Only approved people, processes, and devices can access your CUI systems.
What it actually means
This is the front door. Every account, service, and device that can reach your CUI environment must be one you deliberately approved — and you must be able to show the list. In practice that means a central identity provider, a documented request-and-approval step before access is granted, and only managed/enrolled devices allowed to connect.
Pass or fail — an assessor needs a "yes" to each
- There is an authoritative list of authorized users, processes (service accounts), and devices for the CUI environment.
- Access is granted only after a documented request and approval.
- Only approved/enrolled devices can connect; unknown devices are blocked.
- The authorized list is reviewed periodically and reconciled against HR/onboarding.
What to have ready
- Access-control policy + the authorized-user/device list
- Screenshots of the identity provider (e.g., Entra ID) showing accounts and conditional-access/device rules
- A sample approved access request
- Device-enrollment (MDM) inventory
Where teams trip up
- Shared or generic logins ('frontdesk', 'admin') that aren't tied to a person
- No record of who approved access, or a stale user list
- Personal/unmanaged devices able to reach CUI
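The reconciliation that the pass/fail checklist and the trip-ups above describe, as an added worked example (not code from the page or from any assessor tooling): it cross-checks a constructed identity-provider account list against an HR roster, approval records and an MDM inventory, and flags generic logins, stale accounts, unapproved access and unenrolled devices. All account names, request ids and device ids are hypothetical.

```python
# Added example: reconcile the IdP account list against HR, approvals and MDM.
# All data below is constructed sample input with hypothetical names and ids.

IDP_ACCOUNTS = [
    {"name": "alice", "kind": "user", "owner": "alice", "approval": "REQ-101"},
    {"name": "bob", "kind": "user", "owner": "bob", "approval": "REQ-102"},
    {"name": "carol", "kind": "user", "owner": "carol", "approval": None},
    {"name": "frontdesk", "kind": "user", "owner": None, "approval": "REQ-090"},
    {"name": "svc-backup", "kind": "service", "owner": "bob", "approval": "REQ-077"},
]
HR_ROSTER = {"alice", "bob"}                    # carol has left the company
APPROVALS = {"REQ-101", "REQ-102", "REQ-077"}   # REQ-090 is not on record
MDM_DEVICES = {"LT-0001", "LT-0002"}            # enrolled/managed devices
SIGNIN_DEVICES = {"alice": {"LT-0001"}, "bob": {"LT-0002", "PHONE-X"}}


def reconcile(accounts, roster, approvals, mdm, signins):
    """Return (account, finding) tuples for every gap an assessor would ask about."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        # Every account (user or service) must be tied to a current person.
        if acct["owner"] is None:
            findings.append((name, "no named owner (shared/generic login)"))
        elif acct["owner"] not in roster:
            findings.append((name, "owner not on HR roster (stale account)"))
        # Access must trace back to a documented, approved request.
        if acct["approval"] is None:
            findings.append((name, "no access request recorded"))
        elif acct["approval"] not in approvals:
            findings.append((name, "approval id not in approval records"))
        # Only enrolled devices may reach the CUI environment.
        for dev in sorted(signins.get(name, ())):
            if dev not in mdm:
                findings.append((name, f"sign-in from unenrolled device {dev}"))
    return findings


def passes(findings):
    """The control only passes when the reconciliation comes back clean."""
    return len(findings) == 0


if __name__ == "__main__":
    results = reconcile(IDP_ACCOUNTS, HR_ROSTER, APPROVALS, MDM_DEVICES, SIGNIN_DEVICES)
    for account, finding in results:
        print(f"{account}: {finding}")
    print("PASS" if passes(results) else "FAIL")
```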