GRCWatch
Sign inStart free trial

AC.L2-3.1.2: Transaction and Function Control

Controlling what users can do within your systems is critical to CMMC Level 2 compliance. AC.L2-3.1.2 requires you to restrict information system access to only the transactions and functions authorized users are permitted to execute. This prevents unauthorized actions and reduces your attack surface.

What this means

This control ensures that user access is granular and role-based—each authorized user can only perform the specific transactions and functions their job requires. Rather than giving broad system access, you implement controls that prevent users from executing actions outside their authorization scope. This includes limiting administrative functions, financial transactions, data modifications, and other sensitive operations to appropriate personnel only.

How to comply

  1. 1.Define roles and responsibilities for each user type in your organization
  2. 2.Document which transactions and functions each role is authorized to perform
  3. 3.Configure access controls in your systems to enforce role-based permissions
  4. 4.Implement technical controls that prevent unauthorized transaction execution
  5. 5.Restrict administrative functions to designated personnel only
  6. 6.Test access restrictions to verify users cannot execute unauthorized actions
  7. 7.Monitor and audit transaction logs to ensure controls are functioning
  8. 8.Review and update permissions annually or when roles change

Evidence auditors look for

  • Role-based access control (RBAC) matrices showing authorized transactions per role
  • System configuration screenshots showing enforced function restrictions
  • Access control lists (ACLs) limiting transaction types by user group
  • Administrative privilege separation documentation
  • Transaction audit logs demonstrating access control enforcement
  • User access review documentation confirming appropriate authorization levels
  • System testing reports validating unauthorized transactions are blocked
  • Policy documentation on transaction and function authorization procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates role-based access control mapping and generates transaction restriction matrices for your systems, then continuously monitors for unauthorized function attempts and logs evidence for your CMMC assessor.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 — Authorized Access ControlAC.L2-3.1.5 — Access Control Review and AdjustmentSI.L2-3.14.1 — Information System Monitoring