Model Overview

Access Control (AC)

Level 1	Level 2	Level 3 (TBD)
AC.L1-3.1.1 Authorized Access Control Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). FAR Clause 52.204-21 b.1.i NIST SP 800-171 Rev 2 3.1.1	AC.L2-3.1.3 Control CUI Flow Control the flow of CUI in accordance with approved authorizations. NIST SP 800-171 Rev 2 3.1.3
AC.L1-3.1.2 Transaction & Function Control Limit information system access to the types of transactions and functions that authorized users are permitted to execute. FAR Clause 52.204-21 b.1.ii NIST SP 800-171 Rev 2 3.1.2	AC.L2-3.1.4 Separation of Duties Separate the duties of individuals to reduce the risk of malevolent activity without collusion. NIST SP 800-171 Rev 2 3.1.4
AC.L1-3.1.20 External Connections Verify and control/limit connections to and use of external information systems. FAR Clause 52.204-21 b.1.iii NIST SP 800-171 Rev 2 3.1.20	AC.L2-3.1.5 Least Privilege Employ the principle of least privilege, including for specific security functions and privileged accounts. NIST SP 800-171 Rev 2 3.1.5
AC.L1-3.1.22 Control Public Information Control information posted or processed on publicly accessible information systems. FAR Clause 52.204-21 b.1.iv NIST SP 800-171 Rev 2 3.1.22	AC.L2-3.1.6 Non-Privileged Account Use Use non-privileged accounts or roles when accessing nonsecurity functions. NIST SP 800-171 Rev 2 3.1.6