NIST 800-171 R-3.1.1
Limit System Access to Authorized Users
Official citation: 3.1.1
Class: core · Severity: critical
Statement of the obligation — verify against source
3.1.1
What it means
Only approved people, the automated processes acting on their behalf, and authorized devices should be able to reach systems that handle CUI — everyone and everything else stays out. In practice this is disciplined account management: deciding who gets an account, what type it is, and what each account may reach, across both internal and external systems. How far an account may go once inside (the specific transactions and functions it can run) is covered by 3.1.2.
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.