CMMC ITAR Access Control Checklist 2026: A Practical Guide

Key Takeaways
- A CMMC ITAR access control checklist maps requirements from both frameworks into a unified set of controls. For most defense contractors, a single strong identity and access management program satisfies the access control obligations of both simultaneously.
- The CMMC AC domain contains 22 requirements at Level 2. Five-point requirements, including AC.L2-3.1.3 and AC.L2-3.1.5, carry maximum SPRS scoring weight and cannot be deferred to a POA&M.
- Shared credentials on production floor terminals create simultaneous failures across the AC domain, the AU domain, and ITAR's deemed export prohibition. One weak access control decision creates exposure under multiple frameworks at once.
- ITAR's deemed export rule makes individual authentication a legal requirement, not just a security best practice. Every unverified access event on a system touching ITAR-controlled technical data is a potential violation.
- Phase 2 enforcement begins November 10, 2026. C3PAO certification becomes mandatory in applicable solicitations on that date. Organizations not actively pursuing certification today face contract ineligibility as Phase 2 solicitations begin appearing.
- CMMC compliance is a continuous program. SPRS scores, SSPs, POA&Ms, and access controls must all be updated as the organization's systems, personnel, and data handling practices change.
A defense subcontractor in Ohio runs a machining facility that produces components for military aircraft. The production floor uses shared terminals where engineers and technicians clock in, pull up technical drawings, and access controlled specifications throughout the shift. Three people share a single login. Nobody intended to create a compliance problem. They just needed the line to keep moving. When a C3PAO assessor arrives and asks for individual-level audit logs showing who accessed controlled unclassified information and when, there are none. The terminal shows one account, hundreds of entries, and zero individual attribution. That is a failing finding across multiple CMMC access control requirements simultaneously, and under ITAR, it may also constitute an unverified access event involving controlled technical data.
This scenario is playing out across the Defense Industrial Base right now. According to DefenseScoop, only 200 defense contractors had completed C3PAO assessments at the start of Phase 1 enforcement in November 2025, while an estimated 80,000 require CMMC Level 2 certification. Phase 2, which makes third-party C3PAO certification mandatory in applicable solicitations, begins November 10, 2026.
A CMMC ITAR access control checklist is a structured framework that maps the access control requirements from both the Cybersecurity Maturity Model Certification and the International Traffic in Arms Regulations into a single set of actionable controls. CMMC governs how defense contractors protect controlled unclassified information through the 110 security requirements in NIST SP 800-171. ITAR governs who is legally permitted to access defense articles, technical data, and related services listed on the US Munitions List. Both frameworks impose access control obligations, and both are enforced, but most compliance guides treat them as separate problems when the access control decisions that satisfy one often satisfy the other.
This blog covers the complete CMMC compliance checklist across all 14 domains, goes deep on the AC domain's 22 requirements, explains the ITAR access control overlap, and shows exactly where defense manufacturing and operational environments break these requirements in ways that standard compliance guides never address.
CMMC ITAR Access Control Checklist
Use this checklist to evaluate your organization's current access control posture against CMMC AC domain requirements and ITAR's identity-based access obligations. Each item maps to one or more CMMC requirements; the sections below explain what each control requires, where defense contractors commonly fall short, and how ITAR's obligations intersect with the same controls.
Quick Scope Check: Who CMMC and ITAR Apply To
CMMC applies to every organization in the Defense Industrial Base that handles Federal Contract Information or Controlled Unclassified Information, including prime contractors, subcontractors, and suppliers at every tier. Approximately 300,000 organizations across the defense supply chain fall under its scope. ITAR applies to any US person or organization that manufactures, exports, or brokers defense articles, defense services, or ITAR-controlled technical data listed on the US Munitions List, regardless of whether they hold a DoD contract. Many defense contractors are subject to both simultaneously, and for those organizations, a unified approach to access control is the most efficient path to compliance with either.
CMMC and ITAR: Two Frameworks, One Access Control Problem
Most compliance guides treat CMMC and ITAR as parallel tracks. In practice, for defense contractors handling both CUI and ITAR-controlled technical data, the access control requirements converge at the same systems, the same terminals, and the same workforce decisions.
What CMMC Requires for Access Control
CMMC's Access Control domain derives directly from NIST SP 800-171. It requires organizations to control who can access systems that contain CUI, enforce least privilege across all user accounts, manage remote access, and maintain individual-level audit logs of every access event. The AC domain contains 22 requirements at Level 2, covering everything from basic account authorization to controlling the flow of CUI across systems and external connections.
What ITAR Requires for Access Control
ITAR takes a different but overlapping approach. Its core access control obligation is identity-based: only US persons may access ITAR-controlled technical data unless a license explicitly authorizes otherwise. This means organizations must know exactly who has access to ITAR-controlled systems and data at all times. They must also document and enforce those access boundaries technically, not just through policy. Granting access to a non-US person on a shared system, even inadvertently through a shared login, constitutes a deemed export under 22 CFR Part 120, carrying significant civil and criminal penalties, including criminal liability of up to 20 years imprisonment.
Where They Overlap and Where They Diverge
Both frameworks require organizations to:
- Know exactly who has access to controlled data at all times
- Enforce individual-level authentication on systems that touch controlled data
- Maintain audit logs that attribute every access event to a specific person
- Remove access immediately when employment or authorization status changes
Where they diverge: CMMC focuses on the security maturity of the controls themselves, verified through assessment against NIST SP 800-171. ITAR focuses on the legal identity of the person accessing the data, enforced through export licensing and citizenship verification. A single strong identity and access management program can satisfy both obligations simultaneously, but a weak one creates exposure under both frameworks at once.
The CMMC Compliance Checklist: All 14 Domains
Access Control (AC)
The AC domain contains 22 requirements at Level 2 and is the highest-weight domain for SPRS scoring. The full breakdown is in the next section.
Audit and Accountability (AU)
- Create and retain system audit logs sufficient to enable monitoring, analysis, investigation, and reporting
- Ensure audit log records contain sufficient detail to reconstruct individual user activity
- Protect audit logs from unauthorized access, modification, and deletion
- Review and analyze audit logs for indicators of inappropriate or unusual activity
- Report findings to designated personnel and retain logs for a minimum defined period
Awareness and Training (AT)
- Ensure all personnel with access to CUI receive security awareness training
- Provide role-based training to users with privileged access or security responsibilities
- Document all training completion with dates and attendee records
Configuration Management (CM)
- Establish and maintain baseline configurations for all systems processing CUI
- Establish and enforce configuration change control processes
- Analyze the security impact of changes before implementation
- Restrict, disable, or prevent the use of nonessential programs, functions, ports, and protocols
- Apply a deny-by-exception policy to prevent the use of unauthorized software
Identification and Authentication (IA)
- Identify all system users, processes, and devices before granting access
- Authenticate all identities before allowing access to CUI systems
- Enforce MFA for all privileged access and remote access to CUI systems
- Employ replay-resistant authentication mechanisms
- Manage CUI system identifiers by disabling inactive accounts and removing terminated user accounts
Incident Response (IR)
- Establish an incident response capability, including policy, procedures, and defined roles
- Track, document, and report incidents affecting CUI
- Test the incident response capability regularly
- Perform post-incident reviews and update the response plan accordingly
Maintenance (MA)
- Perform maintenance on organizational systems and controls
- Provide controls on tools, techniques, mechanisms, and personnel for maintenance
- Ensure that equipment removed for maintenance is sanitized of CUI
- Check media containing diagnostic programs for malicious code before use
Media Protection (MP)
- Protect system media containing CUI, both paper and digital
- Limit access to CUI on system media to authorized users
- Sanitize or destroy system media before disposal or reuse
- Mark media with necessary CUI markings and distribution limitations
- Control access to media containing CUI during transport
Personnel Security (PS)
- Screen individuals before authorizing access to CUI systems
- Ensure that CUI is protected during and after personnel actions such as terminations and transfers
- Include CUI protection requirements in third-party agreements
Physical Protection (PE)
- Limit physical access to CUI systems to authorized individuals
- Escort visitors and monitor visitor activity in areas containing CUI systems
- Maintain audit logs of physical access
- Control and manage physical access devices such as keys and access cards
- Protect and monitor the physical facility and support infrastructure
Risk Assessment (RA)
- Periodically assess the risk to operations, assets, and individuals from the operation of CUI systems
- Scan for vulnerabilities in CUI systems and applications periodically, and when new vulnerabilities are identified
- Remediate vulnerabilities in accordance with risk assessments
Security Assessment (CA)
- Periodically assess the security controls in organizational systems to verify their effectiveness
- Develop and implement a plan of action to correct deficiencies and reduce vulnerabilities
- Monitor security controls on an ongoing basis to ensure continued effectiveness
- Develop, document, and periodically update system security plans
System and Communications Protection (SC)
- Monitor, control, and protect communications at external boundaries and key internal boundaries
- Implement subnetworks for publicly accessible system components
- Deny network communications traffic by default and allow by exception
- Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
- Terminate network connections after a defined period of inactivity
System and Information Integrity (SI)
- Identify, report, and correct information and system flaws in a timely manner
- Provide protection from malicious code at appropriate locations
- Monitor system security alerts and advisories and take action in response
- Monitor CUI systems to detect attacks and indicators of potential attacks
- Identify unauthorized use of CUI systems
The AC Domain Deep Dive: All 22 Access Control Requirements
Level 1 Access Control Requirements (AC.L1)
These two foundational requirements apply to every contractor handling Federal Contract Information and form the baseline that Level 2 builds upon.
AC.L1-3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices, including other systems. In practice: maintain an active account inventory, remove inactive accounts, and verify that every account is tied to a current authorized user or process.
AC.L1-3.1.2: Limit system access to the types of transactions and functions authorized users are permitted to execute. In practice: implement role-based access that restricts what each user can do, not just whether they can log in.
Level 2 Access Control Requirements (AC.L2)
These 20 requirements apply to all contractors handling CUI and form the core of CMMC Level 2 AC domain compliance:
AC.L2-3.1.3: Control the flow of CUI in accordance with approved authorizations. Restrict CUI from moving to systems, networks, or individuals not authorized to receive it.
AC.L2-3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity. No single person should have enough access to execute and conceal a harmful action.
AC.L2-3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts. Users get only the access they need for their job function, nothing more.
AC.L2-3.1.6: Use non-privileged accounts when accessing non-security functions. Privileged accounts are for privileged work only.
AC.L2-3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
AC.L2-3.1.8: Limit unsuccessful logon attempts and enforce lockout mechanisms.
AC.L2-3.1.9: Provide privacy and security notices consistent with CUI rules at system login.
AC.L2-3.1.10: Use session lock with pattern-hiding displays after a period of inactivity.
AC.L2-3.1.11: Terminate sessions after a defined period of inactivity.
AC.L2-3.1.12: Monitor and control remote access sessions.
AC.L2-3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC.L2-3.1.14: Route remote access via managed access control points.
AC.L2-3.1.15: Authorize remote execution of privileged commands and access to security-relevant information only via remote access solutions.
AC.L2-3.1.16: Authorize wireless access before allowing connections and protect those connections using authentication and encryption.
AC.L2-3.1.17: Protect wireless access using authentication and encryption.
AC.L2-3.1.18: Control connection of mobile devices, including manufacturer defaults, configuration requirements, and approved connection methods.
AC.L2-3.1.19: Encrypt CUI on mobile devices and mobile computing platforms.
AC.L2-3.1.20: Verify and control all connections to external systems and cloud services.
AC.L2-3.1.21: Limit use of portable storage devices on external systems.
AC.L2-3.1.22: Control CUI posted or processed on publicly accessible systems.
Highest-Weight AC Requirements and Their SPRS Implications
Under the DoD SPRS Assessment Methodology, five-point requirements are the most critical and cannot be deferred to a Plan of Action and Milestones. AC.L2-3.1.3 (control CUI flow) and AC.L2-3.1.5 (least privilege) both carry maximum weight. A contractor with deficiencies in these two requirements alone can face a SPRS score deduction that signals insufficient cybersecurity posture to contracting officers reviewing bid eligibility.
Where CMMC Access Control Breaks Down in Defense Manufacturing and Operational Environments
This is the section most CMMC compliance guides skip entirely. The requirements are precise on paper. The operational reality inside defense manufacturing facilities, aerospace suppliers, and logistics contractors is something different.
Shared Terminals on the Production Floor
In defense manufacturing environments, CNC machines, quality inspection stations, and production management systems regularly sit in shared spaces where multiple workers use the same terminal across a shift. One engineer logs in at 6 am. Three more use the same session before noon. The system logs one username for all of it.
AC.L1-3.1.1 requires access limited to authorized users. AC.L2-3.1.5 requires least privilege enforced at the individual level. AC.L2-3.1.10 and 3.1.11 require session lock and termination after inactivity. All four of these requirements fail simultaneously when shared credentials are in operational use.
Password-based authentication makes the problem structural. On a busy production floor, requiring workers to re-authenticate with a complex password dozens of times per shift creates friction that teams solve with shared credentials. The compliance control breaks down not because of bad intent but because the authentication mechanism creates a workflow problem that shared logins appear to solve.
For organizations handling ITAR-controlled technical data on those same terminals, the exposure compounds. Every unverified session is a potential deemed export event if the terminal can be accessed by a non-US person. Without per-user, per-session authentication, there is no way to demonstrate that every access was by an authorized US person.
OLOID's passwordless IAM platform was built for exactly this environment. Using badge tap, biometrics, or session-scoped SSO with device trust verification, it enforces per-user, per-session authentication on shared devices across defense manufacturing and operational workplaces. A Zero Trust posture, where every session is independently verified regardless of device history, ensures no session persists beyond the authenticated individual's active presence. This satisfies AC.L1-3.1.1, AC.L2-3.1.5, 3.1.10, and 3.1.11 simultaneously without adding friction to production workflows, and keeps the AU domain audit trail individual-level and assessor-ready.
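The shared-terminal failure described above leaves fingerprints in ordinary authentication logs, and an assessor (or an internal reviewer preparing for one) can find them before the C3PAO does. The following is an added example, not code from the original post or from OLOID; it assumes a constructed, hypothetical log format (timestamp, terminal, account, event, operator badge or "-" when no individual was verified) and an assumed 15-minute inactivity limit. It flags three conditions that map to the requirements discussed: sessions with no individual attribution (AC.L1-3.1.1 and the AU domain), one account logged in concurrently on different terminals (a shared-credential indicator), and idle gaps that exceed the limit with no lock or logout in between (AC.L2-3.1.10 and 3.1.11).

```python
"""Audit-log check for shared-terminal access control gaps (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed organisational inactivity limit for session lock / termination.
MAX_IDLE = timedelta(minutes=15)

# Constructed sample log in a hypothetical format:
#   <ISO timestamp> <terminal> <account> <event> <operator badge or ->
SAMPLE_LOG = """\
2026-03-02T06:00:00 CNC-07 floor-shared LOGIN -
2026-03-02T06:45:00 CNC-07 floor-shared OPEN_DRAWING -
2026-03-02T08:10:00 CNC-07 floor-shared OPEN_DRAWING -
2026-03-02T09:30:00 QA-02 floor-shared LOGIN -
2026-03-02T11:55:00 CNC-07 floor-shared OPEN_DRAWING -
2026-03-02T14:00:00 CNC-07 floor-shared LOGOUT -
2026-03-02T15:00:00 QA-02 floor-shared LOGOUT -
2026-03-02T06:05:00 CNC-03 jdoe LOGIN B1001
2026-03-02T06:20:00 CNC-03 jdoe OPEN_DRAWING B1001
2026-03-02T06:22:00 CNC-03 jdoe LOCK B1001
2026-03-02T06:50:00 CNC-03 jdoe UNLOCK B1001
2026-03-02T06:55:00 CNC-03 jdoe LOGOUT B1001
"""


@dataclass
class Session:
    terminal: str
    account: str
    operator: Optional[str]            # badge of the verified individual, None if unattributed
    start: datetime
    end: Optional[datetime] = None
    events: List[Tuple[datetime, str]] = field(default_factory=list)


def parse_log(text: str):
    """Parse log lines into (timestamp, terminal, account, event, badge) tuples, time-ordered."""
    records = []
    for line in text.strip().splitlines():
        ts, terminal, account, event, badge = line.split()
        records.append((datetime.fromisoformat(ts), terminal, account, event,
                        None if badge == "-" else badge))
    records.sort(key=lambda r: r[0])
    return records


def build_sessions(records) -> List[Session]:
    """Group events into sessions keyed by (terminal, account), from LOGIN to LOGOUT."""
    open_sessions, sessions = {}, []
    for ts, terminal, account, event, badge in records:
        key = (terminal, account)
        if event == "LOGIN":
            s = Session(terminal, account, badge, ts, events=[(ts, event)])
            open_sessions[key] = s
            sessions.append(s)
        elif key in open_sessions:
            s = open_sessions[key]
            s.events.append((ts, event))
            if event == "LOGOUT":
                s.end = ts
                del open_sessions[key]
    return sessions


def _overlaps(a: Session, b: Session) -> bool:
    a_end = a.end or datetime.max
    b_end = b.end or datetime.max
    return a.start < b_end and b.start < a_end


def audit(sessions: List[Session], max_idle: timedelta = MAX_IDLE) -> dict:
    """Return findings keyed by the access control gap they indicate."""
    findings = {"unattributed": [], "concurrent": [], "idle_without_lock": []}
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)
        if s.operator is None:                       # no verified individual behind the session
            findings["unattributed"].append((s.terminal, s.account, s.start))
        for (t0, e0), (t1, _) in zip(s.events, s.events[1:]):
            # A gap after LOCK is fine; a gap after any other event means the session sat open.
            if e0 != "LOCK" and t1 - t0 > max_idle:
                findings["idle_without_lock"].append((s.terminal, s.account, t0, t1))
    for account, sess in by_account.items():
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a.terminal != b.terminal and _overlaps(a, b):
                    findings["concurrent"].append((account, a.terminal, b.terminal))
    return findings


def run_audit(text: str = SAMPLE_LOG) -> dict:
    return audit(build_sessions(parse_log(text)))


if __name__ == "__main__":
    for kind, items in run_audit().items():
        print(f"{kind}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

Run against the constructed log, the shared `floor-shared` account produces every class of finding, while `jdoe`, whose session is badge-attributed and locked when idle, produces none; that contrast is the evidence difference an assessor is looking for.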
The Deemed Export Risk Nobody Talks About
Under 22 CFR Part 120, allowing a non-US person to access ITAR-controlled technical data inside a US facility constitutes a deemed export. This is not a theoretical risk. Defense manufacturers with international workforces, engineering teams with foreign national contractors, and facilities where access is not tightly controlled by individual identity all carry deemed export exposure.
The access control mechanism that prevents deemed exports is the same one CMMC requires: individual authentication tied to a verified identity, with access decisions made at the account level based on documented authorization. A shared terminal login satisfies neither requirement.
Access Termination in High-Turnover Defense Facilities
AC.L1-3.1.1 and the IA domain both require that access is removed when a user is no longer authorized. In defense manufacturing and logistics, shift-based workforces and contractor populations turn over regularly. Manual deprovisioning tied to an IT helpdesk ticket cannot keep pace with same-day separations.
Standing access that outlives authorization is simultaneously a CMMC AC domain finding, an IA domain finding, and, under ITAR, a potential unauthorized access event if the separated individual retains access to ITAR-controlled systems.
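Standing access of this kind is found by reconciling the account directory against the personnel record, which is the same join an assessor performs when sampling terminated users. The following is an added example, not the page's or OLOID's code; the personnel and account records, the system names, and the ITAR-tagged system list are all constructed, and the license reference is a placeholder. It flags three of the conditions discussed in this section and the gap analysis: an enabled account with no individual owner, an enabled account whose owner has a past separation date, and an enabled account that reaches an ITAR-tagged system while its owner is recorded as a non-US person with no license on file.

```python
"""Account-to-person reconciliation for access termination and ITAR person status (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                     # "active" or "separated"
    separated_on: Optional[date]    # HR separation date, if any
    us_person: bool                 # recorded US-person status
    itar_license: Optional[str]     # license reference authorising a non-US person, else None


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]        # None = account is not tied to any individual
    enabled: bool
    systems: Tuple[str, ...]        # systems the account is entitled to reach


# Assumed set of systems tagged as holding ITAR-controlled technical data.
ITAR_SYSTEMS = {"pdm-itar", "cnc-itar-cell"}

# Constructed sample records.
PEOPLE = [
    Person("P100", "active", None, True, None),
    Person("P101", "separated", date(2026, 3, 1), True, None),
    Person("P102", "active", None, False, None),
    Person("P103", "active", None, False, "LICENSE-REF-PLACEHOLDER"),
]
ACCOUNTS = [
    Account("floor-shared", None, True, ("cnc-itar-cell",)),
    Account("rsmith", "P101", True, ("erp",)),
    Account("akumar", "P102", True, ("cnc-itar-cell", "erp")),
    Account("jdoe", "P100", True, ("pdm-itar", "erp")),
    Account("lchen", "P103", True, ("pdm-itar",)),
    Account("old-contractor", "P101", False, ("erp",)),   # already disabled: skipped
]
AS_OF = date(2026, 3, 2)


def reconcile(people: List[Person], accounts: List[Account], as_of: date,
              itar_systems=ITAR_SYSTEMS) -> List[Tuple[str, str, object]]:
    """Return (finding kind, username, detail) for every enabled account that fails a check."""
    findings = []
    by_id = {p.person_id: p for p in people}
    for acct in accounts:
        if not acct.enabled:
            continue                                  # disabled accounts are not standing access
        person = by_id.get(acct.person_id) if acct.person_id else None
        if person is None:
            # No individual behind the account: attribution is impossible (AC.L1-3.1.1, AU).
            findings.append(("NO_INDIVIDUAL_OWNER", acct.username, None))
            continue
        if person.status == "separated" and person.separated_on and person.separated_on <= as_of:
            # Access outliving authorisation (AC and IA domain finding).
            findings.append(("STANDING_ACCESS_AFTER_SEPARATION", acct.username,
                             person.separated_on.isoformat()))
        itar_reach = set(acct.systems) & set(itar_systems)
        if itar_reach and not person.us_person and person.itar_license is None:
            # Non-US person reaching ITAR-tagged systems with no license recorded.
            findings.append(("ITAR_ACCESS_WITHOUT_AUTHORISATION", acct.username, sorted(itar_reach)))
    return findings


def run_reconciliation():
    return reconcile(PEOPLE, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for kind, username, detail in run_reconciliation():
        print(f"{kind:36} {username:14} {detail if detail is not None else ''}")
```

The check is only as good as the two inputs it joins: if the HR export and the directory export are not both current as of the same day, a same-day separation will not appear, which is exactly why the section above argues that ticket-driven deprovisioning cannot keep pace.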
CMMC Phase 2 Enforcement: What the November 2026 Deadline Means for Your Access Controls
Phase 1 enforcement has been active since November 10, 2025. Under Phase 1, CMMC Level 1 and Level 2 self-assessments are a condition of contract award in applicable DoD solicitations. SPRS scores are actively reviewed by contracting officers.
Phase 2 begins approximately November 10, 2026. Under Phase 2, third-party C3PAO certification becomes mandatory in applicable Level 2 solicitations. Organizations that are not certified when a Phase 2 solicitation appears cannot compete for that contract award.
What this means for access controls specifically:
- AC domain deficiencies that can be deferred to a POA&M under self-assessment may not be deferrable under C3PAO assessment
- Five-point AC requirements, including AC.L2-3.1.3 and AC.L2-3.1.5, cannot be POA&M-deferred under any circumstance
- C3PAO assessors will verify the technical implementation of access controls, not just policy documentation
- Individual-level audit logs must exist and must be reviewable as evidence of ongoing compliance
- CMMC Level 2 implementation from a low maturity baseline typically takes 9 to 18 months, meaning organizations that have not started remediation today are running out of runway before Phase 2
Common CMMC Access Control Failures: A Gap Analysis
Use this as a self-assessment. If any of these patterns exist in your organization, the compliance exposure is active:
- Shared credentials on CUI-accessible terminals: Simultaneous failure across AC.L1-3.1.1, AC.L2-3.1.5, and AU domain audit trail requirements. Individual attribution is impossible when multiple workers share a single login, and no passwordless or MFA control is in place to enforce per-session identity verification
- No session lock or automatic timeout on shared workstations: AC.L2-3.1.10 and 3.1.11 violations, commonly found in production floor and logistics environments, where workers step away without terminating sessions
- Terminated or transferred user accounts left active: AC and IA domain finding, one of the most cited gaps in C3PAO assessment prep reviews. Manual deprovisioning processes cannot keep pace with same-day separations in high-turnover defense facilities
- MFA not enforced on privileged accounts: IA domain requirement, now a non-negotiable for Level 2 certification. Privileged access to CUI systems without MFA is an immediate assessor finding with no POA&M deferral path
- SSO deployed without session-level scoping on shared devices: if a single SSO authentication event grants persistent CUI access across multiple users on the same terminal without re-authentication, it does not satisfy individual attribution requirements under AC.L1-3.1.1 and the AU domain
- CUI accessible without individual attribution in logs: AU domain failure, typically downstream of shared credentials or improperly scoped SSO. A log entry tied to a shared account or a single SSO session covering multiple workers is not individual-level attribution
- Zero Trust principles not applied to session management: Organizations that rely on network-level trust rather than per-session identity verification leave AC.L2-3.1.10 and 3.1.11 exposed. Every session must be independently verified, regardless of device or network history
- Non-US persons with unverified access to ITAR-controlled systems: Deemed export risk, outside CMMC scope but consistently surfaced during CMMC assessments as a connected compliance gap. Without per-user authentication, there is no technical proof that every access was by an authorized US person
- Least privilege not enforced at the role level: AC.L2-3.1.5 finding, most common in organizations that assign access by department rather than job function. Passwordless and biometric authentication enforces individual identity, but least privilege must be configured at the access governance layer independently
- SPRS score not current or not reflecting actual AC domain posture: Contracting officers review SPRS scores before award. An inaccurate score also creates False Claims Act exposure, as demonstrated by recent DOJ enforcement actions against defense subcontractors. A score that does not reflect actual implemented controls is both a contracting liability and a legal risk.
Maintaining CMMC Compliance as an Ongoing Program
CMMC compliance is not a certification you achieve and set aside. The ongoing obligations include:
- Annual self-assessment submission to SPRS for Level 1 and applicable Level 2 contractors
- Triennial C3PAO assessment for Level 2 certification
- POA&M management: deficiencies must be tracked, remediated, and closed within 180 days
- Periodic access reviews to catch least privilege drift and over-provisioned accounts
- System Security Plan updates whenever systems, personnel, or processes change materially
- Ongoing ITAR compliance reviews when workforce composition or data handling practices change
Organizations running defense manufacturing and operational environments find that maintaining a clean SPRS score and a current SSP is significantly harder when access controls rely on manual processes and shared credentials. OLOID removes the manual effort from per-session authentication, access deprovisioning, and audit log generation. Whether workers authenticate via badge tap, biometrics, or session-scoped SSO, every CUI access event is tied to a verified individual and logged automatically, giving C3PAO assessors the individual-level evidence trail they require from day one.
FAQs
1. What is the CMMC access control domain?
The CMMC Access Control domain is one of 14 control families in CMMC 2.0, derived from NIST SP 800-171. It contains 2 requirements at Level 1 and 22 requirements at Level 2, governing who can access CUI systems, how they authenticate, and how sessions are managed and terminated.
2. What is the difference between CMMC and ITAR?
CMMC governs how defense contractors protect CUI through cybersecurity controls verified by assessment. ITAR governs who is legally permitted to access defense articles and technical data on the US Munitions List. Most defense contractors handling sensitive technical data are subject to both, and their access control requirements significantly overlap.
3. What are the CMMC Level 2 access control requirements?
CMMC Level 2 requires all 20 AC.L2 requirements from NIST SP 800-171, including least privilege, CUI flow controls, session lock and termination, remote access controls, and mobile device restrictions. These build on the two foundational Level 1 requirements covering basic user authorization and access restrictions.
4. What is a deemed export under ITAR?
A deemed export occurs when a non-US person accesses ITAR-controlled technical data inside the United States. Organizations must verify the identity and citizenship status of every person accessing ITAR-controlled systems, making individual authentication a legal obligation under ITAR, not just a security best practice.
5. What happens if you fail a CMMC assessment?
A failed C3PAO assessment results in a conditional CMMC status. Organizations have 180 days to close outstanding POA&M items and achieve certification. Knowingly submitting inaccurate SPRS scores also creates False Claims Act exposure, as demonstrated by a $4.6 million DOJ settlement against a defense subcontractor in December 2025.
6. Is shared login usage a CMMC violation?
Yes. Shared credentials violate AC.L1-3.1.1, AC.L2-3.1.5, and AU domain requirements simultaneously, making individual attribution impossible.
7. Does ITAR require MFA?
Not by name, but ITAR requires verified identity for every person accessing controlled technical data. MFA is the most defensible way to demonstrate that, especially on shared terminals.
8. Can shared terminals be CMMC compliant?
Yes, if each session is authenticated to an individual user via badge tap, biometrics, or session-scoped SSO. A shared login cannot satisfy AC domain requirements regardless of other controls in place.