Sample preview. Placeholders in [brackets] are replaced automatically with your answers from the post-purchase customisation form.

NIST 800-171 / CMMC Suite

Access Control Policy (AC family)

Document 1 of [number of documents in suite] · One-time £20 for the full suite

1. Purpose

This policy implements the Access Control (AC) family of NIST SP 800-171 Rev. 2 at [Company Name], in support of CMMC Level [Target CMMC Level].

2. Scope

Applies to all systems within the [Company Name] CUI boundary as defined in the System Security Plan, and to all users (employees, contractors, third parties).

3. Roles

  • System Owner: [Company Owner].
  • Information System Security Manager: [ISSM Name].
  • Account Administrators: authorised members of the [IT / Security Team].

4. Account management (AC.L1-3.1.1, 3.1.2)

  • Accounts are created only after a documented request, approval by the line manager, and identity proofing.
  • Account types (individual, group, system, application, guest) are documented; group and shared accounts are prohibited for CUI access unless a compensating control is in place.
  • Accounts are reviewed at least every 90 days and disabled within 24 hours of role change or termination.

5. Least privilege (AC.L2-3.1.5)

Privileges are granted on a least-privilege, need-to-know basis. Privileged accounts are separate from day-to-day user accounts and require multi-factor authentication.

6. Separation of duties (AC.L2-3.1.4)

Duties for system administration, security administration and audit review are segregated to reduce the risk of malicious or erroneous action.

7. Unsuccessful logon attempts (AC.L2-3.1.8)

Accounts are locked after [N] consecutive failed authentication attempts; unlock requires administrator action or a [N]-minute cooldown.

8. Session controls (AC.L2-3.1.10, 3.1.11)

Sessions are locked after [N] minutes of inactivity and terminated after a defined period. Concurrent session limits are enforced for privileged accounts.

9. Remote access (AC.L2-3.1.12 to 3.1.15)

Remote access to CUI is permitted only via the approved VPN / ZTNA solution, with MFA, full-tunnel routing, and session logging. Split tunnelling is prohibited.

10. Wireless and mobile (AC.L2-3.1.16 to 3.1.19)

Wireless networks use WPA3-Enterprise with certificate authentication. Mobile devices accessing CUI are enrolled in MDM with encryption and remote wipe.

11. Use of external systems (AC.L2-3.1.20, 3.1.21)

Use of external information systems (personal devices, partner systems) to process CUI requires written authorisation and an equivalent control baseline.

12. Publicly accessible content (AC.L1-3.1.22)

Content posted to publicly accessible systems is reviewed and approved by [Company Owner] or delegate prior to publication; CUI is never posted publicly.

13. Enforcement

Violations of this policy may result in disciplinary action up to and including termination, and where applicable, notification to the contracting officer.

Approved by: [Company Owner]
Effective date: [Effective Date]
Next review: [Review Date]
