It is usually easier to understand how the NTP can be secured with the help of an ACL by means of a configuration example.

Configuration example:

! Core configuration
ntp update-calendar
! update hardware clock (certain hardware only, i.e. 6509s)
ntp server
! a time server you sync with
ntp peer
! a time server you sync with and allow to sync to you
ntp source Loopback0
! we recommend using a loopback interface for sending NTP messages if possible
! NTP access control
ntp access-group query-only 1
! deny all NTP control queries
ntp access-group serve 1
! deny all NTP time and control queries by default
ntp access-group peer 10
! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 20
! permit NTP time sync requests from a select set of clients
! access control lists
access-list 1 remark utility ACL to block everything
access-list 1 deny any
access-list 10 remark NTP peers-servers sync to
access-list 10 permit
access-list 10 deny any
access-list 20 remark Hosts-Networks allow to get
access-list 20 permit
access-list 20 deny any