Access Control Level 2

CMMC Level 1 is the foundational level of CMMC cybersecurity compliance.  It forms the initial building block for all other levels of cyber maturity.

AC.2.005: Provide privacy and security notices consistent with applicable CUI rules.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems.  System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist.  Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon.  Where necessary, posters or other printed materials may be used in lieu of an automated system banner.  Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.

CMMC CLARIFICATION

Every system has legal information about user privacy and security.  A system-use notification banner displays the legal requirements of using the system.  Users are required to click to agree to the displayed requirements of using the system each time they log on to the machine.  You can use this agreement in the civil and/or criminal prosecution of an attacker who violates the terms.

Discuss legal notification requirements with your organization’s legal counsel.  This will ensure that your notices meet all applicable requirements.  You should inform the user that:

  • you may monitor, record, and subject to audit any information system usage;
  • you prohibit unauthorized use of the information system;
  • you may subject unauthorized use to criminal and civil penalties; and
  • use of the information system indicates consent to monitoring and recording.

Example

You are setting up IT equipment for your organization.  You have worked with legal counsel to draft a notification.  The system displays the required security and privacy information when anyone logs on to your organization’s machines.  You ensure that this notification displays to all users of all of the organization’s machines.

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.9
  • NIST SP 800-53 Rev 4 AC-8

AC.2.006: Limit use of portable storage devices on external systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.  Note that while “external” typically refers to outside of the organization’s direct supervision and authority that is not always the case.  Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not.  Among the systems that process CUI there are likely access restrictions for CUI that apply between systems.  Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.

CMMC CLARIFICATION

A portable storage device is a system component that you can insert and remove from a system.  You use it to store data or information.  Examples of portable storage devices include: 

  • floppy disks;
  • compact/digital video disks (CDs/DVDs);
  • flash/thumb drives;
  • external hard disk drives; and
  • flash memory cards/drives that contain nonvolatile memory.

You can put this practice in place two ways:

  • set up a policy that describes the usage restrictions of these devices or
  • establish technical means, such as configuring devices to work only when connected to a system to which they can authenticate.

Example

Your organization has a usage restriction policy.  It states that users cannot use portable storage devices in external information systems without management approval.

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.21
  • CIS Controls v7.1 13.7, 13.8, 13.9
  • NIST CSF v1.1 ID.AM-4, PR.PT-2
  • NIST SP 800-53 Rev 4 AC-20(2)

AC.2.007: Employ the principle of least privilege, including for specific security functions and privileged accounts.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes.  The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions.  Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege.  Organizations also apply least privilege to the development, implementation, and operation of organizational systems.  Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges).

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems.  Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions.  Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

CMMC CLARIFICATION

You should apply the principle of least privilege to all users and processes on all systems.  This means you assign the fewest permissions necessary for the user or process to accomplish their business function.  Also, you:

  • restrict user access to only the machines and information needed to fulfill job responsibilities; and
  • limit what system configuration settings users can change, only allowing individuals with a business need to change them.

Example

As the IT administrator for your organization, you create accounts.  You apply the fewest privileges necessary for the user or process to complete their task.  This means you assign everyone a basic user role.  This prevents a user from modifying system configurations.  You also assign privileged access only to users and processes that need it, such as IT staff.

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.5
  • CIS Controls v7.1 14.6
  • NIST CSF v1.1 PR.AC-4
  • CERT RMM v1.2 KIM:SG4.SP1
  • NIST SP 800-53 Rev 4 AC-6, AC-6(1), AC-6(5)
  • UK NCSC Cyber Essentials

AC.2.008: Use non-privileged accounts or roles when accessing nonsecurity functions.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

This requirement limits exposure when operating from within privileged accounts or roles.  The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and nonprivileged account.

CMMC CLARIFICATION

A user with a privileged account can perform more tasks and access more information than a person with a non-privileged account.  This means that tasks performed when using the privileged account can have a greater impact on the system.  You restrict administrator use of privileged accounts.  Only those who perform a function that requires more access have a privileged account.  This reduces the risk of unintentional harm to systems and data.

Example

As the IT administrator for your organization, you have two user accounts.  One is a nonprivileged account, which you use when performing non-privileged duties.  These tasks include sending or receiving emails.  The other is a privileged account, which you use only when performing administrative functions.  Examples include troubleshooting a device or setting up new user accounts.
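One way to model AC.2.007 and AC.2.008 together, as an added Python example that is not part of the CMMC text: a role table in which only the privileged role holds the security functions named in the discussion, an authorization check, and a review of constructed audit records that flags a privileged account doing everyday work or a non-privileged account reaching for a security function. The account names, function names and log format are assumptions.

```python
import re

# Function categories follow the discussion text; the names themselves are constructed.
SECURITY_FUNCTIONS = {"create_account", "set_audit_events", "set_ids_parameters", "set_permissions"}
NONSECURITY_FUNCTIONS = {"send_email", "read_email", "edit_document"}

# Least privilege: the basic "user" role gets only everyday functions; the
# privileged "admin" role additionally gets the security functions.
ROLES = {
    "user": set(NONSECURITY_FUNCTIONS),
    "admin": SECURITY_FUNCTIONS | NONSECURITY_FUNCTIONS,
}
PRIVILEGED_ROLES = {"admin"}

# Constructed accounts: one administrator holds two accounts (AC.2.008).
ACCOUNTS = {"jsmith": "user", "jsmith-adm": "admin", "rlee": "user"}


def authorize(account: str, function: str) -> bool:
    """AC.2.007: allow only what the account's role permits; unknown accounts get nothing."""
    role = ACCOUNTS.get(account)
    return role is not None and function in ROLES[role]


# Constructed audit-record format: "<timestamp> account=<name> function=<name> result=<allowed|denied>"
LOG_RE = re.compile(r"account=(?P<account>\S+)\s+function=(?P<function>\S+)")


def review_log(lines):
    """AC.2.008 review: return (account, function, reason) for each record where a
    privileged account performed a nonsecurity function, or a non-privileged (or
    unknown) account attempted a security function."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip records that do not match the expected format
        account, function = m.group("account"), m.group("function")
        role = ACCOUNTS.get(account)
        if role in PRIVILEGED_ROLES and function in NONSECURITY_FUNCTIONS:
            findings.append((account, function, "privileged account used for nonsecurity function"))
        elif role not in PRIVILEGED_ROLES and function in SECURITY_FUNCTIONS:
            findings.append((account, function, "security function attempted without privilege"))
    return findings


SAMPLE_LOG = [  # constructed audit records
    "2024-03-04T09:12:01Z account=jsmith function=send_email result=allowed",
    "2024-03-04T09:15:40Z account=jsmith-adm function=create_account result=allowed",
    "2024-03-04T09:16:05Z account=jsmith-adm function=read_email result=allowed",
    "2024-03-04T10:02:11Z account=rlee function=set_permissions result=denied",
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```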

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.6
  • CIS Controls v7.1 4.3, 4.6
  • NIST CSF v1.1 PR.AC-4
  • NIST SP 800-53 Rev 4 AC-6(2)
  • UK NCSC Cyber Essentials

AC.2.009: Limit unsuccessful logon attempts.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

This requirement applies regardless of whether the logon occurs via a local or network connection.  Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm).  If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components.  Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.

CMMC CLARIFICATION

Consecutive, unsuccessful logon attempts may indicate malicious activity.  You can mitigate these types of attacks by limiting the number of unsuccessful logon attempts.  There are many ways to do this.  Having three consecutive, unsuccessful logon attempts is a common setting.  Organizations should set this number at a level that fits their risk profile.  Fewer unsuccessful attempts provide higher security.

After the system locks an account, it has several options to unlock it.  The most common is to keep the account locked for a predefined time.  After that time, the account unlocks.  Another option is to keep the account locked until an administrator unlocks it.

Example

You attempt to log on to your work computer.  You mistype your password three times in a row.  You call your IT help desk or administrator.  The administrator tells you your account is locked.  He explains that all accounts lock after three unsuccessful logon attempts.  This limits the effectiveness of brute-force and other password attacks.  He tells you he can unlock it, or you can wait five minutes and the account will unlock automatically.
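The lockout behaviour and delay algorithm described above, as an added Python example that is not part of the CMMC text: consecutive failures are counted per account, the account locks on the third, a correct password is refused while the lock holds, and the lock releases automatically after five minutes or, when configured that way, only when an administrator unlocks it. Account names and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 3      # threshold used in the example text
LOCKOUT_SECONDS = 5 * 60     # temporary lock that releases after five minutes


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None  # None = unlocked; float("inf") = held for administrator unlock


class LockoutPolicy:
    """Tracks consecutive unsuccessful logon attempts per account and applies a lockout."""

    def __init__(self, threshold=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 admin_unlock_only=False):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.admin_unlock_only = admin_unlock_only
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            st.locked_until = None      # delay period elapsed: release and reset the counter
            st.failed_attempts = 0
            return False
        return True

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Return 'locked', 'success', 'failed' or 'lockout'. The lock is checked
        before the credential so a correct guess during the lock still fails."""
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        if credential_ok:
            st.failed_attempts = 0      # only consecutive failures count
            return "success"
        st.failed_attempts += 1
        if st.failed_attempts >= self.threshold:
            st.locked_until = float("inf") if self.admin_unlock_only else now + self.lockout_seconds
            return "lockout"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        st = self._state(user)
        st.locked_until = None
        st.failed_attempts = 0


def scenario():
    """Walk through the example: three mistypes, a correct password while locked, then auto-release."""
    policy = LockoutPolicy()
    results = [policy.attempt("alice", False, t) for t in (0, 1, 2)]
    results.append(policy.attempt("alice", True, 3))
    results.append(policy.attempt("alice", True, 3 + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(scenario())
```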

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.8
  • NIST CSF v1.1 PR.AC-7
  • NIST SP 800-53 Rev 4 AC-7

AC.2.010: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences.  Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level).  Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday.

Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.

CMMC CLARIFICATION

You can set session locks on your system.  A user can enable the lock.  Also, the system can enable it automatically after a preset time, for example, from one to five minutes.  Session locks are a quick way to prevent unauthorized use of the systems without having a user log off.

A locked session shows pattern-hiding information on the machine screen.  This masks the data on the display.

Example

You are the IT administrator in your organization.  You notice that employees leave their offices without locking their computers.  Sometimes their screens display sensitive company information.  You remind your coworkers to lock their systems when they walk away.  You set all machines to lock after five minutes of inactivity.

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.10
  • CIS Controls v7.1 16.11
  • NIST SP 800-53 Rev 4 AC-11, AC-11(1)

AC.2.011: Authorize wireless access prior to allowing such connections.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions.  Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies.  Wireless networks use authentication protocols which provide credential protection and mutual authentication.

CMMC CLARIFICATION

You should base the use of wireless technologies on approved guidelines from management.  These guidelines may include the following:

  • types of devices, such as corporate or privately-owned equipment;
  • configuration requirements of the devices; and
  • authorization requirements before granting such connections.

Example

Your company is implementing a wireless network at its headquarters.  You work with management to draft policies about the use of the wireless network.  You allow only company-approved devices that contain verified security configuration settings.  Also, you write usage restrictions to follow for anyone who wants to use the wireless network.

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.16
  • CIS Controls v7.1 15.1, 15.10
  • NIST CSF v1.1 PR.PT-4
  • CERT RMM v1.2 TM:SG2.SP2
  • NIST SP 800-53 Rev 4 AC-18

AC.2.013: Monitor and control remote access sessions.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet).  Remote access methods include dial-up, broadband, and wireless.  Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections.  The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks.  VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code.

Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and virtual private networks.

CMMC CLARIFICATION

Remote access connections pass through untrusted networks and should therefore not be trusted without proper security controls in place.  All remote access should implement approved encryption.  This ensures the confidentiality of the data.  Check connections to ensure that only authorized users and devices are connecting.  Monitoring may include tracking who is accessing the network remotely and what files they are accessing during the remote session.

Example

You work from remote locations, such as your house or a client site, and need access to your company’s network.  The IT administrator issues you a company laptop with VPN software installed, which is required to connect to the network remotely.  After you connect to the VPN, you must accept a privacy notice which states that the company’s security department may monitor your connection.  They do this through the use of a network-based Intrusion Detection System (IDS).  They also review audit logs to see who is connecting remotely and when.  Next, you see the message “Verifying compliance.”  This means the system is checking your device to ensure it meets the established requirements to connect.  The administrator explains that after your machine connects to the network using the VPN, you can have confidence that your session is private because your company implements approved encryption.

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.12
  • CIS Controls v7.1 12.11, 12.12
  • NIST CSF v1.1 PR.AC-3, PR.PT-4
  • CERT RMM v1.2 TM:SG2.SP2
  • NIST SP 800-53 Rev 4 AC-17(1)

AC.2.015: Route remote access via managed access control points.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.

CMMC CLARIFICATION

You can limit the number of remote access control points.  This reduces the attack surface for organizations.  Route all remote access sessions through as few points as possible.  This:

  • allows for better visibility into the traffic coming into the network;
  • simplifies network management; and
  • increases the ability to monitor and control the connections.

Example

You are the IT administrator for a company with many locations. Several employees at different locations need to connect to the network while working remotely. Each location has its own connection to the internet. Since each company location has a direct connection to headquarters, you decide to route all remote access through the headquarters location. All remote traffic comes to one location. You have to monitor the traffic on only one device, rather than one per location. The company will not have to buy as much equipment.

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.14
  • CIS Controls v7.1 15.5, 15.10
  • NIST CSF v1.1 PR.AC-3, PR.PT-4
  • CERT RMM v1.2 TM:SG2.SP2
  • NIST SP 800-53 Rev 4 AC-17(3)

AC.2.016: Control the flow of CUI in accordance with approved authorizations.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information.  Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content.

Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems.  Flow control is based on characteristics of the information or the information path.  Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).  Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.

Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies.

In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems.  Organizations consider mandating specific architectural solutions when required to enforce specific security policies.  Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services.  Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements.  Such transmission services may represent sources of increased risk despite contract security provisions.  NIST SP 800-41 provides guidance on firewalls and firewall policy.  SP 800-125B provides guidance on security for virtualization technologies.

CMMC CLARIFICATION

Flow control regulates where and how information can flow.  Firewalls and proxy servers can be used to control traffic flow.  Typically, organizations will have a firewall between the internal network and the internet.  Often multiple firewalls are used inside a network to create zones to separate sensitive data, business units or user groups.  Proxy servers can be used to break the connection between multiple networks.  All traffic entering or leaving a network is intercepted by the proxy, preventing direct access between networks.  This can have security and performance benefits.  Additionally, organizations should ensure that all sensitive information is encrypted before being transmitted over the internet.

Example

You configure a proxy device on your company’s network.  Your goal is to better mask and protect the devices inside your network.  After you configure the device, information does not flow directly from the internal network to the internet.  The proxy system intercepts the traffic.  Then, the proxy analyzes it to determine if it is legitimate.  If it is, the system allows it on the network and sends it to its destination.
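The flow-control restrictions listed in the discussion (block outside traffic claiming an internal source, keep export-controlled data from leaving in the clear, and allow Internet web requests only from the internal proxy), as an added Python example that is not part of the CMMC text. The address plan, proxy address, port set and data labels are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: one internal range and one outbound web proxy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WEB_PROXY = ipaddress.ip_address("10.0.1.5")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str                          # source IP address
    dst: str                          # destination IP address
    dport: int                        # destination port
    ingress: str                      # interface the packet arrived on: "internal" or "external"
    encrypted: bool = True            # payload protected by an encrypted tunnel or TLS
    labels: frozenset = frozenset()   # data labels from tagging or content inspection


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow: Flow):
    """Return (verdict, reason) for one flow, applying the discussion's restrictions
    in order; a flow that matches no deny rule is allowed."""
    src_int, dst_int = is_internal(flow.src), is_internal(flow.dst)
    # 1. Block outside traffic that claims to be from within the organization.
    if flow.ingress == "external" and src_int:
        return ("deny", "outside traffic claiming an internal source address")
    # 2. Keep export-controlled information from going to the Internet in the clear.
    if src_int and not dst_int and "export-controlled" in flow.labels and not flow.encrypted:
        return ("deny", "export-controlled data in the clear to the Internet")
    # 3. Restrict Internet web requests that do not originate from the internal web proxy.
    if src_int and not dst_int and flow.dport in WEB_PORTS and ipaddress.ip_address(flow.src) != WEB_PROXY:
        return ("deny", "Internet web request not from the web proxy")
    return ("allow", "matches approved authorizations")


# Constructed sample flows: one for each deny rule plus two permitted cases.
SAMPLE_FLOWS = [
    Flow("10.0.0.9", "10.0.1.5", 443, "external"),                      # spoofed internal source
    Flow("10.0.1.5", "198.51.100.20", 80, "internal", encrypted=False,
         labels=frozenset({"export-controlled"})),                       # clear-text export-controlled data
    Flow("10.0.5.20", "198.51.100.20", 443, "internal"),                 # workstation bypassing the proxy
    Flow("10.0.1.5", "198.51.100.20", 443, "internal"),                  # proxy to the Internet: allowed
    Flow("203.0.113.7", "10.0.1.5", 443, "external"),                    # inbound to the proxy: allowed
]


def evaluate_all(flows=SAMPLE_FLOWS):
    return [evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}", *evaluate(f))
```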

REFERENCES

  • NIST SP 800-171 Rev 1 3.1.3
  • CIS Controls v7.1 12.1, 12.2, 12.5, 12.8, 13.3, 14.1, 14.6, 14.7
  • NIST CSF v1.1 ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
  • CERT RMM v1.2 TM:SG4.SP1
  • NIST SP 800-53 Rev 4 AC-4
  • UK NCSC Cyber Essentials