CMMC Level 1 Requirement | AC.L1-B.1.II – Transaction & Function Control (FCI Data)

What Is AC.L1-B.1.II – Transaction & Function Control?

Under the Cybersecurity Maturity Model Certification (CMMC) Level 1, the control AC.L1-B.1.II requires organizations to limit information system access to the types of transactions and functions that authorized users are permitted to execute. This is part of the access control family and is meant to protect Federal Contract Information (FCI) — any non-public information provided by or developed for the government under a contract. In simpler terms, even after someone is authorized to access a system, they should only be able to do what their job requires — nothing more. This helps prevent accidental or intentional misuse of sensitive contract information.

Why This Matters for Small Businesses

Small businesses working with the Department of Defense (DoD) often handle sensitive contract-related data, even if it's not classified. Improper access could lead to leaks, compliance failures, or even loss of business. Implementing role-based access ensures that people only see and do what they need to — reducing the risk of exposure.

Luckily, this doesn't require expensive tools or complex systems. Many small businesses already use platforms, like Microsoft 365, that support role-based permissions out of the box.

How to Meet This Requirement: A Step-by-Step Guide

Define Roles Based on Job Functions: Determine what each role needs to access. A Contract Manager might need to view/edit contract files, while Finance might only need read access for invoicing.

Identify Required Transactions or Functions per Role: Determine what each role needs to access. A Contract Manager might need to view/edit contract files, while Finance might only need read access for invoicing.

Assign Permissions in Your Systems: Use built-in access control features in your software (e.g., Microsoft SharePoint, Teams, or file servers) to assign specific capabilities to each role.

Document the Access Structure: Keep a simple spreadsheet or chart that outlines who has access to what and why. This is helpful during audits or assessments.

Review Access Regularly: Periodically check that permissions are still appropriate, especially when staff change roles or leave the company.

Real-World Example

You supervise the team that manages DoD contracts for your company. Members of your team need to access the contract information to perform their work properly. Because some of that data contains FCI, you work with IT to set up your group’s systems so that users can be assigned access based on their specific roles. Each role limits what users can view or change. For example, contract administrators can view and edit contract documents, while project coordinators can only view them. This setup helps ensure that FCI is accessed and modified only by people who are authorized to do so.

Final Thoughts

CMMC Level 1 is all about building a foundation of cybersecurity hygiene. AC.L1-B.1.II may sound technical, but at its core, it’s about common-sense access management — ensuring that people can do their jobs without putting FCI at unnecessary risk. By setting up simple role-based controls, even the smallest businesses can meet this requirement confidently and cost-effectively.