This is an example page from the Workbook Terry Lehman and I are working on a handbook for the DFARS Interim rules.

Like always this work has a Creative Commons BY-SA license. Feel free to use in any as long as you share the love.

Access Control

In many ways good cyber hygeine begins and ends with Access Control. A company must create a culture of cybersecurity and continuous improvement and this begins by developing the practices and processes to limit and protect FCI and CUI. According to the CMMC Access control activities:

ensure that access granted to organizational systems and information is commensurate with defined access requirements. Access requirements are developed based on the organization’s needs balanced with the security requirements needed to protect the organization’s assets.


Overall focusing on access control provides the greatest Return on Investment for organizations looking to harden cybersecurity. Thus the Department of Defense (DOD) requires Observable Evidence (OE) of Access Control policies for companies who interact with Federal Contract Information.

Therefore the rules of the road get defined by “Basic Safeguarding of Contractor Information Systems’ (48 CFR 52.204-21 (often referred to as simply “21”). If a company has access to either inherited or created CUI Access Control is not enough but it is essential to all cybersecurity efforts.

The DFARS Interim assessment guide includes 22 controls pulled from 48 CFR 52.204-21 and NIST 800-171 for Access Control

Connection to the CMMC

Access control practices get introduced in Maturation Level 1 build up four capabilities as processes get institutionalized:

  1. Establish system access requirement
  2. Control internal system access
  3. Control remote system access
  4. Limit data access to authorized users and processes

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)


This control, like all those requirements fundamentals to the l NIST SP 800-171 ‘Basic Security Requirements’ remain so critical to cybersecurity that you must subtract five points from the score of a 110 . Basically if a company does not limit access to secure systems and data almost all other cyber security get rendered moot.

Connection to the CMMC

NIST 800-171 -AC 3.1.1 gets reflected in the CMMC as a maturation level one practice AC 1.001 and builds to the capability of establishing system access requirements.

NIST 800 171- A.c 31.1.1 is also first of the 15 CFR Safeguarding Requirements . Access control should lead to a culture where users and employees get limited access to only information systems they need to complete their job.

Goals of Self-Assessment

As you complete your DFARS Interim rule self assessment you want to ensure you determine how you identify users. You also need to note how you determine what processes are being run by users. Your Security plan a needs to detail how access by devices and users are limited to only those with authorization.

Where to Look

☑ Access Control Policy

☑ Account Management Procedures

☑ System Security Plan

☑ System Monitoring Records

☑ etc

Your Observable Evidence

Who to Talk To

☑ Personnel with account management responsibiltiies

☑ System administrators

☑ Network Administrators

☑ Personnel with security responsibiltiies

Your Observable Evidence

What to Test

☑ Account management mechanisms

☑ System account managing processes

Your Observable Evidence

DFARS NIST 800-171 Score _______

Information, if needed, for the PO&AM