Ensure Compliance with CMMC AC.L1-3.1.20 – External Connections

One way to ensure compliance with CMMC AC.L1-3.1.20 – EXTERNAL CONNECTIONS is to establish a process for reviewing and approving all external connections. This process should involve a risk assessment of the potential connection, as well as a review of any security measures that are in place.

To start, it is important to have a clear understanding of what is considered an “external connection.” This includes any connection to a network or system that is outside of the organization’s own network or system. This includes connections to cloud services, external websites, and even connections to vendors or contractors.

Once the external connections have been identified, the next step is to assess the potential risks associated with each connection. This can be done through a variety of methods, such as conducting a security assessment or working with a third-party vendor to perform a risk assessment.

Once the risks have been identified, it is important to implement security measures to mitigate those risks. This may include implementing firewalls, using encryption, or implementing authentication and access controls.

In addition to implementing security measures, it is also important to have a process in place for monitoring and maintaining the security of external connections. This may involve regularly reviewing the security measures in place and making updates as needed, as well as conducting periodic testing to ensure that the security measures are effective.

Finally, it is important to have a process in place for managing and updating the security measures for external connections. This may involve working with third-party vendors or contractors to ensure that they are also complying with security standards.

By following these steps, businesses can ensure compliance with CMMC AC.L1-3.1.20 – EXTERNAL CONNECTIONS and protect their sensitive information from potential threats.

How to implement CMMC configuration management control CM.L2-3.4.2– SECURITY CONFIGURATION ENFORCEMENT

The CMMC (Cybersecurity Maturity Model Certification) is a framework that helps organizations protect their sensitive information from cyber threats. One of the key components of the CMMC is the configuration management control, which ensures that systems are properly configured and maintained to prevent unauthorized access or breaches.

The CM.L2-3.4.2 control specifically deals with the management of configuration items (CIs) and change management processes. Here are some steps you can take to ensure that your organization is compliant with this control:

  1. Identify and document all CIs in your organization. This includes hardware, software, and other assets that make up your information systems. Make sure to include detailed information about each CI, including its purpose, configuration, and dependencies on other CIs.
  2. Establish a change management process. This should include a clear set of procedures for requesting, reviewing, and approving changes to CIs. Make sure to involve the appropriate stakeholders in this process, including IT personnel and business owners.
  3. Implement a configuration management database (CMDB). This is a central repository for all information about your CIs, including their current configuration and any changes made over time. The CMDB should be accessible to authorized personnel and should be regularly updated to reflect any changes to the CIs.
  4. Conduct regular audits of your CIs and change management processes. This will help you identify any weaknesses or areas for improvement, and ensure that you are in compliance with the CM.L2-3.4.2 control.

By following these steps, you can ensure that your organization is compliant with the CMMC configuration management control and better protected against cyber threats.

Limit Information System Access

Limiting information system access is a fundamental security practice that focuses on account management.  The Cybersecurity Maturity Model Certification (CMMC) covers system access with the Access Control domain and AC.1.001 and AC.1.002 practices. This control will prevent unauthorized access to controlled unclassified information (CUI).  This control can be implemented using a combination of policy and technical mechanisms.  Access control policies and procedures are used to control access between users and the information or devices you are protecting. 

You should identify and select the types of accounts needed to support your business.  Account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.  New user accounts should require an approval and follow the organization’s access control policy and procedures.  An organization could create User Authorization Request forms that lists:

  • user requesting access
  • information system
  • information being accessed
  • business purpose
  • training requirements
  • user account name
  • approving signatures

An account manager should be assigned. Account managers need to be notified when an account is no longer needed, a user is terminated or transferred, and when the need-to-know changes.  Access authorization should be based on a valid need-to-know, reason to use the system, and any other business purposes. 

Temporary and/or emergency accounts are commonly used in a production environment.  These accounts should be configured to automatically expire after a defined period.  The account manager can also manually audit the system for inactive and temporary accounts no longer needed.  This process should be outlined in your access control and auditing policies. Shared/Group accounts should only be permitted when necessary.  The shared/group account credentials need to be terminated when a member leaves the group. 

An account manager could create a simple spreadsheet that lists all of the user accounts and the names of individuals associated with each account.  The list should also include disabled accounts with the names of individuals associated with each account and the dates the accounts were disabled.  This list needs to be updated and audited frequently in accordance with your continuous monitoring plan. 

Monitoring the use of accounts will help to detect inappropriate account usage and access violations.  Examples of atypical usage includes, accessing systems during non-work hours, or attempting to access information they are not authorized to access.  This overlaps with the Audit and Accountability domain of controls.

Conduct an assessment to verify if system access is limited to only authorized users, processes acting on behalf of users, and devices.  Test your processes for managing system accounts and the mechanisms used to implement your account management.  The following are objects you can use to assess your account management:

  • Access control policies
  • Account management procedures
  • System security plans
  • System configuration settings
  • System design documentation
  • Lists of active system accounts and the names of individuals associated with each account
  • Notifications of recently terminated, transferred employees
  • Lists of conditions for group and role membership
  • Lists of recently disabled system accounts along with the name of the individual associated with each account
  • Access authorization records
  • Account management compliance reviews

It is important to identify and limit who can access your information system.  Creating methods to document and track system access authorization will protect CUI, and devices like printers, and computers from unauthorized use.  Implementing an account management plan and assigning an account manager will help you identify and control system access. 

DoD Announces New Cybersecurity Maturity Model Certification (CMMC)

The Department of Defense is planning to roll out a new cybersecurity framework for the Defense Industrial Base (DIB) sector. The Cybersercurity Maturity Model Certification (CMMC) will focus on protecting controlled unclassified information (CUI) within the supply chain.

CMMC will contain multiple maturity levels that range from basic cybersecurity hygiene to advanced. The required CMMC level will be identified in RFP sections L and M and used as a go/no go decision.

The first version of the CMMC will be available in January 2020. Industry should begin to see the CMMC requirements in Requests for Information in June 2020.

The CMMC will be a combination of various cybersecurity standards like NIST SP 800-53, NIST SP 800-171, ISO 27001, ISO 27032, AIA NAS9933 and others.

DoD contractors will need to coordinate with an accredited and independent third party commercial certification organization to receive a CMMC audit. The contractor will be awarded certification at the appropriate CMMC level after demonstrating to the assessor and certifier compliance with the CMMC.

One of the most exciting developments is that cybersecurity is now an allowable cost. DoD contractors will be reimbursed for costs associated with meeting the CMMC requirements.

The CMMC is currently being developed and more information will be released in the upcoming months. Remedia Security will be providing a detailed analysis of the draft CMMC and how DoD contractors can prepare for meeting the requirements.