PlainAudit

CMMC Access Control: The 22 Requirements That Produce the Most Assessment Failures

Of the 14 families in NIST SP 800-171 Rev 2, Access Control (AC) carries 22 requirements — the largest single family — and produces a disproportionate share of C3PAO findings. Most of the failures aren’t exotic. They’re the same six or seven controls, missed for the same reasons, across small and mid-size defense contractors. This post walks the AC requirements that consistently fail assessments, what causes each failure, and the concrete remediation. The control IDs map to the NIST SP 800-171A assessment objectives a C3PAO will Examine, Interview, and Test.

Quick read: Access Control is the largest CMMC Level 2 domain (22 of 110 requirements) and one of the highest-scoring — the family carries roughly 60 of the 110 available SPRS points based on the NIST SP 800-171A assessment objectives. Six controls produce the bulk of findings: external system connections (3.1.20, 5 points), remote access (3.1.12 and 3.1.13, 5 each), least privilege (3.1.5, 3 points), wireless (3.1.16/17, 5 each), and mobile device control (3.1.18, 5 points). All of these are above the POA&M threshold, so they have to be MET at assessment.

Why Access Control Fails More Than Any Other Domain

Three structural reasons. First, AC has the most requirements (22 vs 9 for Audit and 6 for Maintenance). Second, AC weights heavily toward 3- and 5-point controls under the DoD SPRS scoring methodology, which is what produces the disproportionate score impact. That means an AC gap blows a much bigger hole in your SPRS score than, say, a Personnel Security gap. Third, AC overlaps with operational pain — least privilege constrains how IT does its job, MFA adds friction, and external system rules clash with the way contractors actually use vendor portals. Compliance and ergonomics fight, and ergonomics wins until the assessor shows up.

The failures below cover roughly 70–80% of AC findings in small-business gap assessments. The remediation steps assume you have an SSP in place — if you don’t, see our CMMC SSP template walkthrough first, because every AC remediation has to be documented before the assessor will count it.

Failure 1 — AC.L2-3.1.20: External System Connections (5 points)

What it looks like: a user emails CUI to a personal account to work from home, or saves a CUI document to a vendor portal (Box, Dropbox, OneDrive Personal) that isn’t in your boundary. The C3PAO will Test this by reviewing your DLP logs, email logs, and cloud-access broker data — not by asking you.

Why it happens: the SSP says “CUI may only flow to authorized external systems” but the technical controls don’t enforce it. Users default to whatever tool is convenient. The policy is written; the enforcement isn’t.

How to remediate: pair a written rule with a technical enforcement layer. Block CUI movement to personal email at the gateway. Disable consumer file-sync clients on managed endpoints. If users genuinely need an external file share for CUI, name the specific service in the SSP and document the connection terms. Then Test it yourself before the assessor does — try to send a CUI document to a Gmail address and confirm the gateway blocks it.

Failure 2 — AC.L2-3.1.12 and 3.1.13: Remote Access (5 points each)

What it looks like: a senior engineer connects from home over a personal VPN, or uses an RDP gateway that doesn’t enforce FIPS-validated cryptography, or uses a remote-support tool that isn’t configured for session logging. 3.1.12 requires monitored and controlled remote access; 3.1.13 requires cryptographic mechanisms to protect remote access confidentiality. They’re distinct but commonly fail together.

Why it happens: remote access was set up before CMMC scope was defined, often with a tool the IT team chose for convenience. Switching VPN vendors is disruptive, so the existing tool stays even when it doesn’t meet FIPS or logging requirements.

How to remediate: confirm your remote-access tooling uses a FIPS-validated cryptographic module — check the NIST CMVP validated module list for the specific product and version. Enable session logging that captures user, source IP, session start/end, and commands executed for privileged sessions. Disable split tunneling on the VPN so all traffic during the session traverses the boundary controls. If the current product can’t do these, plan the swap before the C3PAO arrives.

Failure 3 — AC.L2-3.1.5: Least Privilege (3 points)

What it looks like: every user in the CUI environment is a local administrator on their workstation, or shared service accounts have domain admin rights, or developers have production access they don’t need. The assessor Examines your account inventory and asks why a marketing coordinator has access to engineering CUI shares.

Why it happens: account permissions accreted over years. Nobody had time to re-audit. Removing access is socially awkward (“why are you taking my admin rights?”), so it doesn’t happen until compliance forces the issue.

How to remediate: produce a current role-to-access matrix and reconcile it against actual group memberships. Remove local admin rights on workstations and use just-in-time elevation tools for the legitimate cases. Move shared service accounts to managed service accounts with scoped permissions. Re-run the reconciliation quarterly, not once before the assessment. Document the matrix and review cadence in the SSP.
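One way to run the role-to-access reconciliation described above as a repeatable script, written here as an added example rather than PlainAudit's own tooling. The role names, group names and the CSV shape of the membership export (sam, role, semicolon-separated groups) are constructed assumptions; a real run would feed it a scheduled AD group-membership dump.

```python
import csv
import io

# Role-to-access matrix: the groups each role is permitted to hold.
# Roles and group names are constructed for illustration.
ROLE_MATRIX = {
    "engineer":  {"CUI-Engineering-RO", "CUI-Engineering-RW", "VPN-Users"},
    "marketing": {"Marketing-Share", "VPN-Users"},
    "service":   {"Backup-Operators"},
    "sysadmin":  {"Domain Admins", "Workstation-Admins", "VPN-Users"},
}
# Groups that grant elevated rights; only these roles may hold them.
PRIVILEGED_GROUPS = {"Domain Admins", "Workstation-Admins"}
PRIVILEGED_ROLES = {"sysadmin"}

# Constructed membership export (sam, role, semicolon-separated groups),
# the shape an assumed scheduled AD group-membership dump might take.
MEMBERSHIP_EXPORT = """\
sam,role,groups
jdoe,engineer,CUI-Engineering-RW;VPN-Users
mcoord,marketing,Marketing-Share;CUI-Engineering-RO;VPN-Users
svc_backup,service,Backup-Operators;Domain Admins
asmith,sysadmin,Domain Admins;Workstation-Admins;VPN-Users
"""


def reconcile(matrix, export_text, privileged=PRIVILEGED_GROUPS,
              privileged_roles=PRIVILEGED_ROLES):
    """Return (sam, group, reason) findings, sorted so the quarterly artifact diffs cleanly."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        sam, role = row["sam"], row["role"]
        groups = {g for g in row["groups"].split(";") if g}
        allowed = matrix.get(role)
        if allowed is None:
            # An unknown role cannot be reconciled; report it rather than guess.
            findings.append((sam, "*", f"role '{role}' not in matrix"))
            continue
        for group in sorted(groups):
            if group in privileged and role not in privileged_roles:
                findings.append((sam, group, "privileged group outside an admin role"))
            elif group not in allowed:
                findings.append((sam, group, f"not permitted for role '{role}'"))
    return sorted(findings)


if __name__ == "__main__":
    for sam, group, reason in reconcile(ROLE_MATRIX, MEMBERSHIP_EXPORT):
        print(f"{sam},{group},{reason}")
```

Each finding is one (account, group) pair, so the output doubles as the evidence list an assessor can trace back to the matrix in the SSP.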

Failure 4 — AC.L2-3.1.16, 3.1.17, 3.1.18: Wireless and Mobile (5 points each)

What it looks like: the corporate Wi-Fi is shared with the CUI environment, mobile devices accessing CUI aren’t enrolled in MDM, or the guest network and the production network share infrastructure without segmentation. 3.1.16 requires wireless access authorization, 3.1.17 requires authentication and encryption, and 3.1.18 controls mobile device connection.

Why it happens: small businesses often have one Wi-Fi network because two networks meant two pieces of equipment. Mobile device management is treated as an Apple/Android problem rather than a CMMC problem. The contractor’s actual setup grew organically; CMMC requires the kind of segmentation that costs money to retrofit.

How to remediate: separate wireless SSIDs at minimum — ideally on separate VLANs — with the CUI SSID restricted to authorized devices using 802.1X with certificates, not pre-shared keys. Enroll every device that touches CUI in MDM with conditional access policies that block jailbroken/rooted devices and require FIPS-validated encryption at rest. If a user wants to read CUI email on their personal phone, they enroll the phone or they don’t read it.

Failure 5 — AC.L2-3.1.1 and 3.1.2: Authorized Users and Transactions (5 points each)

What it looks like: the user inventory doesn’t match Active Directory, terminated employees still have active accounts, contractors are mixed in with employees without a separate identity boundary, or there’s no documented process linking HR onboarding/offboarding to system access changes. 3.1.1 limits access to authorized users; 3.1.2 limits access to authorized transactions and functions.

Why it happens: account management is a process gap, not a tooling gap. HR uses one system, IT uses another, and the bridge is a person who sends emails. When that person is on vacation, accounts stay open for weeks after termination.

How to remediate: connect HR offboarding to identity provider deprovisioning through automation (SCIM, HRIS integration, or scheduled scripts). Run a monthly reconciliation report comparing active AD accounts to the HR roster and flag mismatches. Document the workflow in the SSP, including the role responsible at each step. A consistent monthly artifact is what the assessor wants to see — not a one-time cleanup before the assessment.

Failure 6 — AC.L2-3.1.22: Publicly Accessible Systems (1 point)

What it looks like: a marketing intern publishes a customer case study to the company website that includes a redacted technical drawing — except the redaction is a black PDF overlay, not flattened, and the original text is recoverable. Or a sales engineer posts a screenshot of a customer’s production environment to a public LinkedIn post. 3.1.22 requires control of CUI posted on publicly accessible systems.

Why it happens: people who don’t handle CUI day-to-day don’t know what counts as CUI. Marketing and sales teams have publish permissions that compliance and engineering don’t supervise.

How to remediate: train every employee who has publish access on what CUI looks like in your specific business context (export-controlled drawings, contract data, technical specs). Add a content-review step that catches CUI before public release. The 1-point score makes this look low-priority, but an unredacted CUI disclosure can trigger a CUI spill notification — and depending on the incident scope, a DFARS 252.204-7012 reportable cyber incident with a 72-hour clock — which is a different and much larger problem.

Spot-Check Your AC Posture Before the Assessment

Run these six tests against your environment before you schedule a C3PAO:

  1. Send a CUI document from a workstation to a Gmail address. The gateway should block it. If it doesn’t, 3.1.20 will fail.
  2. Pull your AD user export and compare it to the HR roster. Every account on AD that isn’t on the HR roster needs an explanation (contractors, service accounts) or a deletion. 3.1.1 fails on the gaps.
  3. Check the CMVP list for your VPN product and version. If it’s not validated, 3.1.13 fails regardless of how the SSP describes it.
  4. List every workstation where a user is in the local Administrators group. Each one is a 3.1.5 finding waiting to be written up.
  5. Walk to the wireless access points and read the SSIDs. If CUI users connect to the same SSID as guests, 3.1.16 fails.
  6. Inventory phones and tablets that receive CUI email. Compare to your MDM enrollment list. Any device on email that isn’t in MDM fails 3.1.18.
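The monthly AD-to-HR-roster reconciliation from Failure 5 (and spot-check 2 above), as an added example that is not PlainAudit's code. It assumes three constructed CSV inputs: an AD user export (sam, enabled), the HR roster (sam, status), and a documented exception list for service accounts and contractors with an owner and an expiry date, so that accounts HR does not own still get re-justified.

```python
import csv
import io
from datetime import date

# Constructed AD export: the shape an assumed scheduled user dump might take.
AD_EXPORT = """\
sam,enabled
jdoe,True
bgone,True
svc_backup,True
cvendor,True
tstale,True
"""
# Constructed HR roster: employees and their status as of this run.
HR_ROSTER = """\
sam,status
jdoe,active
bgone,terminated
"""
# Documented exceptions for accounts HR does not own: service accounts and
# contractors, each with an owner and an expiry so they get re-justified.
EXCEPTIONS = """\
sam,kind,owner,expires
svc_backup,service,it-ops,2099-12-31
cvendor,contractor,eng-lead,2020-01-31
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(ad_text, hr_text, exc_text, today):
    """Return sorted (sam, finding) pairs for the monthly 3.1.1 artifact."""
    roster = {r["sam"]: r["status"] for r in _rows(hr_text)}
    exceptions = {r["sam"]: r for r in _rows(exc_text)}
    findings = []
    for r in _rows(ad_text):
        sam, enabled = r["sam"], r["enabled"].lower() == "true"
        if not enabled:
            continue  # a disabled account is not an access path; nothing to flag
        if sam in roster:
            if roster[sam] != "active":
                findings.append((sam, f"enabled but HR status is '{roster[sam]}'"))
        elif sam in exceptions:
            exp = date.fromisoformat(exceptions[sam]["expires"])
            if exp < today:
                findings.append((sam, f"{exceptions[sam]['kind']} exception expired {exp}"))
        else:
            findings.append((sam, "enabled account not on HR roster or exception list"))
    return sorted(findings)


if __name__ == "__main__":
    for sam, finding in reconcile(AD_EXPORT, HR_ROSTER, EXCEPTIONS, date.today()):
        print(f"{sam},{finding}")
```

Keeping each month's output under version control gives the assessor the run-to-run history the text says they want, not a single cleanup snapshot.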

If multiple tests fail, prioritize by point value — the 5-point items first. None of these can ride on a POA&M, so each one has to be MET at assessment day. Our step-by-step gap analysis covers the broader sort-and-prioritize process, and the CMMC readiness quiz includes the AC domain questions if you want a structured walk-through with SPRS scoring. For the relationship between findings and overall score impact, the readiness assessment gap distribution shows where most small contractors land.