CMMC Domain 1: Access Control, the One Everyone Underestimates
Welcome to post one of fourteen. Over this series I am going to walk you through every CMMC domain, one at a time, the way I would if you and I were sitting at your desk and your assessor was showing up next month.
We start with the big one. Access Control, or AC. CMMC pulls AC straight out of NIST SP 800-171, and at Level 2 you are looking at twenty-two practices, more than any other domain. That alone tells you how seriously the DoD takes this. If you mess up Access Control, none of the other thirteen domains save you, because the attacker is already inside your environment looking at CUI.
What the domain actually covers
Access Control covers who can log into your systems, what they can do once they are in, and how you stop them when they should not be there anymore. The big themes line up like this.
- Limit access to authorized users. Sounds obvious. In practice that means an inventory of who has access to CUI and proof you reviewed it.
- Limit access to the types of transactions and functions a user is permitted to execute. This is where role based access control lives. Someone in finance does not need engineering drawings.
- Control the flow of CUI in accordance with approved authorizations. Network segmentation. Data labeling. CUI enclaves. If your CUI is mixed in with everything else on a flat network, this practice is failing.
- Separate duties. Administrators should not approve their own changes. Whoever runs payroll should not also write the checks.
- Least privilege. Default deny. Add access only when needed. Elevated accounts must be separate from daily user accounts.
- Session lock and session termination. Screens lock after inactivity. Sessions end after a defined period. Yes, your assessor will check.
- Remote access controls. VPN with multifactor. Encrypted channels. Logging of every remote session. Privileged remote access gets even more scrutiny.
- Wireless access. Authentication and encryption. No open guest networks bridged to the production network.
- Mobile device controls. Encryption, MDM, restricted use of CUI on mobile.
The gotchas: this is where you fail
Shared admin accounts. The classic. Three IT staff all logging in with the same Administrator account. You have zero accountability. Every one of those people needs a named admin account, and the built-in Administrator (RID 500, whatever you renamed it to) should be disabled or locked down and monitored.
Vendor and contractor accounts left active. Someone from a vendor came in for a six month project two years ago. The account is still enabled. The password has not changed. Nobody owns it. Your assessor will find this in five minutes.
MFA only on remote access. The requirement reads broader than that. Strictly it lives in the Identification and Authentication domain (3.5.3), but it gets assessed right alongside your access controls: multifactor for local and network access to privileged accounts, and for network access to every non-privileged account. If your domain admin can log into the console without MFA because they are sitting in the office, you have a finding.
Role based access that is not actually role based. You set up groups two years ago. Then everybody got added to everything because it was easier. That is not RBAC, that is a mess with group names. You need a current matrix that maps roles to permissions and a recurring review.
Service accounts with too much power. Service accounts running as domain admin. Service accounts with interactive logon rights. Service accounts that have not had their password changed since 2018. All findings.
CUI on personal devices. The salesperson who emails CUI to their personal Gmail because the VPN is slow. The engineer who copies drawings to a personal laptop on the weekend. You need policy, technical controls, and monitoring.
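The three account gotchas above are exactly the ones an assessor finds in five minutes, so find them first. The following is an added example, not code from the original post: a PowerShell sweep using the RSAT ActiveDirectory module that flattens your privileged groups, flags enabled-but-idle accounts, stale passwords, the built-in Administrator, and service accounts holding privileged membership, then writes a CSV you can attach to the quarterly review. The 90-day idle threshold, 365-day password age, the privileged group list and the `svc*` naming rule are assumptions; swap in whatever your access control policy actually says.

```powershell
# Added example, not code from the original post. Sweeps Active Directory for the
# gotchas above (built-in Administrator in use, stale vendor accounts, service accounts
# with too much power, members of privileged groups) and writes a CSV for the review.
# Assumes the RSAT ActiveDirectory module on a domain-joined host with read access.
# The idle and password-age thresholds and the 'svc*' naming rule are assumptions;
# replace them with whatever your access control policy actually says.

Import-Module ActiveDirectory

$IdleDays        = 90
$PasswordAgeDays = 365
$Now             = Get-Date
$ReportPath      = ".\ac-review-$(Get-Date -Format yyyyMMdd).csv"

# Groups the reviewer must be able to justify member by member (assumed list; extend it).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

# Flatten nested membership so a user hidden three groups deep still shows up.
$privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Sam = $_.SamAccountName } }
}
$privilegedNames = @($privileged.Sam | Sort-Object -Unique)

$props = 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires',
         'ServicePrincipalName', 'Description', 'whenCreated'

$findings = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $u      = $_
    $flags  = [System.Collections.Generic.List[string]]::new()
    $isPriv = $privilegedNames -contains $u.SamAccountName
    # An SPN means something authenticates as this account; 'svc*' is a naming assumption.
    $isSvc  = ($u.ServicePrincipalName.Count -gt 0) -or ($u.SamAccountName -like 'svc*')

    # RID 500 is the built-in Administrator, whatever it has been renamed to.
    if ($u.SID.Value -like '*-500' -and $u.Enabled) { $flags.Add('BuiltInAdminEnabled') }

    if ($u.Enabled) {
        # Enabled but idle: the vendor/contractor account nobody owns.
        # LastLogonDate comes from lastLogonTimestamp, which replicates with up to 14 days of lag.
        if ($u.LastLogonDate) {
            if (($Now - $u.LastLogonDate).Days -gt $IdleDays) { $flags.Add("IdleOver${IdleDays}d") }
        } elseif (($Now - $u.whenCreated).Days -gt $IdleDays) { $flags.Add('NeverLoggedOn') }

        # Password rotation.
        if (-not $u.PasswordLastSet) { $flags.Add('PasswordNeverSet') }
        elseif (($Now - $u.PasswordLastSet).Days -gt $PasswordAgeDays) { $flags.Add("PasswordOlderThan${PasswordAgeDays}d") }
    }

    # Service accounts with too much power.
    if ($isSvc -and $isPriv)                 { $flags.Add('ServiceAccountInPrivilegedGroup') }
    if ($isSvc -and $u.PasswordNeverExpires) { $flags.Add('ServiceAccountPasswordNeverExpires') }

    # Every privileged account goes on the report even when clean, so the reviewer signs for each one.
    if ($flags.Count -gt 0 -or $isPriv) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            Privileged      = $isPriv
            PrivilegedVia   = (($privileged | Where-Object Sam -eq $u.SamAccountName).Group -join ';')
            ServiceAccount  = $isSvc
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Findings        = ($flags -join ';')
            Description     = $u.Description
        }
    }
}

$findings | Sort-Object @{ Expression = 'Privileged'; Descending = $true }, SamAccountName |
    Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Where-Object Findings | Format-Table SamAccountName, Privileged, Findings -AutoSize
"$($findings.Count) accounts written to $ReportPath"
```

Run it as a read-only account and keep the dated CSV: the signed copy of that file is the evidence for the review, and a diff between two quarters shows the assessor that the review actually changes things. Treat `LastLogonDate` as approximate, since it is derived from the replicated `lastLogonTimestamp` and can lag real activity by up to two weeks.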
What to actually do
- Start with the inventory. Who has access to what? Pull every Active Directory group, every shared drive permission, every application role. If you cannot list it, you cannot control it.
- Build a role to permissions matrix. Document what each role gets. Get it signed off by the business owner.
- Implement MFA everywhere the requirement reaches, which in practice is everywhere: local and network logon for privileged accounts, network access for everyone else. Not just remote. Phishing-resistant MFA is the gold standard, FIDO2 security keys for example. SMS codes are the weakest second factor and should not be what your privileged accounts depend on.
- Set session lock at fifteen minutes or less. 800-171 leaves the inactivity period to you, but fifteen minutes is what every hardening baseline uses and what assessors expect. Session termination after a defined period of inactivity, and write the number down, because "reasonable" is not a value an assessor can test. Document the policy and confirm the GPO actually applies on a sample of endpoints.
- Review access quarterly. Document the review. Have managers sign off. The signed review is your evidence.
- Kill shared accounts. Every privileged action gets tied to a named human.
- Lock down service accounts. Strong password, no interactive logon, regular rotation, least privilege. Where the workload supports it, a group managed service account takes the rotation problem off your hands entirely.
- Segment your CUI. If your network is flat, you have work to do. CUI enclaves with strict access controls between segments will save you so much pain.
- Train your users. Access Control depends on people not sharing passwords, not letting somebody piggyback into the office, not approving their own access requests. The Awareness and Training domain backs this up, but the behavior shows up in Access Control findings.
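"Confirm the GPO actually applies on a sample of endpoints" means asking the endpoints, not the GPO console. Here is an added example, not code from the original post, that does that: it reads the effective "Interactive logon: Machine inactivity limit" value (stored under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs`) from a sample of hosts over WinRM and grades each one against the fifteen-minute policy. The host names, the 900-second limit, and the assumption that WinRM is enabled and you hold local admin on the targets are all assumptions.

```powershell
# Added example, not code from the original post. Pulls the effective session lock
# value from a sample of endpoints so the evidence is what the machines say, not what
# the GPO console says. "Interactive logon: Machine inactivity limit" lands in
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs.
# Assumes WinRM is enabled on the targets and you hold local admin there.
# The host names and the 900 second limit are assumptions; use your policy's figures.

$Sample  = 'WKS-001', 'WKS-017', 'ENG-LAPTOP-04', 'FIN-DESKTOP-09'   # pick a fresh random sample each review
$MaxSecs = 900

$observed = Invoke-Command -ComputerName $Sample -ErrorAction Continue -ScriptBlock {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    $secs = if ($item) { [int]$item.InactivityTimeoutSecs } else { $null }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Secs = $secs; CheckedAt = Get-Date }
}

$report = @(foreach ($o in $observed) {
    $status = if ($null -eq $o.Secs) { 'FAIL: policy not applied' }
    elseif ($o.Secs -eq 0) { 'FAIL: limit disabled' }
    elseif ($o.Secs -gt $MaxSecs) { "FAIL: $($o.Secs)s exceeds ${MaxSecs}s" }
    else { 'PASS' }
    [pscustomobject]@{ Host = $o.Host; InactivityTimeoutSecs = $o.Secs; Status = $status; CheckedAt = $o.CheckedAt }
})

# A host you could not reach is not evidence of anything; record it as a gap, not a pass.
foreach ($h in ($Sample | Where-Object { $_ -notin $observed.PSComputerName })) {
    $report += [pscustomobject]@{ Host = $h; InactivityTimeoutSecs = $null; Status = 'UNREACHABLE'; CheckedAt = Get-Date }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\session-lock-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

A value of 0 means the limit is configured but disabled, which looks like a setting and behaves like none, so it is graded as a failure rather than a pass. Keep the dated CSV next to the screenshot of the GPO; the pair is what demonstrates the policy is both written and enforced.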
The bottom line
Access Control is the foundation. If you only have time to perfect one domain before assessment, this is the one. Get the inventory clean, kill the shared accounts, deploy MFA everywhere, and document everything you do. Your assessor will want evidence, not promises. A clean Access Control posture also makes every other domain easier, because half the practices in the other thirteen domains assume you already know who is doing what on your network.
How we help at threathunter.ai
JAXBERT is our CMMC compliance product and it maps your Access Control evidence directly to the CMMC objectives so the assessor sees what they need without you scrambling.
MILBERT, our identity threat product, catches the credential attacks that target your privileged accounts, including adversary in the middle phishing, session hijacking, and MFA bypass.
GEIGER maps the attack paths across AD, Azure, AWS, GCP, and Okta so you can see where a single compromised identity could take an attacker. Our 24/7 Hunt service watches the access logs in real time.
Next up, Awareness and Training. Three practices, but do not let the small number fool you. People are still your weakest link.