CMMC Practice Requirement:

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

CMMC Requirement Explanation:

By controlling which people and systems access your network, you can prevent unauthorized access to “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI).

Example CMMC Implementation:

Create an account creation process. Only provide user accounts to authorized persons. Require users to log in to your systems using a password. Only allow authorized devices onto your network. This includes restricting the workstations, servers, and even printers allowed on your network.


- Scenario 1:


Alice is responsible for creating user accounts. She follows her IT team's account creation process. The process only allows authorized persons to be given a user account. Every account Alice creates is password protected so that only the intended person can use it.
Using group policy, Alice requires all user accounts to be password protected.

- Scenario 2:

Alice is a system administrator. She receives word from human resources (HR) that an employee will be terminated today at 3:00 PM. At 3:00 PM Alice disables his user account. The former employee no longer has access to company systems.

- Scenario 3:

Bob decides to bring his personal laptop to work and connect it to the corporate network. Alice, a system administrator, notices that an unauthorized device has connected to the network. She blocks the MAC address on her DHCP server to prevent it from connecting to the network. Bob submits a help desk ticket stating that he can't access the network. Alice responds to the ticket and discovers that she has blocked Bob's personal device. Alice tells Bob to use his work computer, as personal devices are not allowed on the corporate network.
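
One way to automate the check Alice performs in Scenario 3, as an added example that is not part of the original page: compare DHCP leases against an inventory of authorized devices and list anything that does not match. The CSV layout, device names, IP addresses and MAC addresses are constructed assumptions; a real lease export will differ by DHCP server.

```python
import csv
import io
import re

# Constructed inventory of authorized devices (hypothetical names and MACs).
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:5e": "WS-ALICE",
    "00:1a:2b:3c:4d:5f": "WS-BOB",
    "00:1a:2b:aa:bb:01": "PRN-FLOOR2",
}

# Constructed DHCP lease export; the column names are an assumption.
SAMPLE_LEASES = """ip,mac,hostname
10.0.0.21,00-1A-2B-3C-4D-5E,WS-ALICE
10.0.0.22,001a.2b3c.4d5f,WS-BOB
10.0.0.40,00:1A:2B:AA:BB:01,PRN-FLOOR2
10.0.0.57,A4:5E:60:11:22:33,bobs-laptop
10.0.0.58,not-a-mac,unknown
"""

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    # Accept colon, hyphen and dotted notations by stripping the separators.
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_unauthorized(lease_csv, authorized):
    """Return (ip, mac, hostname, reason) for every lease not in the inventory."""
    known = {normalize_mac(mac) for mac in authorized}
    findings = []
    for row in csv.DictReader(io.StringIO(lease_csv)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            # Unparseable entries are reported rather than silently skipped.
            findings.append((row["ip"], row["mac"], row["hostname"], "malformed MAC"))
        elif mac not in known:
            findings.append((row["ip"], mac, row["hostname"], "not in inventory"))
    return findings

if __name__ == "__main__":
    for ip, mac, host, reason in find_unauthorized(SAMPLE_LEASES, AUTHORIZED_DEVICES):
        print(f"REVIEW {ip} {mac} {host}: {reason}")
```

Each flagged lease is a candidate for the review Alice does before blocking a MAC address on the DHCP server.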
