CMMC Access Control Explained: What Small Businesses Actually Need to Do

Access Control is the first domain you'll encounter in CMMC Level 1—and for good reason. Before you worry about antivirus software, firewalls, or any other security measures, you need to answer a fundamental question: who can get into your systems in the first place?

At its core, Access Control is about making sure only the right people can access your stuff. Your computers, your files, your network, your data. If the wrong people can get in, nothing else you do matters.

For CMMC Level 1, there are four Access Control requirements. They're not complicated, but they do require deliberate attention. Most small businesses have some access controls in place already—the gap is usually in consistency and documentation.

This guide breaks down each of the four requirements in plain English, shows you what compliance actually looks like in a small business, and tells you what evidence you'll need to prove you're doing it right.


AC.L1-3.1.1: Limit System Access to Authorized Users

Plain English: Only people who work for you should be able to access your systems.

This sounds obvious, but it's where many small businesses have gaps. The requirement means you've made deliberate decisions about who can use your computers, network, and business systems—and you've taken steps to keep everyone else out.

What This Looks Like in Practice

Every employee has their own username and password. No exceptions. When John logs into a computer, you know it's John because he's using John's credentials. This seems basic, but it's the foundation of everything else.

No shared accounts. That "admin" account everyone uses? That "shop floor" login on the production computer? Those have to go. Shared accounts make it impossible to know who did what. If something goes wrong—or if something goes right and you want to know who to thank—shared accounts leave you guessing.

Former employees are removed immediately. When someone leaves your company, their access should be shut off that same day. Not next week. Not when IT gets around to it. Immediately. This includes email, network access, software logins, VPN access, and any other systems they could reach.

Contractors and vendors have limited, documented access. If outside parties need access to your systems—IT support, software vendors, consultants—that access should be specific, limited, and written down. They get only what they need for their job, and you know exactly what that is.

Evidence You'll Need

When it's time to prove you meet this requirement, you should be able to produce:

  • A current list of all user accounts on your systems
  • Documented procedures for what happens when someone leaves (termination checklist)
  • Access request forms or records showing how access is granted
  • Records of access reviews (periodic checks that accounts are still appropriate)

AC.L1-3.1.2: Limit Access Based on Job Function

Plain English: People should only be able to access what they need for their job—nothing more.

This is the "need to know" principle applied to your systems. Your accountant doesn't need access to engineering drawings. Your shop floor workers don't need HR files. Your sales team doesn't need to see payroll data. Everyone gets access to what they need, and that's it.

What This Looks Like in Practice

File folders with permissions. Your shared drive shouldn't be a free-for-all where everyone can see everything. Create folders for different departments or functions, and set permissions so only the right people can access each one. Accounting files are accessible to accounting. Engineering files are accessible to engineering.

Role-based access in software. Most business software lets you define what different users can do. Your ERP system, accounting software, CRM—they all have permission settings. Use them. Not everyone needs to be an administrator. Most people should have limited roles that match their actual responsibilities.

The "need to know" principle. When someone asks for access to something, the question isn't just "is this person trustworthy?" The question is "do they actually need this to do their job?" If the answer is no, they don't get access—even if they're the most trustworthy person in the company.

Local administrator access is restricted. If everyone is an administrator on their own computer, they can install software, change settings, and potentially create security problems. Most employees should be standard users, with administrator access reserved for IT staff or designated individuals.

Evidence You'll Need

To demonstrate compliance with this requirement, be prepared to show:

  • Access control lists showing who has access to what folders and systems
  • Role definitions in your key software (who has admin vs. user access)
  • Documentation of your permission structure
  • Records of access reviews confirming permissions are still appropriate

AC.L1-3.1.20: Control External System Connections

Plain English: Control what outside systems connect to yours.

Your business doesn't operate in isolation. You probably use cloud services, allow vendors to connect remotely for support, and have various connections between your network and the outside world. This requirement says those connections need to be managed and controlled—not just allowed to happen.

What This Looks Like in Practice

You know what external connections exist. This might sound simple, but many small businesses can't list all the ways outside systems connect to theirs. Cloud storage services, remote access tools, vendor VPN connections, accounting software that syncs with your bank—make a list. You can't control what you don't know about.

New connections require approval. Before adding a new cloud service or giving a vendor remote access, someone should review and approve it. This doesn't need to be a complex process, but it should be deliberate. "Does this make sense? Is it secure enough? Do we understand the risks?"

Vendor access is documented and controlled. When your IT support company connects remotely, or when a software vendor needs to troubleshoot, that access should be documented. You should know who can connect, what they can access, and ideally have a way to turn it off when it's not needed.

Evidence You'll Need

For this requirement, your evidence might include:

  • An inventory of external connections (cloud services, remote access, vendor links)
  • Records of approval for each connection
  • Vendor access agreements or contracts with security terms
  • Configuration documentation for firewalls or security devices managing these connections

AC.L1-3.1.22: Control Publicly Posted Information

Plain English: Control what company information gets posted publicly.

This requirement often surprises people. What does your website have to do with access control? The answer: attackers use publicly available information to target their attacks.

Your website lists your employees and their roles. Your social media shows your office location and the software you use. Your press releases mention contracts you've won. All of this information can help an attacker craft a convincing phishing email or figure out how to get into your systems.

What This Looks Like in Practice

Someone approves public posts. Before information about your company goes on your website, social media, or press releases, someone should verify it's appropriate to share. This is especially important for anything that might reveal details about contracts, customers, or internal operations.

Website content is reviewed periodically. What's on your company website? Is any of it giving away too much information? Do you really need to list every employee's email address? A periodic review helps catch information that shouldn't be public.

Social media guidelines exist. Employees posting about work on social media can inadvertently reveal sensitive information. Simple guidelines about what's okay to share—and what isn't—help prevent problems.

Evidence You'll Need

To show you're meeting this requirement:

  • A policy covering public posting of company information
  • Records showing approval of website content or press releases
  • Social media guidelines or acceptable use policies
  • Evidence of periodic reviews of publicly available information

Common Access Control Gaps

Based on what we see with small businesses, here are the access control problems that come up most often:

Shared passwords for convenience. "Everyone knows the password to that computer." This seems easier than managing individual accounts, but it violates the first requirement and makes everything else harder. Bite the bullet and set up individual accounts.

Ex-employees still having access. Check your accounts right now. Are there people who left months ago who still have active logins? This is one of the most common gaps—and one of the most dangerous. Build account removal into your termination process and actually follow it.

Everyone is an administrator. When employees can install anything they want and change any setting, you've lost control. Most people should be standard users. It takes more effort to manage, but it prevents a lot of problems.

No documentation of who has access to what. You might know in your head who can access what, but can you prove it? Can someone else figure it out if you're not available? Documentation matters for compliance—and for running your business smoothly.
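As an added example (not part of the CMMCheck guide), here is a small Python access-review script that turns the gaps above and the AC.L1-3.1.1 and AC.L1-3.1.2 checks into something you can run: it compares an exported account list against the HR roster and the list of designated administrators, and flags ex-employee accounts that are still enabled, accounts not tied to a named person (shared logins), unapproved administrators, and accounts nobody has used in 90 days. The roster, accounts, user names and the 90-day threshold are constructed sample values.

```python
from datetime import date

# Constructed sample data (not from any real system).
# HR roster: who currently works here and their job function.
HR_ROSTER = {
    "jsmith": {"status": "active", "function": "accounting"},
    "mlee": {"status": "active", "function": "engineering"},
    "rgarcia": {"status": "terminated", "function": "sales"},
    "itadmin": {"status": "active", "function": "it"},
}
# Accounts as exported from the computers / directory.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "admin": False, "last_login": date(2024, 5, 2)},
    {"user": "mlee", "enabled": True, "admin": True, "last_login": date(2024, 5, 3)},
    {"user": "rgarcia", "enabled": True, "admin": False, "last_login": date(2024, 1, 10)},
    {"user": "shopfloor", "enabled": True, "admin": False, "last_login": date(2024, 5, 3)},
    {"user": "itadmin", "enabled": True, "admin": True, "last_login": date(2024, 5, 1)},
]
# People approved to hold administrator rights (hypothetical).
DESIGNATED_ADMINS = {"itadmin"}


def review_accounts(accounts, roster, designated_admins, today, stale_days=90):
    """Return (user, finding) pairs for the periodic access review."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # Not tied to a named employee: a shared or unknown account.
            findings.append((user, "not_in_roster"))
        elif person["status"] != "active" and acct["enabled"]:
            # Termination checklist was not followed.
            findings.append((user, "terminated_still_enabled"))
        if acct["admin"] and user not in designated_admins:
            # Admin rights outside the approved list.
            findings.append((user, "unapproved_admin"))
        if acct["enabled"] and (today - acct["last_login"]).days > stale_days:
            findings.append((user, "stale_login"))
    return findings


def review_record(findings, today):
    """Dated summary lines to keep as evidence that the review happened."""
    header = f"Access review {today.isoformat()}: {len(findings)} finding(s)"
    return [header] + [f"  {user}: {finding}" for user, finding in findings]


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, HR_ROSTER, DESIGNATED_ADMINS, date(2024, 5, 6))
    print("\n".join(review_record(results, date(2024, 5, 6))))
```

Keep the printed record with the date of each review; that is the "records of access reviews" item from the evidence lists.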


How CMMCheck Helps

Access Control might be the first domain, but that doesn't make it simple to assess. Each of the four requirements has specific assessment objectives—detailed questions you need to answer to prove compliance.

CMMCheck walks you through each Access Control requirement with straightforward yes/no questions. No government jargon. No assumed IT knowledge. Just clear questions about what you're actually doing.

For each gap CMMCheck identifies, you get specific guidance on what to implement. Not vague advice, but practical steps a small business can actually take.

If you're ready to assess your Access Control compliance—or your full CMMC Level 1 readiness—try CMMCheck and see exactly where you stand.


This article is part of CMMCheck's Plain English CMMC Level 1 Guide, a complete resource for small businesses navigating DoD cybersecurity requirements.