Limit Information System Access

Limiting information system access is a fundamental security practice that centers on account management. The Cybersecurity Maturity Model Certification (CMMC) addresses it in the Access Control domain through practices AC.1.001 (limit system access to authorized users, processes acting on behalf of authorized users, and devices) and AC.1.002 (limit system access to the types of transactions and functions that authorized users are permitted to execute). This control helps prevent unauthorized access to controlled unclassified information (CUI). It is implemented through a combination of policy and technical mechanisms: access control policies and procedures define which users may reach which information and devices, and technical controls enforce those decisions.

You should identify and select the types of accounts needed to support your business. Account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. New user accounts should require approval and follow the organization's access control policy and procedures. An organization could, for example, create a User Authorization Request form that records:

  • user requesting access
  • information system
  • information being accessed
  • business purpose
  • training requirements
  • user account name
  • approving signatures

An account manager should be assigned. Account managers need to be notified when an account is no longer needed, when a user is terminated or transferred, and when a user's need-to-know changes. Access authorization should be based on a valid need-to-know, a legitimate reason to use the system, and any other documented business purpose.

Temporary and emergency accounts are common in production environments. They should be configured to expire automatically after a defined period, and the account manager should also periodically audit the system for inactive accounts and for temporary accounts that are no longer needed. Document this process in your access control and auditing policies. Shared or group accounts should be permitted only when necessary, and their credentials must be changed whenever a member leaves the group; otherwise the departing member retains access.

An account manager could maintain a simple spreadsheet listing every user account and the individual responsible for it. The list should also include disabled accounts, again with the responsible individual and the date each account was disabled. Update and audit this list frequently, in accordance with your continuous monitoring plan.

Monitoring account usage helps detect inappropriate use and access violations. Examples of atypical usage include logging in outside normal work hours and attempting to access information the user is not authorized to view. This overlaps with the Audit and Accountability domain.
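The two patterns named above can be checked with a small amount of detection logic over access logs. The following is an added example, not part of the original article; the log format (a timestamp followed by key=value fields), the business window of weekdays 07:00 to 19:00, and the threshold of three denials per user are assumptions, and the log lines are constructed rather than taken from any real system.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simple key=value line format; not output of any real product.
SAMPLE_LOG = """\
2019-11-20T09:12:04 host=fs01 user=jsmith action=login result=success src=10.0.0.5
2019-11-20T09:15:30 host=fs01 user=jsmith action=read resource=/cui/proposals/p17.docx result=success
2019-11-20T23:41:05 host=fs01 user=amiller action=login result=success src=10.0.0.9
2019-11-21T10:02:11 host=fs01 user=contractor7 action=read resource=/cui/drawings/a3.pdf result=denied
2019-11-21T10:02:15 host=fs01 user=contractor7 action=read resource=/cui/drawings/a4.pdf result=denied
2019-11-21T10:02:20 host=fs01 user=contractor7 action=read resource=/cui/drawings/a5.pdf result=denied
2019-11-23T14:30:00 host=fs01 user=jsmith action=login result=success src=10.0.0.5
2019-11-21T11:00:00 host=fs01 user=amiller action=read resource=/cui/proposals/p17.docx result=denied
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<kv>.+)$")


def parse_event(line):
    """Turn one log line into a dict; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m.group("ts"))}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        ev[key] = value
    return ev


def parse_log(text):
    events = [e for e in (parse_event(line) for line in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])  # lines may arrive out of order


def is_work_hours(ts, start_hour=7, end_hour=19):
    """Assumed business window: Monday to Friday, 07:00 to 18:59 local time."""
    return ts.weekday() < 5 and start_hour <= ts.hour < end_hour


def find_atypical_usage(events, denial_threshold=3):
    """Flag successful logins outside work hours and users with repeated access denials."""
    alerts = []
    denials = defaultdict(list)
    for ev in events:
        if ev.get("action") == "login" and ev.get("result") == "success" and not is_work_hours(ev["ts"]):
            alerts.append({"user": ev["user"], "kind": "off-hours login", "detail": ev["ts"].isoformat()})
        if ev.get("result") == "denied":
            denials[ev["user"]].append(ev.get("resource", "?"))
    for user, resources in denials.items():
        # A single denial is usually a mistake; a run of them looks like probing.
        if len(resources) >= denial_threshold:
            alerts.append({"user": user, "kind": "repeated access denials", "detail": ", ".join(resources)})
    return alerts


if __name__ == "__main__":
    for a in find_atypical_usage(parse_log(SAMPLE_LOG)):
        print(f"{a['kind']:25} {a['user']:12} {a['detail']}")
```

On the sample data this raises three alerts: amiller's 23:41 login on a weekday, jsmith's Saturday login, and contractor7's three consecutive denied reads under /cui/drawings/. amiller's single denial stays below the threshold, which is the trade-off to tune: a lower threshold catches a one-off attempt on CUI at the cost of more noise from ordinary mistakes.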

Conduct an assessment to verify whether system access is limited to authorized users, processes acting on behalf of authorized users, and devices. Test both your processes for managing system accounts and the mechanisms that implement them. The following artifacts can be used to assess your account management:

  • Access control policies
  • Account management procedures
  • System security plans
  • System configuration settings
  • System design documentation
  • Lists of active system accounts and the names of individuals associated with each account
  • Notifications of recently terminated or transferred employees
  • Lists of conditions for group and role membership
  • Lists of recently disabled system accounts along with the name of the individual associated with each account
  • Access authorization records
  • Account management compliance reviews

It is important to identify and limit who can access your information system. Documenting and tracking access authorization protects CUI, as well as devices such as computers and printers, from unauthorized use. Implementing an account management plan and assigning an account manager will help you identify and control system access.

DoD Announces New Cybersecurity Maturity Model Certification (CMMC)

The Department of Defense is planning to roll out a new cybersecurity framework for the Defense Industrial Base (DIB) sector. The Cybersecurity Maturity Model Certification (CMMC) will focus on protecting controlled unclassified information (CUI) within the supply chain.

CMMC will contain multiple maturity levels that range from basic cybersecurity hygiene to advanced. The required CMMC level will be identified in RFP sections L and M and used as a go/no-go criterion for award.

The first version of the CMMC will be available in January 2020. Industry should begin to see the CMMC requirements in Requests for Information in June 2020.

The CMMC will be a combination of various cybersecurity standards like NIST SP 800-53, NIST SP 800-171, ISO 27001, ISO 27032, AIA NAS9933 and others.

DoD contractors will need to engage an accredited, independent third-party commercial certification organization to perform a CMMC assessment. The contractor is certified at the appropriate CMMC level after demonstrating compliance with the CMMC to the assessor and certifier.

One of the most exciting developments is that cybersecurity is now an allowable cost. DoD contractors will be reimbursed for costs associated with meeting the CMMC requirements.

The CMMC is currently being developed and more information will be released in the upcoming months. Remedia Security will be providing a detailed analysis of the draft CMMC and how DoD contractors can prepare for meeting the requirements.