This is the first NIST Control. Has your company set this up along with the corresponding evidence to confirm implementation?
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Application services that are installed on system components along with their login IDs are identified in the inventory spreadsheet (3.1.1[b])
3.1.1[a]: authorized users are identified.
3.1.1[b]: processes acting on behalf of authorized users are identified.
3.1.1[c]: devices (and other systems) authorized to connect to the system are identified.
3.1.1[d]: system access is limited to authorized users.
3.1.1[e]: system access is limited to processes acting on behalf of authorized users.
3.1.1[f]: system access is limited to authorized devices (including other systems).
Does the company use passwords?
Does the company have an authentication mechanism?
Does the company require users to log on to gain access?
Are account requests authorized before system access is granted?
Does the company maintain a list of authorized users, defining their identity and role and sync with system, application, and data layers?