ILT-U-3896
CMMC Cyber Proficiency Assessment Scheme. Access Control & Authentication Evaluation
DETERMINATION | METHOD |
| Access is limited to authorized users and roles | Review user accounts, roles, and group memberships; verify alignment with job functions (AC.L2-3.1.1, AC.L2-3.1.2) |
| Least privilege is enforced | Analyze privilege assignments and identify over-privileged or inappropriate access (AC.L2-3.1.5, AC.L2-3.1.6) |
| Authentication mechanisms are properly implemented | Evaluate MFA configuration and verify actual usage through logs and user attributes (IA.L2-3.5.2, IA.L2-3.5.3) |
| Remote access is controlled and secured | Assess VPN configuration and correlate with session logs and user access rights (AC.L2-3.1.12, AC.L2-3.1.13) |
| Account lifecycle is properly managed | Identify inactive, contractor, and shared accounts; verify status and usage patterns (AC.L2-3.1.1, IA.L2-3.5.1) |
| Authentication and access controls operate as documented | Compare SSP statements with technical evidence (configs, logs, datasets) (CA.L2-3.12.1) |
| Security controls are effectively enforced in practice | Perform cross-correlation across all evidence sources to validate real system behavior (AC.L2-3.1.8, AU.L2-3.3.1) |
Related products
ILT-U-802
Mobile Application Security Proficiency Test. Aligned with the App Defense Alliance Mobile Application Security Testing Approach
ILT-U-1061
Common Criteria Security Target Evaluation (ASE) for IoT Systems. IoT Common Criteria Proficiency Testing Scheme – Baseline Level
