“Limit information system access to the types of transactions and functions that authorized users are permitted to execute.” - NIST SP 800-171 Rev. 2, 3.1.2
But understanding it is one thing. Documenting it, enforcing it, and owning it within the shared responsibility model is another.
Control 3.1.2 requires you, the Organization Seeking Certification (OSC), to ensure users are limited to only the transactions and functions necessary for their roles.
This is a subtle but important distinction: it’s not enough to restrict who has access—you also need to define what they can do once they’re in.
During an assessment, the C3PAO will review how your organization enforces access control based on user roles and job functions. We’ll look for evidence that:
We’ll also look at who makes the decisions about those roles and access levels. That’s where leadership comes in.
It’s common to see MSPs or consultants managing user accounts and permissions, but they can only act based on what your organization decides. If everyone in your company is set up as a “Global Admin,” or if access levels don’t align with job duties, that’s not a technical failure, it’s an organizational one.
The assessor’s role is to confirm that your internal process drives those access decisions, not the convenience of an external provider.
Access control begins with role definition, not configuration.
Leadership decides:
Those decisions should be captured in policy and mirrored in your IT configurations. If your MSP or IT provider maintains your systems, your Shared Responsibility Matrix (SRM) should clearly show that you define access roles and they enforce them.
That clarity is critical during an assessment. When we see mismatches, like the OSC saying IT “handles access” while IT says “we follow what HR tells us,” it’s a sign that responsibilities aren’t clearly documented.
As a leader, your role is to make sure those boundaries are visible, agreed upon, and accurate.
The principle of least privilege isn’t just a technical rule, it’s a risk management decision.
Too much access can lead to accidents, breaches, or insider threats. Too little access can disrupt productivity and morale. Your leadership team’s challenge is to find that balance—and to document how those decisions are made.
Good access control policies should answer these questions:
When your C3PAO sees those answers reflected in both policy and evidence, it demonstrates maturity—not just compliance.
This control shows the heart of shared responsibility. Your provider can configure permissions, but your organization defines what’s right.
If your access model doesn’t match your structure or policies, it’s a signal that decisions are happening without oversight. And in compliance, that’s where findings appear.
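As an added illustration (not code from the original post), here is a small Python reconciliation check of the kind a leadership review could run: a leadership-defined role matrix is compared against an exported list of account assignments, and the script reports any function granted beyond a user’s role, any account whose role is not defined in policy, and every holder of a high-privilege function such as Global Admin. The role names, functions and accounts below are constructed samples, not from any real tenant.

```python
# Leadership-defined role matrix (constructed sample): role -> functions the role may perform.
ROLE_MATRIX = {
    "Contracts Lead": {"read_cui", "edit_contracts"},
    "Engineer": {"read_cui", "edit_designs"},
    "IT Admin": {"read_cui", "manage_users", "global_admin"},
}

# Constructed export of the current configuration: user -> (assigned role, functions actually granted).
ASSIGNMENTS = {
    "alice": ("Contracts Lead", {"read_cui", "edit_contracts"}),
    "bob": ("Engineer", {"read_cui", "edit_designs", "global_admin"}),
    "carol": ("Engineer", {"read_cui"}),
    "dave": ("Finance", {"read_cui"}),
}


def find_excess_privileges(role_matrix, assignments):
    """Return {user: functions granted beyond what the user's role authorizes}.

    A role that policy never defined authorizes nothing, so every function
    granted to such an account is reported as excess.
    """
    findings = {}
    for user, (role, granted) in assignments.items():
        allowed = role_matrix.get(role, set())
        excess = set(granted) - allowed
        if excess:
            findings[user] = excess
    return findings


def find_undefined_roles(role_matrix, assignments):
    """Accounts whose assigned role does not appear in the leadership-defined matrix."""
    return sorted(user for user, (role, _) in assignments.items() if role not in role_matrix)


def privileged_function_holders(assignments, function="global_admin"):
    """Accounts holding a high-privilege function, for the periodic privilege review."""
    return sorted(user for user, (_, granted) in assignments.items() if function in granted)


if __name__ == "__main__":
    for user, excess in find_excess_privileges(ROLE_MATRIX, ASSIGNMENTS).items():
        print(f"{user}: granted beyond role -> {sorted(excess)}")
    print("undefined roles:", find_undefined_roles(ROLE_MATRIX, ASSIGNMENTS))
    print("global_admin holders:", privileged_function_holders(ASSIGNMENTS))
```

Each finding maps to a decision leadership must own: either the policy is updated to authorize the function, or the configuration is corrected to match the policy.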
When leadership actively participates in defining roles, approving access, and reviewing privileges, your organization moves beyond “checking boxes” to building a sustainable compliance culture.
The takeaway:
Your IT team enforces controls, but your leadership defines the rules.
That distinction might sound small, but it’s what C3PAOs look for first.