing can actually access that information? In this particular case I'll just kind of give you a sample answer, and again, this may not be, you know, something that'll work for you, but again, it's just a sample answer. We might say: hey, you know what, the IT department is the only issuing authority for devices which are authorized to sign into systems like, maybe, a domain, right? Only the sysadmin can actually sign you into the domain. Those devices capable of accessing CUI are tokenized via multi-factor authentication. So again, great examples like Windows Hello: it gives you a unique token once you've successfully signed in under the right user sort of settings, and again it allows you to have actual multi-factor authentication in place as well. And again, this is unique to only those authorized devices, only those authorized devices, and maybe they're part of a domain, maybe they're not, but only those devices which are tokenized using an MFA token would actually be allowed to access that data.

All right, so first control, congratulations, it's out of the way, right? If you've got specific questions, here's the good news, because at On-Call we work with defense contractors just like you who have had this DFARS, NIST, ITAR and CMMC compliance stuff dropped in their laps like a seagull on a sunny day. We teach you how to level up and be a proper on-call compliance hero for your company, eliminating gaps and gray areas and getting this solved, all while showing you how to leverage compliance as your secret weapon to land more defense work with higher profit margins. Now that's what becoming an on-call compliance hero can do for you.

And hey, if you're looking for more information on, or help getting, compliant, all right, our compliance experts are always on call for you. You can visit cmmc complianceecrets.com or check out the bio below for links to get help right now. If you love the content we're putting out for you, help us out with a big thumbs up on that like button, or even better, smash that subscribe button and get the latest compliance content as soon as our compliance centers roll it out. Until the next compliance tip, my friends, stay safe and secure out there, and hit us in the comments below to let us know what you'd like to know more about when it comes to information security and compliance. And I'll see you on the next one.
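As an added example (not from the video or from On-Call Compliance Solutions), here is a PowerShell script that pulls the kind of evidence the sample answers above describe for each AC.L1-3.1.1 assessment point: the CUI handling group in Active Directory, domain-joined devices, the ACL on a CUI folder, and process-creation events tied to the executing user. It assumes the RSAT ActiveDirectory module is installed, that process creation auditing (Security event 4688) is enabled, and that the group name `CUI-Handlers` and share path `\\fileserver\CUI` are placeholders you replace with your own.

```powershell
# Added example, not the video's or the company's own code. Gathers evidence for the
# AC.L1-3.1.1 assessment points from AD, a CUI folder ACL and the Security event log.
# Assumptions: RSAT ActiveDirectory module present; 4688 auditing enabled by policy;
# 'CUI-Handlers' and '\\fileserver\CUI' are placeholders.
Import-Module ActiveDirectory

$CuiGroup = 'CUI-Handlers'        # placeholder: your CUI handling group
$CuiShare = '\\fileserver\CUI'    # placeholder: a folder that holds CUI

# Point 1: authorized users are identified (enabled members of the CUI handling group).
$authorizedUsers = Get-ADGroupMember -Identity $CuiGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled |
    Where-Object { $_.Enabled }

# Point 3: authorized devices are identified (enabled domain-joined computers;
# IT is the issuing authority that joins them to the domain).
$authorizedDevices = Get-ADComputer -Filter 'Enabled -eq "True"' -Properties OperatingSystem

# Point 4: access is limited to authorized users. Any ACE on the CUI folder that is
# not the CUI group, SYSTEM or Administrators is a finding to fix or justify.
$expected = @("$env:USERDOMAIN\$CuiGroup", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$unexpectedAces = (Get-Acl -Path $CuiShare).Access |
    Where-Object { $expected -notcontains $_.IdentityReference.Value }

# Points 2 and 5: processes are tied to the user who ran them. In event 4688,
# Properties[1] is the subject account and Properties[5] the new process name.
# Computer accounts (ending in $) are skipped; other non-CUI accounts are listed.
$authorizedNames = $authorizedUsers.SamAccountName
$processEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.Properties[1].Value
            Process = $_.Properties[5].Value
        }
    }
$unauthorizedProcs = $processEvents |
    Where-Object { $_.User -notmatch '\$$' -and $authorizedNames -notcontains $_.User }

# Point 6 (device access limited) is evidenced by the device list above plus your
# MFA / Windows Hello policy; this script does not verify MFA enforcement.
"Authorized users: $($authorizedUsers.Count)"
"Authorized devices: $($authorizedDevices.Count)"
"Unexpected ACEs on ${CuiShare}: $($unexpectedAces.Count)"
$unexpectedAces | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
"Process events by non-CUI accounts: $($unauthorizedProcs.Count)"
$unauthorizedProcs | Select-Object -First 10 | Format-Table -AutoSize
```

Run it from an account with read rights to the CUI folder and the Security log; the counts and tables are the artifacts to keep alongside the written sample answers.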