Solutions - CMMC Level 2

Access control your CMMC assessor can review.

Regulated Access turns controlled-environment access into structured intake, reviewer-driven decisions, screening at submit, and evidence packs for every case.

  • Structured intake
  • Reviewer decisions
  • Evidence packs

Decision before access

Intake, screening, review, approval gate, and evidence export stay on one record.

Control families

Evidenced by product surfaces — not a substitute for assessment

  • AC-3

    Access Enforcement

    Approval gate enforced server-side; unresolved screening risk blocks access.

  • PE-3

    Physical Access Control

    Per-request host and site; site-scoped approvals do not authorize other sites.

  • AU-2

    Audit Events

    Every privileged action emits one audit row through a strict, PII-free schema.

  • AU-12

    Audit Generation

    Append-only, hash-chained log. Updates and deletes blocked by trigger.

  • IA-2

    Identification & Authentication

    Org-configurable MFA policy with assurance-level gating before dashboard access.

Regulated Access is not a CMMC assessment tool, has not been validated against any practice set, and does not generate C3PAO-ready artifacts. This map describes which control surfaces the product evidences in day-to-day use.

AC.3.017 and AC.2.006

What CMMC Level 2 access control requires

CMMC Level 2 AC practices require organizations to define who may access CUI environments, document the basis for that access, and maintain the evidence to support it. The assessment objective is that decisions are intentional, documented, and auditable — not managed by spreadsheet or email thread.

The challenge is that most access decisions happen under time pressure: a contractor starts next week, a visitor is scheduled for Thursday. Regulated Access gives the access control team a structured intake form, a reviewer queue with decision states, and an evidence pack exportable on demand — before, during, or after an assessment.

Product surface

The workflow, mapped to CMMC

Step 1

Structured intake

Subject identity, citizenship, host and site, access scope, and supporting documents captured in a six-step form. Drafts autosave. Passport plaintext is single-use — the server returns last-4 only after submission.

Step 2

Reviewer-driven decisions

Cases route to a reviewer queue with open / in-review / decision states. Reviewers add notes, request information, issue conditional approvals, and set time-based expirations. Self-review is blocked server-side.

Step 3

Screening at submit

The screening workflow is built around OFAC SDN, BIS Entity/Denied Person/Unverified/MEU, and DDTC debarred source families. Real provider activation remains deployment-gated; when configured, unresolved matches block approval through the database gate, not the UI.

Step 4

Evidence packs

Each case exports a JSON manifest, an optional PDF summary, and an optional ZIP package. The manifest covers the full decision chain — intake, reviewer actions, screening results, and audit events — without raw PII.
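The two server-side gates named in Step 2 (self-review blocked) and Step 3 (unresolved screening matches block approval) are the kind of rule that belongs in the database rather than the UI. The following is an added example, not the product's own schema or code: it builds a minimal SQLite model with two `BEFORE UPDATE` triggers and shows that the gates hold regardless of which client issues the update. Table and column names, the `user-…` identifiers and the `OFAC_SDN` source label are constructed for illustration.

```python
import sqlite3

# Constructed schema for this example; the product's own tables are not shown on the page.
SCHEMA = """
CREATE TABLE cases (
    id        INTEGER PRIMARY KEY,
    submitter TEXT NOT NULL,
    reviewer  TEXT,
    status    TEXT NOT NULL DEFAULT 'open'
              CHECK (status IN ('open', 'in_review', 'approved', 'denied'))
);
CREATE TABLE screening_matches (
    id       INTEGER PRIMARY KEY,
    case_id  INTEGER NOT NULL REFERENCES cases(id),
    source   TEXT NOT NULL,           -- e.g. 'OFAC_SDN' (constructed label)
    resolved INTEGER NOT NULL DEFAULT 0
);
-- Gate 1: the submitter of a case can never be assigned as its reviewer.
CREATE TRIGGER block_self_review
BEFORE UPDATE OF reviewer ON cases
WHEN NEW.reviewer IS NOT NULL AND NEW.reviewer = NEW.submitter
BEGIN
    SELECT RAISE(ABORT, 'self-review blocked');
END;
-- Gate 2: approval is refused while any screening match on the case is unresolved.
CREATE TRIGGER block_unresolved_approval
BEFORE UPDATE OF status ON cases
WHEN NEW.status = 'approved'
 AND EXISTS (SELECT 1 FROM screening_matches
             WHERE case_id = NEW.id AND resolved = 0)
BEGIN
    SELECT RAISE(ABORT, 'unresolved screening match');
END;
"""


def new_db():
    """Create an in-memory database carrying the tables and both gate triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def try_update(conn, sql, params):
    """Run one UPDATE inside a transaction.

    Returns None when the update commits, or the trigger's abort message when a
    gate refused it (the transaction is rolled back in that case).
    """
    try:
        with conn:
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:  # RAISE(ABORT, ...) surfaces here
        return str(exc)


def demo():
    """Walk one case through both gates and return what each attempt produced."""
    conn = new_db()
    conn.execute("INSERT INTO cases (id, submitter) VALUES (1, 'user-alice')")
    conn.execute("INSERT INTO screening_matches (case_id, source) VALUES (1, 'OFAC_SDN')")
    conn.commit()

    assign = "UPDATE cases SET reviewer = ?, status = 'in_review' WHERE id = 1"
    approve = "UPDATE cases SET status = 'approved' WHERE id = 1"
    results = {}

    # The submitter tries to review their own case: refused by Gate 1.
    results["self_review"] = try_update(conn, assign, ("user-alice",))
    # A different reviewer takes the case: allowed.
    results["peer_review"] = try_update(conn, assign, ("user-bob",))
    # Approval with an open screening match: refused by Gate 2.
    results["approve_unresolved"] = try_update(conn, approve, ())
    # The reviewer resolves the match, then approval goes through.
    conn.execute("UPDATE screening_matches SET resolved = 1 WHERE case_id = 1")
    conn.commit()
    results["approve_resolved"] = try_update(conn, approve, ())
    results["final_status"] = conn.execute(
        "SELECT status FROM cases WHERE id = 1").fetchone()[0]
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Because the rule lives in a trigger, an application bug, a direct database client or a forgotten UI check all hit the same refusal; the only way past it is to resolve the screening row, which is itself an auditable action.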

AC.3.021 — Audit

Audit trail your assessor can read

Every action in Regulated Access appends one row to a hash-chained audit log. Rows are append-only by design — updates and deletes raise an exception even from elevated service contexts. Each row carries a SHA-256 link to the previous row in the same tenant, so a tampered or deleted entry breaks the chain detectably.

The audit schema carries no PII: names, emails, passport fields, document filenames, IP addresses, and user-agent strings are banned columns. What the audit log does carry: who acted, in what role, on which case, what the outcome was, and when — plus the hash chain to prove the record has not been touched.
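To make the two properties above concrete (a per-tenant SHA-256 hash chain that exposes tampering or deletion, and a schema that rejects PII columns at write time), here is an added example; it is not the product's code and the product's actual column names are not on the page. The allow-list and ban-list of column names, the `tenant_id`/`actor_id`/`case_id` values and the in-memory list used as a store are all constructed for illustration; in the product, the page says, update and delete are blocked by a database trigger, which a Python list cannot reproduce, so the example instead shows what `verify()` reports once a row has been altered or removed.

```python
import hashlib
import json

# Constructed column policy for this example. The audit row carries only
# who acted, in what role, on which case, the outcome and when.
ALLOWED_COLUMNS = {"tenant_id", "actor_id", "actor_role", "case_id",
                   "action", "outcome", "occurred_at"}
BANNED_COLUMNS = {"name", "email", "passport_number", "document_filename",
                  "ip_address", "user_agent"}
GENESIS = "0" * 64  # prev_hash of the first row in each tenant's chain


def row_hash(prev_hash, row):
    """SHA-256 over the previous row's hash plus a canonical encoding of this row."""
    payload = json.dumps(row, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self):
        self._rows = []  # each entry: row columns + prev_hash + row_hash

    def append(self, **row):
        """Validate the row against the column policy, then chain and store it."""
        cols = set(row)
        banned = cols & BANNED_COLUMNS
        if banned:
            raise ValueError(f"PII column(s) rejected: {sorted(banned)}")
        unknown = cols - ALLOWED_COLUMNS
        if unknown:
            raise ValueError(f"unknown column(s): {sorted(unknown)}")
        missing = ALLOWED_COLUMNS - cols
        if missing:
            raise ValueError(f"missing column(s): {sorted(missing)}")
        prev = self._last_hash(row["tenant_id"])
        entry = dict(row, prev_hash=prev, row_hash=row_hash(prev, row))
        self._rows.append(entry)
        return entry["row_hash"]

    def _last_hash(self, tenant_id):
        for entry in reversed(self._rows):
            if entry["tenant_id"] == tenant_id:
                return entry["row_hash"]
        return GENESIS

    def verify(self, tenant_id):
        """Recompute one tenant's chain. Returns (True, None) or (False, index of first bad row)."""
        prev = GENESIS
        for i, entry in enumerate(self._rows):
            if entry["tenant_id"] != tenant_id:
                continue
            body = {k: v for k, v in entry.items() if k not in ("prev_hash", "row_hash")}
            if entry["prev_hash"] != prev or row_hash(prev, body) != entry["row_hash"]:
                return False, i
            prev = entry["row_hash"]
        return True, None


def sample_log():
    """Three constructed rows for one tenant."""
    log = AuditLog()
    for n, (action, outcome) in enumerate(
            [("case.submit", "submitted"), ("case.review", "in_review"),
             ("case.approve", "approved")]):
        log.append(tenant_id="tenant-1", actor_id=f"user-{n}", actor_role="reviewer",
                   case_id="case-7", action=action, outcome=outcome,
                   occurred_at=f"2024-01-0{n + 1}T00:00:00Z")
    return log


def demo_pii_rejection():
    """Return the error message produced when an email column is written."""
    try:
        AuditLog().append(tenant_id="tenant-1", email="someone@example.invalid")
    except ValueError as exc:
        return str(exc)
    return None


def demo_tamper():
    """Return verification results before and after editing a stored row in place."""
    log = sample_log()
    intact = log.verify("tenant-1")
    log._rows[1]["outcome"] = "denied"  # simulate an out-of-band edit
    return intact, log.verify("tenant-1")


def demo_delete():
    """Return the verification result after a middle row is removed."""
    log = sample_log()
    del log._rows[1]  # simulate an out-of-band delete
    return log.verify("tenant-1")


if __name__ == "__main__":
    print(demo_pii_rejection())
    print(demo_tamper())
    print(demo_delete())
```

Note that the chain only proves integrity relative to its own head: an attacker who can rewrite every later row could rebuild it, which is why the page pairs the hash chain with an append-only store that refuses updates and deletes at the database layer.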

IA.3.083 — Authenticators

MFA for reviewer and admin roles

Regulated Access supports per-org MFA policy configuration. When your policy requires a verified second factor, the product redirects unverified sessions to the MFA enrollment page before any product surface is reachable. TOTP is supported with any standards-compliant authenticator app. The gate evaluates the session assurance level against the configured policy — no identity provider is exempt by default.

Scope

Where this fits in your CMMC program

SecurePoint Regulated Access supports CMMC Level 2 evidence preparation by giving the access control team a structured workflow and a self-contained evidence record for every access decision — the kind of documentation a reviewer can read without needing a spreadsheet decoder.

The product itself is access-decision infrastructure, not a CMMC assessment tool. C3PAO-ready assessment artifacts and full boundary packages are produced through a customer-specific compliance mapping engagement. See the security page for current deployment scope.

See it on a sandbox tenant.

We'll walk through the intake wizard, screening gate, reviewer console, and evidence pack export on a live sandbox. Bring a real access scenario — foreign national contractor, third-party researcher, or facility visitor — and we'll model it.