
ILT-U-3911
Identity & Access Control Assessment. Assessment of Access Control and Identification & Authentication Practices aligned with CMMC Level 2 requirements
| DETERMINATION | METHOD |
|---|---|
| Access is limited to authorized users and roles | Review user accounts, roles, and group memberships; verify alignment with assigned responsibilities and access needs (AC.L2-3.1.1, AC.L2-3.1.2) |
| Least privilege is applied to user and system accounts | Analyze privilege assignments and group memberships to identify excessive or inappropriate access rights (AC.L2-3.1.5, AC.L2-3.1.6) |
| Authentication mechanisms are properly implemented and enforced | Evaluate authentication configuration and verify usage through user attributes and authentication logs (IA.L2-3.5.2, IA.L2-3.5.3) |
| Remote access is controlled and secured | Assess remote access configurations and correlate with VPN/session logs and authorized user groups (AC.L2-3.1.12, AC.L2-3.1.13) |
| Account lifecycle is effectively managed | Review account status, creation and last activity data to assess handling of active, inactive, and temporary accounts (AC.L2-3.1.1, IA.L2-3.5.1) |
| Authentication and access controls align with documented policies | Compare SSP statements with configurations, identity data, and observed system behavior (CA.L2-3.12.1) |
| Security controls operate effectively in practice | Perform cross-correlation across datasets, logs, and configurations to evaluate actual control implementation (AC.L2-3.1.8, AU.L2-3.3.1) |
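The methods in the table above describe cross-correlating an identity export with authentication logs. As an added illustration (not part of the assessment document itself), the Python below runs three of those checks over a small, constructed dataset: a least-privilege check on privileged-group membership, an account-lifecycle check for inactive and expired temporary accounts, and a remote-access check that correlates VPN session-start lines with the account records. The record field names, the `Domain Admins`/`VPN-Users` group names, the role-to-group mapping, the 90-day inactivity threshold and the log line format are all assumptions chosen for the example; a real assessment would substitute the organisation's own exports and thresholds.

```python
"""Constructed identity/access assessment checks (sample data, not from any real system)."""
from datetime import date, datetime, timedelta

# Constructed identity export: one record per account. Field names are assumptions.
ACCOUNTS = [
    {"user": "alice", "role": "sysadmin", "groups": {"Domain Admins", "VPN-Users"},
     "enabled": True, "temporary": False, "expires": None, "last_logon": date(2024, 5, 20)},
    {"user": "bob", "role": "accountant", "groups": {"Finance", "Domain Admins"},
     "enabled": True, "temporary": False, "expires": None, "last_logon": date(2024, 5, 18)},
    {"user": "carol", "role": "engineer", "groups": {"Engineering"},
     "enabled": True, "temporary": False, "expires": None, "last_logon": date(2023, 11, 2)},
    {"user": "dave", "role": "contractor", "groups": {"Engineering", "VPN-Users"},
     "enabled": True, "temporary": True, "expires": date(2024, 3, 31), "last_logon": date(2024, 5, 19)},
    {"user": "erin", "role": "engineer", "groups": {"Engineering"},
     "enabled": False, "temporary": False, "expires": None, "last_logon": date(2024, 1, 10)},
]

# Constructed VPN session log (syslog-like key=value lines; the format is an assumption).
VPN_LOG = """\
2024-05-21T08:02:11Z vpn01 session-start user=alice src=203.0.113.10
2024-05-21T08:15:42Z vpn01 session-start user=carol src=198.51.100.7
2024-05-21T09:01:05Z vpn01 session-start user=erin src=203.0.113.44
2024-05-21T09:30:00Z vpn01 session-start user=dave src=198.51.100.20
"""

# Assessor's mapping of privileged groups to the roles that justify membership (assumption).
PRIVILEGED_GROUPS = {"Domain Admins": {"sysadmin"}}
REMOTE_ACCESS_GROUP = "VPN-Users"   # group that authorises remote access (assumption)
INACTIVITY_DAYS = 90                # inactivity threshold used by this example
AS_OF = date(2024, 5, 21)           # assessment date for the constructed data


def least_privilege_findings(accounts=ACCOUNTS):
    """AC.L2-3.1.5 / 3.1.6: members of a privileged group whose role does not justify it."""
    findings = []
    for acct in accounts:
        for group, allowed_roles in PRIVILEGED_GROUPS.items():
            if group in acct["groups"] and acct["role"] not in allowed_roles:
                findings.append((acct["user"], group))
    return findings


def lifecycle_findings(accounts=ACCOUNTS, as_of=AS_OF, inactivity_days=INACTIVITY_DAYS):
    """AC.L2-3.1.1 / IA.L2-3.5.1: enabled accounts that are inactive or past their expiry."""
    findings = []
    cutoff = as_of - timedelta(days=inactivity_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled accounts are not a lifecycle finding here
        if acct["last_logon"] < cutoff:
            findings.append((acct["user"], "inactive"))
        if acct["temporary"] and acct["expires"] and acct["expires"] < as_of:
            findings.append((acct["user"], "expired-temporary"))
    return findings


def parse_vpn_log(text=VPN_LOG):
    """Parse session-start lines into dicts with a timestamp, user and source address."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "session-start":
            continue
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        sessions.append({
            "ts": datetime.fromisoformat(parts[0].replace("Z", "+00:00")),
            "user": fields.get("user"),
            "src": fields.get("src"),
        })
    return sessions


def remote_access_findings(accounts=ACCOUNTS, log_text=VPN_LOG, as_of=AS_OF):
    """AC.L2-3.1.12 / 3.1.13 cross-correlation: VPN sessions that the identity data does not justify."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for s in parse_vpn_log(log_text):
        acct = by_user.get(s["user"])
        if acct is None:
            findings.append((s["user"], "unknown-account"))
        elif not acct["enabled"]:
            findings.append((s["user"], "disabled-account"))
        elif REMOTE_ACCESS_GROUP not in acct["groups"]:
            findings.append((s["user"], "not-in-remote-access-group"))
        elif acct["temporary"] and acct["expires"] and acct["expires"] < as_of:
            findings.append((s["user"], "expired-temporary-account"))
    return findings


if __name__ == "__main__":
    for name, fn in [("least privilege", least_privilege_findings),
                     ("account lifecycle", lifecycle_findings),
                     ("remote access", remote_access_findings)]:
        print(f"{name}: {fn()}")
```

Each function returns evidence tuples rather than a pass/fail verdict, so the output can be attached to the corresponding determination row; the remote-access check deliberately consults the account record (enabled state, group, expiry) for every session so that a finding such as an expired temporary account still opening VPN sessions surfaces from the correlation rather than from either dataset alone.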

