NIST SP 800-171

Control 3.1.1

Limit System Access


Official Requirement

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

What This Means in Plain English

Only people and systems that have been explicitly approved should be able to access your IT systems. Every user, service account, and device must be identified and authorized before gaining access to any system that handles CUI.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Microsoft Entra ID (Azure AD) with role-based access control (RBAC) enforcing least-privilege assignments
  • Multi-factor authentication (MFA) required on all external-facing systems via Conditional Access policies
  • Quarterly access reviews using ComplianceArmor to identify and remove stale accounts
  • Privileged Access Management (PAM) for all administrative accounts with just-in-time elevation
  • Network segmentation using FortiGate firewalls to isolate CUI environments
  • Cisco Meraki device enrollment ensuring only managed devices connect to the network

Assessment Guidance

Assessors will verify that access control policies exist and are enforced, review Active Directory group memberships and RBAC role assignments, test that unauthorized users cannot access CUI systems, verify MFA is enabled on all remote access, and inspect logs showing access request and approval workflows.

Common Implementation Gaps

  • No formal access control policy documented
  • Shared or generic admin accounts without individual accountability
  • Missing MFA on VPN or remote desktop connections
  • No regular access reviews leading to stale accounts
  • Flat network without segmentation between CUI and non-CUI systems
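As an added example that is not Petronella's code and not part of ComplianceArmor, the following Python review takes a constructed directory export and flags three of the gaps listed above: stale accounts, privileged accounts without MFA, and shared admin accounts with no individually accountable owner. The Account fields, the 90-day staleness threshold and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed review threshold: no sign-in for 90 days marks an account stale.
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    """One row of a hypothetical directory export (field names are assumptions)."""
    upn: str
    enabled: bool
    last_sign_in: Optional[datetime]  # None means the account has never signed in
    mfa_registered: bool
    privileged: bool                  # holds an administrative role
    owner: Optional[str]              # named individual accountable for the account


def review_accounts(accounts: List[Account], now: datetime,
                    stale_after: timedelta = STALE_AFTER) -> List[Tuple[str, str]]:
    """Return (upn, finding) pairs for enabled accounts that match a known gap."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts cannot authenticate; out of scope for this check
        if a.last_sign_in is None or now - a.last_sign_in > stale_after:
            findings.append((a.upn, f"stale: no sign-in in {stale_after.days} days"))
        if a.privileged and not a.mfa_registered:
            findings.append((a.upn, "privileged account without MFA"))
        if a.privileged and a.owner is None:
            findings.append((a.upn, "shared/generic admin account with no owner"))
    return findings


# Constructed sample export, not data from any real tenant.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice@example.com", True, NOW - timedelta(days=3), True, False, "Alice"),
    Account("svc-backup@example.com", True, NOW - timedelta(days=200), False, False, "IT Ops"),
    Account("admin@example.com", True, NOW - timedelta(days=1), False, True, None),
    Account("bob@example.com", False, None, False, False, "Bob"),
]

if __name__ == "__main__":
    for upn, finding in review_accounts(SAMPLE, NOW):
        print(f"{upn}: {finding}")
```

Run against the sample, it reports the stale service account once and the ownerless, MFA-less admin account twice, while the disabled account is skipped.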

Cross-Framework Mapping

Framework        Mapped Controls
NIST SP 800-53   AC-2, AC-3, AC-17
HIPAA            164.312(a)(1) - Access Control
PCI DSS          Req 7 - Restrict access to cardholder data by business need to know

Need Help Implementing 3.1.1?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
