In my last column, there was a discussion on the new compliance requirement for businesses working with the Department of Defense: Cybersecurity Maturity Model Certification (CMMC).
The CMMC model is designed to protect the covered defense information that is in all DoD contracts and the covered defense information that may be produced by the defense contractor. The model consists of five levels with each higher level incorporating increasing levels of security. The goal is for all 300,000 companies in the defense industrial base to be audited and certified compliant by 2026. As this requirement moves forward by the end of 2021, the goal is for approximately 7,500 companies to be audited and certified. The CMMC compliance certification will be a baseline requirement; with the appropriate certification level, there will be access to contracts; without certification, a company will be deemed unqualified.
This article is focused on the CMMC Level 1 access control practice requirements. It is important to understand that system security requires a proactive approach; a step in that direction is taking control of the system and controlling access. The CMMC Level 1 requirement has four of the 17 practices focused on access control. The CMMC model practices are spread across 17 domains, and it is access control that has the second greatest number of practices with 26 out of 171 total practices.
The first practice in access control is to uniquely identify all system users. A foundation for system access control is identity management, which is the ability to uniquely identify all system users; this would include people and processes. One needs to consider access in terms of layers; first, there is basic access to the system, second, there is access to specific applications and processes, there is also user access and administrative access, and layers of administrative access. The larger the system, the more users, the greater the layers of access control. Even in less complex systems or systems with one user, there is still the requirement for access control. One of the principals in system security is the "principle of least privilege." The rule states that there should be no universal access and that all users and processes are to be restricted to only the applications and tools that they need to do their job. This rule can only be met if each user is uniquely identified. This is a system set up function, where the system administrator requires a unique identifier for each system user.
The second access control practice requirement is to limit access to only what the user needs for their job or function. This means limiting system access to only the transactions and the system functions that the user is permitted to execute. This, too, is related to the principle of least privilege, where users or system access is limited to the resources needed for their job. This means there is no universal access and no group access, meaning no one user or identity has access to all software and administrative rights. An implied requirement is that for sole computer users, there should be at least two accounts: one for a general user with access to applications, and a second restricted to the administrative role with only access to administrative functions. This, too, is a setup function, where the system administrator sets up permissions based on roles, and then assigns a role, or roles, to each system user. It is the role that allows access to applications and data.
The third practice is to verify and control connections and the use of external information systems. In order to accomplish this practice requirement, there are a couple of things that should be done. The first is to establish configuration management control over the system, which is to set a policy to restrict system access to only approved devices. Configuration management is the means by which you control what is on the system and what is added or removed from the system. Configuration management should outline the bring-your-own-device policy; this will set the rules for how non-company-controlled devices access the system. These are rules that set how cell phones, tablets, and computers are prohibited from joining or are allowed to join the system. The goal is to control access to the information management system. Just as you would not allow a random person to enter and walk around your home, you do not want random users accessing your system. Configuration management is how access is verified, and how connections are controlled; it is constraining access, and setting access control rules and requirements, all through configuration control.
The fourth practice in Level 1 access control is to control the information posted or processed on publicly accessible information systems. This is a common-sense control; here, the goal is to prohibit the public disclosure of federal contract information. It is also the prohibition of the public disclosure of company-controlled information to include your company's financial information, personnel information, and the like. There are implied tasks needed to be accomplished to meet this practice. The information has to be identified as controlled information, that is federal contract information or company-controlled information. In addition, employees need instructions or a policy that outlines what actions are prohibited, like disclosing company financial information to the public. The recommendation is for an acceptable use policy, one that outlines the activities that are prohibited; it also serves notice to the users that they are subject to monitoring. The goal is to reduce the fog in terms of information security, what is clearly understood by one person may not be so for another. The effort to mark and segregate all controlled information, and to have the handling of controlled information written into policy will go a great length in removing the confusion in terms of information handling.
Access control is foundational in terms of securing the company's information management system. For example, the practices outlined in identity management allows for role-based access control; it provides the ability to monitor and audit user behavior. As with all tasks in the CMMC model, there are the specified tasks or practice requirements that need to be accomplished. However, to accomplish these tasks, there are also implied tasks; these are tasks that need to be accomplished before the primary task can be completed. An example is a requirement to mark or identify controlled information; if the information is not marked, then to the casual user, it is not controlled.
The CMMC Level 1 requirements underpin the following four levels of the CMMC model. They are also the baseline requirement for all federal government contracts. Meeting these 17 practice requirements in terms of the CMMC model is meeting the requirement for basic cyber-hygiene. In a general sense, basic cyber-hygiene, like physical hygiene, are the steps and precautions that one takes to keep healthy. In terms of computers and computer systems, these are the fundamentals in terms of ensuring the confidentiality of your information, the integrity of data, and ensuring the availability of your information management system.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171 Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.