These pages cover the CMMC Level 2 practices that I’ve seen cause the most problems in real assessments. Most of them aren’t technically complex. They’re just hard to articulate when you’re sitting across from an assessor.
Each page follows the same structure: what the assessor is actually looking for, what a realistic SSP definition looks like, how to present your evidence, what gets flagged, and how shared responsibility works if you use an MSP or MSSP.
I’m adding new practices regularly.
AC.L2-3.1.1: Authorized Access Control
Limit system access to authorized users, processes acting on behalf of authorized users, and devices, and explain how you prove it.