Requirement
FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.I – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Understanding the Requirement
This control requires you to identify who and what is allowed to use your systems and then ensure only those identified users, automated processes, and devices can access them. From the FAR/CMMC perspective, you must be able to show that authorized users are identified, processes acting on behalf of users are identified, and authorized devices (including other systems) are identified — and that access is limited to those identified entities. The guidance below is written for small and medium businesses implementing the FAR 52.204-21 / CMMC 2.0 Level 1 control.
Technical Implementation
- Inventory and authorize: Create and maintain a current inventory of authorized user accounts, service/process accounts, and devices. Store this in a simple System Access Authorizations spreadsheet or a lightweight identity management tool and record the owner and approval source for each entry.
- Formalize account lifecycle processes: Implement documented onboarding and offboarding procedures that require manager/HR approval for account creation and immediate removal or disabling of accounts when an employee departs or changes roles. Automate disabling where possible (for example, via HR integration or a ticketing workflow) to reduce manual delay.
- Use least privilege and service accounts: Ensure user accounts receive only the minimum access required. Separate interactive user accounts from process/service accounts used by scripts or automation; register and document service accounts and restrict their privileges and network access.
- Control device access: Maintain an authorized device list and enforce network access control (NAC) or VLAN segmentation so only managed corporate devices can reach sensitive systems. Block or quarantine unknown MAC addresses at the DHCP/edge switch level and require devices to be registered before granting full access.
- Authentication and access enforcement: Require unique, password-protected accounts and enable multi-factor authentication (MFA) on systems that support it. Use centralized authentication (for example, RADIUS/Active Directory or cloud identity services) so access enforcement and logging are consistent.
- Periodic review and logging: Schedule quarterly reviews of accounts, processes, and device lists to remove unused or unauthorized entries. Log authentication and access attempts so you can detect and investigate unauthorized access quickly.
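As an added example (not part of the original guidance), the following Python script performs the quarterly reconciliation that the inventory, lifecycle, device-control and periodic-review items above call for: it compares the System Access Authorizations spreadsheet (exported as CSV) with the accounts actually enabled in the directory and the MAC addresses seen on the corporate network, and flags anything present without an approved entry, entries whose owner has left, and entries not re-approved within the review window. The CSV column names, account names and MAC addresses are constructed for this example.

```python
import csv
from datetime import date
# Constructed sample of the System Access Authorizations spreadsheet exported as CSV;
# the column names are an assumption for this example.
INVENTORY_CSV = """type,identifier,owner,approver,last_reviewed
user,asmith,asmith,HR-2024-031,2024-03-01
user,bjones,bjones,HR-2024-044,2024-03-01
service,svc_backup,IT,CHG-1187,2024-03-01
device,AA:BB:CC:DD:EE:01,asmith,IT-ASSET-201,2024-03-01
device,aa:bb:cc:dd:ee:02,bjones,IT-ASSET-202,2023-11-15
device,aa:bb:cc:dd:ee:03,dlee,IT-ASSET-203,2024-03-01
"""
# Constructed observed state: enabled logins exported from the directory and MAC
# addresses seen by DHCP on the corporate VLAN.
OBSERVED_ACCOUNTS = {"asmith", "bjones", "cwhite", "svc_backup", "svc_oldreport"}
OBSERVED_DEVICES = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03", "de:ad:be:ef:00:99"}

def load_inventory(csv_text):
    """Parse the exported spreadsheet into row dicts, normalising device MACs to lowercase."""
    rows = list(csv.DictReader(csv_text.splitlines()))
    for row in rows:
        if row["type"] == "device":
            row["identifier"] = row["identifier"].lower()
    return rows

def reconcile(rows, observed_accounts, observed_devices, today_iso, max_age_days=90):
    """Compare the authorization inventory with what is actually present on the systems."""
    today = date.fromisoformat(today_iso)
    users = {r["identifier"] for r in rows if r["type"] == "user"}
    services = {r["identifier"] for r in rows if r["type"] == "service"}
    devices = {r["identifier"]: r for r in rows if r["type"] == "device"}
    observed_devices = {m.lower() for m in observed_devices}
    return {
        # Present on the system with no authorization record: the core AC.L1 gap.
        "unauthorized_accounts": sorted(observed_accounts - users - services),
        "unauthorized_devices": sorted(observed_devices - set(devices)),
        # Authorized on paper but absent from the system: the inventory is out of date.
        "missing_accounts": sorted((users | services) - observed_accounts),
        # Device whose owner is not an authorized user: probably a missed offboarding.
        "orphaned_devices": sorted(m for m, r in devices.items() if r["owner"] not in users),
        # Entries not re-approved within the review window (quarterly by default).
        "stale_entries": sorted(r["identifier"] for r in rows
                                if (today - date.fromisoformat(r["last_reviewed"])).days > max_age_days),
    }

if __name__ == "__main__":
    findings = reconcile(load_inventory(INVENTORY_CSV), OBSERVED_ACCOUNTS, OBSERVED_DEVICES, "2024-05-15")
    for name, items in findings.items():
        print(f"{name}: {items or 'none'}")
```

Each finding maps to an action in the review: disable or formally approve the unauthorized accounts and devices, quarantine the unknown MAC, and re-approve or remove the stale and orphaned entries, recording the approver in the spreadsheet.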
Example in a Small or Medium Business
Midtown Engineering, a 65-person company, maintains a simple System Access Authorizations spreadsheet that lists every employee, approved contractors, service accounts, and all corporate devices. HR sends an onboarding packet that includes a request form; IT creates accounts only after receiving the approved form and records the approver in the spreadsheet. When an employee leaves, HR files a termination notice to IT, and the system admin disables the account at the specified time and records the action. Automated processes such as nightly backup scripts run under dedicated service accounts with restricted privileges and are logged in the inventory. The company enforces device controls by requiring corporate laptops to be enrolled in device management before receiving full network access; a separate guest VLAN provides web-only access to visitors. One afternoon an employee connects a personal laptop and the NAC places it on a quarantine network; IT notifies the user and explains company policy prohibiting personal devices for corporate access. Quarterly, IT and the security lead review the inventory and delete stale accounts and devices, ensuring only authorized users, processes, and devices retain access.
Summary
Meeting AC.L1-B.1.I is a mix of clear policies and simple technical controls: maintain an authoritative list of authorized users, processes, and devices; enforce account lifecycle procedures; restrict access via authentication, segmentation, and device controls; and perform regular reviews and logging. For SMBs, straightforward documentation, consistent onboarding/offboarding, device enrollment, and periodic cleanup provide practical, cost-effective evidence that only authorized entities can access company systems.