Access Control (AC): Strengthening Data Security & User Permissions

All 22 controls in the Access Control family are listed below.

3.1.1

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

NIST 800-171 Control Identifier: 3.1.1
CMMC Control Identifier: AC.L1-3.1.1
Control CMMC Level: 1
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

AC-2: Account Management

AC-3: Access Enforcement

AC-17: Remote Access

Recommended Microsoft Licensing

Level 1: Microsoft 365 Business Premium (includes Azure AD Premium P1, Microsoft Defender, and Intune)

Level 2: Microsoft 365 E5 with GCC High (required for organizations handling CUI)

3.1.2

Limit system access to the types of transactions and functions that authorized users are permitted to execute

NIST 800-171 Control Identifier: 3.1.2
CMMC Control Identifier: AC.L1-3.1.2
Control CMMC Level: 1
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

AC-2: Account Management

AC-3: Access Enforcement

Recommended Microsoft Licensing

Level 1: Microsoft 365 Business Premium (includes Azure AD P1, Microsoft Defender, and Intune)

Level 2: Microsoft 365 E5 with GCC High (if handling CUI or extending to higher-level requirements)

3.1.3

Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations.

NIST 800-171 Control Identifier: 3.1.3
CMMC Control Identifier: AC.L2-3.1.3
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-4: Information Flow Enforcement

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Microsoft Defender for Endpoint P2, Microsoft Purview Information Protection P2, Entra ID P2)

3.1.4

Separate the duties of individuals to reduce the risk of malevolent activity without collusion

NIST 800-171 Control Identifier: 3.1.4
CMMC Control Identifier: AC.L2-3.1.4
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-5: Separation of duties

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Entra ID P2 for Privileged Identity Management and role enforcement necessary for control separation)

3.1.5

Employ the principle of least privilege, including for specific security functions and privileged accounts

NIST 800-171 Control Identifier: 3.1.5
CMMC Control Identifier: AC.L2-3.1.5
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-6: Least Privilege

AC-6 (1): Least Privilege (authorize access to security functions)

AC-6 (5): Least Privilege (privileged accounts)

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Entra ID P2 for Privileged Identity Management and monitoring of privileged access actions)

3.1.6

Use non-privileged accounts or roles when accessing non-security functions

NIST 800-171 Control Identifier: 3.1.6
CMMC Control Identifier: AC.L2-3.1.6
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-6 (2): Least Privilege – Non-privileged access for non-security functions

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Entra ID P2 for privilege separation and PIM enforcement, required to meet CUI-related access control expectations)

3.1.7

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs

NIST 800-171 Control Identifier: 3.1.7
CMMC Control Identifier: AC.2.007
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-6 (9): Least Privilege (Log use of privileged functions)

AC-6 (10): Least Privilege (Prohibit non-privileged users from executing privileged functions)

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Entra ID P2 for privileged access management, Purview Audit for log visibility, and Defender for Identity for behavioral monitoring)

3.1.8

Limit unsuccessful logon attempts through enforced thresholds and account lockout mechanisms.

NIST 800-171 Control Identifier: 3.1.8
CMMC Control Identifier: AC.2.008
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-7: Unsuccessful logon attempts

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High (required for organizations handling CUI)

(includes Entra ID P1/P2 for account lockout policies, Defender for Identity for brute force detection, and Purview Audit for event logging)

3.1.9

Provide privacy and security notices consistent with applicable CUI rules before granting access to the system.

NIST 800-171 Control Identifier: 3.1.9
CMMC Control Identifier: AC.2.009
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-8: System use notification

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Intune and Microsoft Endpoint Manager for policy banners and Purview for compliance notices)

3.1.10

Automatically use a session lock with pattern hiding displays to prevent access and viewing of data after a period of inactivity

NIST 800-171 Control Identifier: 3.1.10
CMMC Control Identifier: AC.2.010
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-11: Session lock

AC-11 (1): Session lock (pattern-hiding displays)

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Microsoft Endpoint Manager for session timeout policies and compliance enforcement across devices)

3.1.11

Automatically terminate a user session after a defined condition such as inactivity timeout, logoff policy, or security event.

NIST 800-171 Control Identifier: 3.1.11
CMMC Control Identifier: AC.L2-3.1.11
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-12: Session termination

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Microsoft Endpoint Manager for session configuration and Conditional Access for automated session enforcement)

3.1.12

Use automated mechanisms to monitor and control remote access sessions, including VPN, remote desktop, and browser-based access to organizational resources.

NIST 800-171 Control Identifier: 3.1.12
CMMC Control Identifier: AC.L2-3.1.12
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-17 (1): Remote access (Automated monitoring/control)

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Defender for Cloud Apps, Purview Audit, and Conditional Access for session monitoring and enforcement)

3.1.13

Employ cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions

NIST 800-171 Control Identifier: 3.1.13
CMMC Control Identifier: AC.L2-3.1.13
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-17 (2): Remote Access - Protection of Confidentiality/Integrity using Encryption

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(supports FIPS-compliant encryption for remote access, TLS enforcement, and device compliance through Microsoft Defender and Intune)

3.1.14

Route all remote access through managed access control points such as VPN gateways, conditional access brokers, or Microsoft Defender for Cloud Apps inspection points.

NIST 800-171 Control Identifier: 3.1.14
CMMC Control Identifier: AC.L2-3.1.14
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-17 (3): Remote Access - Managed Access Control Points

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Conditional Access, Defender for Cloud Apps, and Intune VPN Gateway enforcement for compliant remote session routing)

3.1.15

Authorize and control the remote execution of privileged commands and access to security-relevant information, ensuring such actions are limited to approved users and auditable.

NIST 800-171 Control Identifier: 3.1.15
CMMC Control Identifier: AC.L2-3.1.15
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-17 (4): Remote access (Privileged commands/access)

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Entra ID P2 for Privileged Identity Management, Conditional Access for remote restriction, and Defender for Identity for privileged activity detection)

3.1.16

Authorize wireless access prior to allowing such connections

NIST 800-171 Control Identifier: 3.1.16
CMMC Control Identifier: AC.L2-3.1.16
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-18: Wireless access

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Intune for device configuration, Conditional Access for wireless policy enforcement, and Defender for Endpoint for wireless threat protection)

3.1.17

Protect wireless access using authentication methods that validate user/device identity and encryption that meets FIPS 140-3 standards for confidentiality and integrity.

NIST 800-171 Control Identifier: 3.1.17
CMMC Control Identifier: AC.L2-3.1.17
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-18 (1): Wireless Access - Authentication and Encryption

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Intune for wireless profile enforcement, Entra ID for identity-based access control, and Defender for Endpoint for threat detection and encryption enforcement)

3.1.18

Control connection of mobile devices by requiring authorization, enforcing compliance policies, and restricting access from unmanaged or non-compliant devices.

NIST 800-171 Control Identifier: 3.1.18
CMMC Control Identifier: AC.L2-3.1.18
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-19: Access Control for Mobile Devices

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Intune for mobile device management, Conditional Access for enforcement, and Defender for Endpoint for mobile protection)

3.1.19

Encrypt CUI stored on mobile devices and computing platforms using full-device encryption or container-based protection, with FIPS 140-3 validated cryptographic methods.

NIST 800-171 Control Identifier: 3.1.19
CMMC Control Identifier: AC.L2-3.1.19
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-19 (5): Access Control for Mobile Devices - Full Device/Container-Based Encryption

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Intune for encryption enforcement, Defender for Endpoint for compliance validation, and Purview for CUI protection on mobile apps)

3.1.20

Verify, control, and restrict connections to external systems, including personal devices, third-party services, and unmanaged cloud environments, ensuring such use is explicitly authorized and monitored.

NIST 800-171 Control Identifier: 3.1.20
CMMC Control Identifier: AC.L2-3.1.20
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-20: Use of external systems

AC-20 (1): Use of external systems (limits on authorized use)

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Conditional Access for device and app restrictions, Defender for Cloud Apps for shadow IT detection, and Intune for mobile and endpoint enforcement)

3.1.21

Limit use of portable storage devices on external or unmanaged systems to prevent unauthorized transfer or exposure of CUI. Enforcement should include device control policies and DLP monitoring.

NIST 800-171 Control Identifier: 3.1.21
CMMC Control Identifier: AC.L2-3.1.21
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-20 (2): Use of External Systems - Portable Storage Devices

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Intune for USB restrictions, Defender for Endpoint for device control, and Purview DLP for portable media monitoring and policy enforcement)

3.1.22

Control CUI posted or processed on publicly accessible systems

NIST 800-171 Control Identifier: 3.1.22
CMMC Control Identifier: AC.L2-3.1.22
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

AC-22: Publicly accessible content

Recommended Microsoft Licensing

Microsoft 365 E5 with GCC High

(includes Purview DLP for content inspection, Information Protection for CUI labeling, and Defender for Cloud Apps for external sharing governance)
