# Access Control
Access Control is the largest family — 22 requirements. It’s also where the most gaps are found during assessments.
## The Five Themes

- **Who and What (3.1.1–3.1.7)** — Who has access, what they can do, least privilege, separation of duties, and logging admin work.
- **Session Controls (3.1.8–3.1.11)** — Locking out failed logins, login banners, auto-lock, and session termination.
- **Remote Access (3.1.12–3.1.15)** — Monitoring remote connections, encrypting them, routing them through managed gateways, and controlling remote admin.
- **Wireless & Mobile (3.1.16–3.1.19)** — Authorizing wireless, encrypting it, managing mobile devices, and encrypting CUI on portable devices.
- **External & Media (3.1.20–3.1.22)** — Controlling connections to outside systems, controlling USB drives, and keeping CUI off public systems.
## All 22 Requirements

| Ref | Short Name | What It Covers |
|---|---|---|
| 3.1.1 | Who Gets In | Only approved users, processes, and devices access systems |
| 3.1.2 | What They Can Do | Users only do what their role allows |
| 3.1.3 | Where CUI Can Flow | CUI only moves between approved locations |
| 3.1.4 | No One Person Runs the Show | Split critical duties between people |
| 3.1.5 | Minimum Necessary | Least access needed for the job |
| 3.1.6 | Two Hats, Two Accounts | Admins use regular accounts for everyday tasks |
| 3.1.7 | Log the Admin Work | Block standard users from admin; log all admin actions |
| 3.1.8 | Lock After Failed Logins | Account lockout after failed attempts |
| 3.1.9 | The Warning Banner | Legal notice at every login screen |
| 3.1.10 | Lock the Screen | Auto-lock after inactivity, hide data |
| 3.1.11 | End the Session | Sessions terminate automatically |
| 3.1.12 | Eyes on Remote Access | Monitor and control every remote connection |
| 3.1.13 | Encrypt Remote Sessions | FIPS-validated encryption on all remote access |
| 3.1.14 | One Front Door | All remote access through a managed gateway |
| 3.1.15 | Admin Commands Over the Wire | Limit which admin tasks can happen remotely |
| 3.1.16 | Wi-Fi Approval First | Devices approved before wireless connection |
| 3.1.17 | Lock Down the Wi-Fi | Enterprise authentication and FIPS encryption |
| 3.1.18 | Mobile Device Control | Every phone and tablet registered and managed |
| 3.1.19 | Encrypt CUI on Mobile | Full disk encryption on every portable device |
| 3.1.20 | Control Outside Connections | Map and control every external connection |
| 3.1.21 | USB Drives Under Control | Company-owned encrypted drives only |
| 3.1.22 | Keep CUI Off Public Systems | Review process before publishing anything |