3.1 AC
The AC family is the right one to build first and to build most carefully: C3PAO assessors start here, ISO 27001 auditors sample access control evidence in almost every audit, and DEFSTAN Profile 2 assessors treat identity and access as the primary technical control. The document contains 1,020 paragraphs across five structured sections. Here is what each section contains and how to use it.
Document structure overview
The document follows the standard seven-section template established for all 14 family pages, compressed to five sections here with the ISO/DEFSTAN notes embedded per control rather than in a separate section. This structure is deliberate — assessors and engineers look at individual controls, not framework-comparison summaries. Keeping the cross-framework notes at the control level means the person implementing 3.1.13 (remote session encryption) sees the FIPS requirement, the ISO 27001 Annex A 8.24 note, and the DEFSTAN cryptographic guidance all in one place without navigating to a separate section.
Section 1 — Control implementation summary table gives the SSP status view of all 22 controls in a single table. This is what populates the corresponding section of your System Security Plan. The implementation status column (Implemented / Partially Implemented / Planned) maps directly to the SSP self-assessment format. Any control not showing "Implemented" must have a POA&M entry with a remediation date.
Section 2 — Technical implementation procedures is the longest and most detailed section. Each of the 22 controls contains: the control requirement text verbatim from NIST SP 800-171 Rev 2; the NIST SP 800-171A assessment method (Examine, Interview, or Test — this is from the companion assessment procedures document and tells your team exactly what a C3PAO assessor will do); the SSP implementation description in bullet form; an ISO 27001 Annex A implementation note explaining which Annex A controls are satisfied; a DEFSTAN 05-138 note explaining the Profile 1 or Profile 2 positioning and any UK-specific nuance; and the evidence items that demonstrate compliance.
Section 3 — Evidence requirements register consolidates all 14 evidence items this family generates into a single table with their Confluence locations, frequencies, and control cross-references. This is the AC family's contribution to your audit evidence register (EV-D and EV-F categories).
Section 4 — C3PAO/Assessor preparation checklist organises the assessment objectives by control group, broken into Examine, Interview, and Test activities. The colour coding distinguishes the three methods: blue for Examine, teal for Interview, amber for Test. Before an external assessment, your team should work through this section and confirm every item has a ready answer or a prepared evidence pack.
Section 5 — Version history provides the document control trail ISO 27001 clause 7.5.3 requires.
The four controls that most commonly cause AC family findings
With the full 22-control set built, the findings that CMMC and NIST assessments generate against this family cluster around four controls.
The first is 3.1.5 (least privilege) evidenced against 3.1.1 (authorised users). Having an access control policy is not enough — the assessor will look for the quarterly privileged account review records (EV-D01) to confirm that least privilege is actually being maintained over time, not just at provisioning. If the last quarterly review was eight months ago, this is a finding against 3.1.5 regardless of how well the underlying technical controls are configured.
The second is 3.1.12 combined with 3.1.13 (remote access monitoring and encryption). Organisations typically have VPN encryption in place but lack the SIEM integration that turns remote access logs into reviewable evidence. The monthly log review record (EV-F01) must show that remote access sessions are being reviewed — not just that a VPN exists. The absence of this review record fails 3.1.12 even when the technical control is sound.
The third is 3.1.22 (CUI on public systems). This is the control most often overlooked because it is treated as a content governance problem rather than a technical control. Assessors will attempt to access publicly facing systems directly and look for inadvertent CUI exposure. The quarterly public system review record (EV-D20) is mandatory evidence — without it, the assessor has no basis to conclude that the review is happening.
The fourth is 3.1.19 (CUI encryption on mobile devices) combined with the FIPS validation requirement in 3.13.11. Many organisations have device encryption enabled via MDM but cannot demonstrate that the encryption is provided by a FIPS 140-2 or FIPS 140-3 validated module. Validation is granted per module and per version, not per platform: Apple's Corecrypto modules hold CMVP certificates for specific iOS releases, and on Android the certificate belongs to the OEM's or Google's module on specific device and OS builds, not to Android in general. The SSP must therefore record the CMVP certificate number, module name and validated version for the exact OS version in the fleet, pointing to the NIST CMVP database entry, and the entry must be re-checked after every OS upgrade, because an update can move devices onto a build the certificate does not cover. This is a documentation gap, not a technical gap, but it generates a finding in nearly every first-time CMMC assessment.
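Three of the four findings above (3.1.5, 3.1.12 and 3.1.22) are failures of evidence cadence rather than of technical controls, and the Section 3 register already records every item's frequency and last review. The following script, an added example that is not part of the document or of any assessor toolkit, reads such a register and reports which evidence items are overdue or were never produced and which controls that leaves unsupported. The register rows are constructed for illustration: EV-D01, EV-F01 and EV-D20 are the IDs the text uses, EV-D03 is a hypothetical fourth item, and all dates, Confluence locations and the 14-day warning window are assumptions.

```python
"""Evidence-register freshness check for the AC family (added example).

Flags every evidence item whose last review is older than its stated
frequency, so the "quarterly review was eight months ago" finding is
caught internally before an assessor raises it.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Review cadence in days, keyed by the word used in the register's frequency column.
FREQUENCY_DAYS = {"monthly": 31, "quarterly": 92, "annual": 366}

# Constructed sample register. EV-D03 is hypothetical; dates and locations are placeholders.
SAMPLE_REGISTER = """\
evidence_id,description,frequency,controls,last_review,location
EV-D01,Privileged account review record,Quarterly,3.1.1;3.1.5,2024-03-04,ISMS/AC/EV-D01
EV-F01,Remote access log review record,Monthly,3.1.12;3.1.13,2024-10-20,ISMS/AC/EV-F01
EV-D20,Public system CUI review record,Quarterly,3.1.22,,ISMS/AC/EV-D20
EV-D03,Access control policy approval,Annual,3.1.1,2024-02-01,ISMS/AC/EV-D03
"""


@dataclass
class EvidenceStatus:
    evidence_id: str
    controls: List[str]
    status: str        # "current", "due-soon", "overdue" or "never-performed"
    days_overdue: int  # 0 unless status is "overdue"


def parse_register(text: str):
    """Parse the CSV register; an unknown frequency word is an error, not a silent pass."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        freq = row["frequency"].strip().lower()
        if freq not in FREQUENCY_DAYS:
            raise ValueError(f"{row['evidence_id']}: unknown frequency {row['frequency']!r}")
        last = row["last_review"].strip()
        rows.append({
            "evidence_id": row["evidence_id"].strip(),
            "controls": [c.strip() for c in row["controls"].split(";") if c.strip()],
            "period": FREQUENCY_DAYS[freq],
            "last_review": date.fromisoformat(last) if last else None,
        })
    return rows


def assess(rows, as_of: date, warn_days: int = 14) -> List[EvidenceStatus]:
    """Classify each item against its cadence as of a fixed date (deterministic for audits)."""
    results = []
    for r in rows:
        last: Optional[date] = r["last_review"]
        if last is None:
            # A blank last_review means the review has never been recorded at all.
            results.append(EvidenceStatus(r["evidence_id"], r["controls"], "never-performed", 0))
            continue
        due = last + timedelta(days=r["period"])
        if as_of > due:
            status, over = "overdue", (as_of - due).days
        elif (due - as_of).days <= warn_days:
            status, over = "due-soon", 0
        else:
            status, over = "current", 0
        results.append(EvidenceStatus(r["evidence_id"], r["controls"], status, over))
    return results


def findings_by_control(results: List[EvidenceStatus]):
    """Map each control to the evidence IDs that cannot currently support it.

    Overdue or never-performed evidence leaves its controls unsupported; that is
    the trigger for a "Partially Implemented" SSP status and a POA&M entry.
    """
    unsupported = {}
    for res in results:
        if res.status in ("overdue", "never-performed"):
            for ctl in res.controls:
                unsupported.setdefault(ctl, []).append(res.evidence_id)
    # Order controls numerically (3.1.5 before 3.1.12) rather than as strings.
    return dict(sorted(unsupported.items(), key=lambda kv: tuple(int(x) for x in kv[0].split("."))))


def run(as_of: date = date(2024, 11, 15), register: str = SAMPLE_REGISTER):
    results = assess(parse_register(register), as_of)
    return results, findings_by_control(results)


if __name__ == "__main__":
    results, findings = run()
    for r in results:
        print(f"{r.evidence_id:7} {r.status:16} {r.days_overdue:>4}d  {', '.join(r.controls)}")
    for ctl, ids in findings.items():
        print(f"POA&M candidate {ctl}: unsupported by {', '.join(ids)}")
```

Run it with the real register exported from Confluence and today's date; the "due-soon" band is what stops a quarterly review from quietly slipping past its window, and the per-control map is the list that should already be in the POA&M before the assessor asks for it.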
Using this page as Confluence content
To bring this document into Confluence: in your Confluence space, navigate to 03 · Advanced Controls, create a new child page titled AT-AC · Access Control, and either use the Confluence Word import feature (which converts the document into a native page) or attach the .docx (Insert → Files and Images → Upload) and render it with the Office Word macro. Alternatively, the document structure maps directly to Confluence macros: the section banner tables become {panel} macros, the coloured badge rows become {status} and {label} macros, and the control procedure blocks become {expand} macros for each individual control.
Apply page-level restrictions immediately on creation: space permissions should not allow all-staff to see this page. Set View restriction to isms-it-staff and isms-security groups only before publishing.
Label the page with: nist-800-171, ac-family, cmmc-level-2, defstan-p2, iso-annex-a, advanced-controls, and ssp-content. These labels enable the cross-reference filtering in your Reference Library and allow the CISO to pull all SSP-contributing pages as a filtered view.