Access Control Level 2
CMMC level 1 is a foundational level for CMMC Cyber security compliance. It forms the initial building block for all other levels of cyber maturit
AC.2.005: Provide privacy and security notices consistent with applicable CUI rules.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
CMMC CLARIFICATION
Systems that process CUI carry legal terms covering user privacy and security. A system-use notification banner displays those terms before access is granted, and users must acknowledge them (typically by clicking to accept) each time they log on. You can use that acknowledgment in the civil and/or criminal prosecution of an attacker who violates the terms.
Discuss legal notification requirements with your organization’s legal counsel so that the banner meets all applicable requirements. You should inform the user that:
Example
You are setting up IT equipment for your organization. You have worked with legal counsel to draft a notification. The system displays the required security and privacy information when anyone logs on to your organization’s machines. You ensure that this notification displays to all users of all of the organization’s machines.
REFERENCES
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.
CMMC CLARIFICATION
A portable storage device is a system component that you can insert and remove from a system. You use it to store data or information. Examples of portable storage devices include:
You can put this practice in place two ways:
Example
Your organization has a usage restriction policy. It states that users cannot use portable storage devices in external information systems without management approval.
REFERENCES
AC.2.007: Employ the principle of least privilege, including for specific security functions and privileged accounts.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges).
Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
CMMC CLARIFICATION
You should apply the principle of least privilege to all users and processes on all systems. This means you assign the fewest permissions necessary for the user or process to accomplish their business function. Also, you:
Example
As the IT administrator for your organization, you create accounts. You apply the fewest privileges necessary for the user or process to complete their task. This means you assign everyone a basic user role. This prevents a user from modifying system configurations. You also assign privileged access only to users and processes that need it, such as IT staff.
REFERENCES
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and nonprivileged account.
CMMC CLARIFICATION
A user with a privileged account can perform more tasks and access more information than a person with a non-privileged account. This means that tasks performed when using the privileged account can have a greater impact on the system. You restrict administrator use of privileged accounts. Only those who perform a function that requires more access have a privileged account. This reduces the risk of unintentional harm to systems and data.
Example
As the IT administrator for your organization, you have two user accounts. One is a nonprivileged account, which you use when performing non-privileged duties. These tasks include sending or receiving emails. The other is a privileged account, which you use only when performing administrative functions. Examples include troubleshooting a device or setting up new user accounts.
REFERENCES
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components. Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.
CMMC CLARIFICATION
Consecutive unsuccessful logon attempts may indicate malicious activity such as password guessing. You can mitigate these attacks by limiting the number of unsuccessful logon attempts allowed before the account locks. Three consecutive unsuccessful attempts is a common threshold; set the number at a level that fits your risk profile. A lower threshold makes guessing harder, but it also makes it easier for a legitimate user, or an attacker who deliberately enters wrong passwords for a known username, to lock an account, so the lockout response matters as much as the threshold.
After the system locks an account, there are several ways to unlock it. The most common is to keep the account locked for a predefined time, after which it unlocks automatically; this bounds the denial-of-service effect of a lockout. Another option is to keep the account locked until an administrator unlocks it.
Example
You attempt to log on to your work computer. You mistype your password three times in a row. You call your IT help desk or administrator. The administrator tells you your account is locked. He explains that all accounts lock after three unsuccessful logon attempts. This limits the effectiveness of brute-force and other password attacks. He tells you he can unlock it, or you can wait five minutes and the account will unlock automatically.
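The lockout behaviour in the example above (three consecutive failures, a five-minute automatic release, and a help-desk unlock) written out as an added example; this is illustrative code, not part of the CMMC or NIST text. Times are plain epoch seconds passed in by the caller so the state machine can be exercised without waiting, and the password check itself is assumed to happen elsewhere and is passed in as a boolean.

```python
"""Account lockout with automatic release and manual admin unlock (added example)."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or unlock
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    """Lock an account for `lockout_seconds` after `threshold` consecutive failures.

    While an account is locked every attempt is rejected, even with the correct
    password, so anyone who knows a username can lock that user out by guessing
    wrong `threshold` times.  A timed automatic release (the "delay algorithm"
    in the NIST discussion) bounds that denial of service; a lock that only an
    administrator can clear trades availability for a harder brute force.
    """

    def __init__(self, threshold: int = 3, lockout_seconds: int = 300) -> None:
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one logon attempt; return 'granted', 'denied' or 'locked'."""
        st = self._state(user)
        if st.locked_until > now:
            # Reject regardless of password_ok so a locked account does not
            # become a password oracle for the attacker who locked it.
            return "locked"
        if password_ok:
            st.failures = 0
            st.locked_until = 0.0
            return "granted"
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0  # the counter restarts once the lock expires
            return "locked"
        return "denied"

    def admin_unlock(self, user: str) -> None:
        """Help-desk path: clear the lock before the timer expires."""
        st = self._state(user)
        st.failures = 0
        st.locked_until = 0.0


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, lockout_seconds=300)
    for t in (0, 1, 2):                                 # three mistyped passwords
        print(t, policy.attempt("alice", False, t))
    print(10, policy.attempt("alice", True, 10))       # correct password, still locked
    print(302, policy.attempt("alice", True, 302))     # lock expired, granted
```

The third failure locks the account and a correct password ten seconds later is still refused; once the timer passes (or `admin_unlock` is called) the next correct password is granted and the failure counter starts from zero.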
REFERENCES
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday.
Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.
CMMC CLARIFICATION
You can set session locks on your system. A user can activate the lock manually, or the system can activate it automatically after a preset period of inactivity, for example one to five minutes. Session locks are a quick way to prevent unauthorized use of a system without requiring the user to log off.
A locked session shows pattern-hiding information on the machine screen. This masks the data on the display.
Example
You are the IT administrator in your organization. You notice that employees leave their offices without locking their computers. Sometimes their screens display sensitive company information. You remind your coworkers to lock their systems when they walk away. You set all machines to lock after five minutes of inactivity.
REFERENCES
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies. Wireless networks use authentication protocols which provide credential protection and mutual authentication.
CMMC CLARIFICATION
You should base the use of wireless technologies on approved guidelines from management. These guidelines may include the following:
Example
Your company is implementing a wireless network at its headquarters. You work with management to draft policies about the use of the wireless network. You allow only company-approved devices that contain verified security configuration settings. Also, you write usage restrictions that anyone who wants to use the wireless network must follow.
REFERENCES
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code.
Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and virtual private networks.
CMMC CLARIFICATION
Remote access connections pass through untrusted networks and should therefore not be trusted without proper security controls in place. All remote access should implement approved encryption. This ensures the confidentiality of the data. Check connections to ensure that only authorized users and devices are connecting. Monitoring may include tracking who is accessing the network remotely and what files they are accessing during the remote session.
Example
You work from remote locations, such as your house or a client site, and need access to your company’s network. The IT administrator issues you a company laptop with VPN software installed, which is required to connect to the network remotely. After you connect to the VPN, you must accept a privacy notice which states that the company’s security department may monitor your connection. They do this through the use of a network-based Intrusion Detection System (IDS). They also review audit logs to see who is connecting remotely and when. Next you see the message “Verifying compliance.” This means the system is checking your device to ensure it meets the established requirements to connect. The administrator explains that after your machine connects to the network using the VPN, you can have confidence that your session is private because your company implements approved encryption.
REFERENCES
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.
CMMC CLARIFICATION
You can limit the number of remote access control points. This reduces the attack surface for organizations. Route all remote access sessions through as few points as possible. This:
Example
You are the IT administrator for a company with many locations. Several employees at different locations need to connect to the network while working remotely. Each location has its own connection to the internet. Since each company location has a direct connection to headquarters, you decide to route all remote access through the headquarters location. All remote traffic comes to one location. You have to monitor the traffic on only one device, rather than one per location. The company will not have to buy as much equipment.
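The monitoring described in the two sections above, reviewing who connected remotely, on which device, whether the device passed the compliance check, and whether the session came in through the managed access control point, as an added example that is not part of the CMMC or NIST text. The log format, the user and device names, the gateway names and the IP addresses are all constructed for this example; a real VPN concentrator's log format will differ, and only the parsing would need to change.

```python
"""Review VPN session logs for remote-access policy violations (added example)."""
import re
from typing import Dict, List, Set, Tuple

KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: one line per session event, key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z vpn=hq-vpn-1 user=alice device=LT-1042 src=203.0.113.7 event=connect posture=compliant
2024-03-04T08:03:40Z vpn=hq-vpn-1 user=bob device=LT-2210 src=198.51.100.23 event=connect posture=noncompliant
2024-03-04T08:05:02Z vpn=branch-vpn-9 user=carol device=LT-3301 src=192.0.2.55 event=connect posture=compliant
2024-03-04T08:06:15Z vpn=hq-vpn-1 user=mallory device=LT-1042 src=198.51.100.99 event=connect posture=compliant
2024-03-04T17:30:00Z vpn=hq-vpn-1 user=alice device=LT-1042 src=203.0.113.7 event=disconnect
"""

# Hypothetical inventory: the company laptop issued to each remote-access user.
ISSUED_DEVICES: Dict[str, str] = {"alice": "LT-1042", "bob": "LT-2210", "carol": "LT-3301"}
# Hypothetical: only the headquarters concentrator is a managed access control point.
MANAGED_GATEWAYS: Set[str] = {"hq-vpn-1"}

Finding = Tuple[str, str, List[str]]  # (timestamp, user, issues)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def review_sessions(log_text: str,
                    issued_devices: Dict[str, str] = ISSUED_DEVICES,
                    managed_gateways: Set[str] = MANAGED_GATEWAYS) -> List[Finding]:
    """Return one finding per connect event; an empty issue list means the session passed."""
    owner_of = {dev: user for user, dev in issued_devices.items()}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") != "connect":
            continue  # disconnects stay in the audit trail but need no policy check
        user, device = ev.get("user", ""), ev.get("device", "")
        issues: List[str] = []
        if user not in issued_devices:
            issues.append("user not authorized for remote access")
        if device not in owner_of:
            issues.append("device not in inventory")
        elif owner_of[device] != user:
            issues.append(f"device issued to {owner_of[device]}, not {user}")
        if ev.get("posture") != "compliant":
            issues.append("endpoint failed compliance check")
        if ev.get("vpn") not in managed_gateways:
            issues.append("session bypassed managed access control point")
        findings.append((ev["ts"], user, issues))
    return findings


def sessions_needing_action(findings: List[Finding]) -> List[str]:
    """Users whose connect events raised at least one issue."""
    return [user for _, user, issues in findings if issues]


if __name__ == "__main__":
    for ts, user, issues in review_sessions(SAMPLE_LOG):
        print(ts, user, "OK" if not issues else "; ".join(issues))
```

Run against the sample, alice passes, bob is flagged for failing the compliance check, carol for connecting through a gateway that is not a managed access control point, and mallory both for not being an authorized remote user and for presenting alice's laptop.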
REFERENCES
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content.
Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.
Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies.
Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides guidance on security for virtualization technologies.
In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
CMMC CLARIFICATION
Flow control regulates where and how information can flow. Firewalls and proxy servers can be used to control traffic flow. Typically, organizations will have a firewall between the internal network and the internet. Often multiple firewalls are used inside a network to create zones that separate sensitive data, business units or user groups. Proxy servers can be used to break the direct connection between networks: all traffic entering or leaving a network is intercepted by the proxy, so no host on one side connects directly to a host on the other. This can have security and performance benefits. Additionally, organizations should ensure that all sensitive information is encrypted before being transmitted over the internet.
Example
You configure a proxy device on your company’s network. Your goal is to better mask and protect the devices inside your network. After you configure the device, information does not flow directly from the internal network to the internet. The proxy system intercepts the traffic. Then, the proxy analyzes it to determine if it is legitimate. If it is, the system allows it on the network and sends it to its destination.
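A first-match rule set for the gateway between a CUI enclave, a DMZ holding the web proxy, and the internet, as an added example that is not part of the CMMC or NIST text. The networks, the proxy address and the export-controlled host are hypothetical. The rules encode three of the restrictions listed in the NIST discussion above: inbound packets that claim an internal source address are dropped (anti-spoofing), only the internal web proxy may open HTTP/HTTPS connections to the internet so every other host must go through it, and a host holding export-controlled data is confined to the enclave, which is the simplest way to guarantee that data never leaves in the clear. Anything not explicitly allowed is dropped.

```python
"""Flow-control rules for an enclave gateway, evaluated first match wins (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

INTERNAL = ipaddress.ip_network("10.20.0.0/16")            # hypothetical CUI enclave
DMZ = ipaddress.ip_network("192.168.100.0/24")             # hypothetical DMZ
WEB_PROXY = ipaddress.ip_address("192.168.100.5")          # hypothetical proxy in the DMZ
PROXY_PORT = 3128
EXPORT_CONTROLLED = {ipaddress.ip_address("10.20.7.10")}   # hypothetical export-controlled server


@dataclass(frozen=True)
class Packet:
    ingress: str  # zone the packet arrived from: "internal", "dmz" or "external"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def pkt(ingress: str, src: str, dst: str, dport: int) -> Packet:
    return Packet(ingress, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def is_private_side(addr: ipaddress.IPv4Address) -> bool:
    return addr in INTERNAL or addr in DMZ


# (rule name, predicate, verdict), evaluated top to bottom.  Traffic between two
# enclave hosts never crosses this gateway, so no rule needs to allow it.
RULES: List[Tuple[str, Callable[[Packet], bool], str]] = [
    # Outside traffic claiming to come from inside the organization.
    ("anti-spoof",
     lambda p: p.ingress == "external" and is_private_side(p.src), "DROP"),
    # The export-controlled host may not talk to anything outside the enclave,
    # not even the proxy, so its data cannot reach the internet in the clear.
    ("export-controlled-confined",
     lambda p: p.src in EXPORT_CONTROLLED and p.dst not in INTERNAL, "DROP"),
    # Enclave hosts reach the web only by handing requests to the proxy.
    ("internal-to-proxy",
     lambda p: p.ingress == "internal" and p.src in INTERNAL
               and p.dst == WEB_PROXY and p.dport == PROXY_PORT, "ACCEPT"),
    # Only the proxy may open HTTP/HTTPS connections toward the internet.
    ("proxy-egress",
     lambda p: p.ingress == "dmz" and p.src == WEB_PROXY
               and not is_private_side(p.dst) and p.dport in (80, 443), "ACCEPT"),
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (verdict, name of the rule that decided it); default is deny."""
    for name, matches, verdict in RULES:
        if matches(p):
            return verdict, name
    return "DROP", "default-deny"


if __name__ == "__main__":
    samples = [
        pkt("external", "10.20.5.5", "10.20.5.6", 22),           # spoofed internal source
        pkt("internal", "10.20.5.5", "192.168.100.5", 3128),     # workstation to proxy
        pkt("internal", "10.20.5.5", "93.184.216.34", 443),      # workstation direct to internet
        pkt("internal", "10.20.7.10", "192.168.100.5", 3128),    # export-controlled host to proxy
        pkt("dmz", "192.168.100.5", "93.184.216.34", 443),       # proxy to internet
    ]
    for p in samples:
        print(p.ingress, p.src, "->", p.dst, p.dport, evaluate(p))
```

A workstation's direct request to the internet falls through every rule and hits the default deny, while the same request relayed through the proxy is accepted twice: once on the way to the proxy and once when the proxy opens the outbound connection.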
REFERENCES