CMMC: Assessing Access Control (AC) AC.1.001
The Cybersecurity Maturity Model Certification (CMMC) will soon require third-party assessments of contractors’ compliance with CMMC before they bid for and/or win any US Department of Defense projects. A CMMC certification will require defense contractors to comply with certain mandatory cybersecurity practices, processes, procedures, and capabilities. Access Control (AC) will be crucial for thwarting new and emerging threats from cyber adversaries.
Adhering to the Cybersecurity Maturity Model Certification (CMMC) requirements helps organizations improve their cybersecurity posture and take the actions necessary to reach the desired cybersecurity maturity level. However, the CMMC assessment can prove cumbersome for an organization as it matures in its digital transformation journey. Hence, implementing the Access Control (AC) mechanism becomes key to ensuring that the required safeguards are in place to satisfy the Defense Industrial Base compliance requirements.
Defense contractors hold sensitive defense information passing through their information systems, networks, employees, contractors, third-party service providers, and others. While authorized access is crucial for employees and other users in your computing environment, it is also vital to monitor and control what the authorized users or processes do. A month-by-month report of cyber incidents from CSIS for 2020 shows how various rogue nation-states continue to be involved in cyber espionage, DDoS, and various other cyber-attacks targeting the US. Thus, it has become paramount for every defense enterprise in the US to have well-defined access control management policies, procedures, and standards that balance the cybersecurity requirements necessary for safeguarding the organization’s valuable information assets and ensure that it meets the requirements of CMMC compliance. In this article, we discuss AC.1.001 in detail.
Summarizing AC.1.001: Establish System Access Requirements
The AC.1.001 control is concerned with limiting information system access to authorized users, the processes acting on behalf of authorized users, and devices. Thus, it controls the activities of active entities (i.e., users or the processes acting on behalf of users) and passive entities (i.e., files, records, devices, etc.) in the information system (National Institute of Standards and Technology (NIST) Special Publication 800-171 deals with AC.1.001 in detail). Commonly referred to as NIST 171, this document discusses the access enforcement mechanisms that an organization can employ at the application or service level to provide a higher level of information security. AC.1.001 ensures that unauthorized users and devices do not access the organization’s internal or external information systems.
Solutions Available That Support AC.1.001
Achieving compliance with the AC.1.001 access controls is necessary to prevent fraudulent transactions and activities that can affect the organization’s finances and reputation. The following risk mitigation measures support AC.1.001:
Solution-1: The principle of least privilege applies. A prescribed solution or control measure ensures that an employee at a lower level of the hierarchy cannot perform the duties of the supervisory staff.
Solution-2: Supervisory staff can delegate activities to subordinates or employees at a lower hierarchy level. Under such circumstances, the control mechanism requires authorization from the supervisor.
Solution-3: The control mechanism also does not allow the individual with the highest access levels to initiate and complete any transaction without dual authorization. Thus, if the individual disables or enables any user, the actions need clearance from a supervisor. Therefore, AC.1.001 limits access to authorized users and processes and monitors what process the authorized user can or cannot do.
Example: A Defense Enterprise Having Multiple Departments
Assume a defense contractor has multiple departments and multiple levels of authorization, and that each employee has a specific username and password to access its information systems and network. The system administrator is responsible for assigning each employee’s username and access levels. The access level depends on the employee’s position in the hierarchy, their authorization level, and whether they handle confidential information, Federal Contract Information (FCI), or Controlled Unclassified Information (CUI).
- Any transactions depending on the sensitivity and criticality of information and a specific threshold level may require double approval from one or more personas or departments to prevent accidental or intentional information disclosure.
- The person with the highest authority in a specific department unit will have a higher access level than the supervisory staff. Besides the regular authorization duties, this individual will have the power to temporarily or permanently disable an employee user-id if any suspicion arises. It acts as a controlling measure where another employee with malicious intentions cannot misuse the absent employee’s credentials.
- It is also necessary to permanently disable the accounts of employees who have left the organization. Besides the regular computer nodes, a branch office will have hardware like printers and scanners. AC.1.001 can ensure that employees have access only to the specific printers connected to their official functions. Not every employee needs access to every printer, scanner, and other piece of hardware.
Similarly, AC.1.001 also has provisions whereby the system administrator can disable specific connectivity ports and peripherals such as USB drives, cameras, and other external devices. This ensures that employees cannot transfer data from the official computer systems to unapproved third-party devices.
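The example enterprise above can be modelled as a single access-decision function. The following is an added illustration, not code from the article or from any CMMC guidance: it implements deny-by-default role grants (least privilege), disabled accounts for departed staff, department-scoped devices, and dual authorization for enabling or disabling a user. All roles, names and devices are constructed.

```python
"""Minimal AC.1.001-style access decision (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Role hierarchy: a higher rank may approve actions of a lower rank.
RANK = {"employee": 1, "supervisor": 2, "dept_head": 3}

# Least privilege: every action not explicitly granted to a role is denied.
GRANTS = {
    "employee":   {"read_record", "print"},
    "supervisor": {"read_record", "print", "approve_transaction"},
    "dept_head":  {"read_record", "print", "approve_transaction",
                   "disable_user", "enable_user"},
}
# Account-lifecycle actions need a second, distinct authorizer (Solution-3).
DUAL_AUTH_ACTIONS = {"disable_user", "enable_user"}

@dataclass
class User:
    uid: str
    role: str
    dept: str
    active: bool = True

@dataclass
class Device:
    name: str
    dept: str  # department whose official functions this device serves

def authorize(actor: User, action: str, resource=None,
              approver: Optional[User] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one access request; deny is the default."""
    if not actor.active:
        return False, "account disabled"
    if action not in GRANTS.get(actor.role, set()):
        return False, f"{actor.role} is not granted {action}"
    # Printers and scanners are scoped to the department they serve.
    if isinstance(resource, Device) and resource.dept != actor.dept:
        return False, f"{resource.name} is not assigned to {actor.dept}"
    if action in DUAL_AUTH_ACTIONS:
        # Approver must be a different, active person of supervisory rank or above.
        if (approver is None or approver.uid == actor.uid or not approver.active
                or RANK[approver.role] < RANK["supervisor"]):
            return False, "dual authorization required"
    return True, "ok"

def offboard(user: User) -> None:
    """Departed staff are disabled rather than deleted, so audit history survives."""
    user.active = False
```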
Review Method for Testing AC.1.001
Any organization which wants to achieve the Level 1 practice maturity in access controls (AC) of CMMC must implement the following access control practices:
- AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).
- AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.1.003: Verify and control/limit connections to and use of external information systems.
- AC.1.004: Control information posted or processed on publicly accessible information systems.
Because Level 1 does not assess process maturity, there are no institutionalization requirements. If an organization implements the four practices listed above, it is deemed to perform the access control process at Level 1 maturity.
Thus, an organization implementing AC.1.001 would include practices like basic cyber hygiene. Also, organizations cannot self-assess to apply for DoD contracts. A CMMC third-party assessment organization auditor (C3PAO) must visit the enterprise to provide an outside expert view on their cybersecurity program.
All organizations doing or wanting to do business with the Department of Defense in any way should be compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) as well as NIST SP 800-171.
Implementing AC.1.001 Access Control
Given below are a few tips that small businesses can take to implement the AC.1.001 access control requirement. Although we suggest working closely with a cybersecurity firm, these easy suggestions will guide them in the right direction.
Requirement text: “Limit the access to information systems to authorized users, processes, or devices (which include other information systems), which act on behalf of authorized users.”
- Restrict log-on activity, use strong passwords and PINs.
- Identify the people who can use the organizational systems.
- Create their personal accounts for logging in.
- Educate employees not to share or write their passwords.
- Log out or lock the systems when not in use.
- When an employee leaves the organization, ensure that their accounts are disabled.
Access management is paramount for any organization and is equally applicable to people, processes, and technology. People form the bedrock of any organization, and they become even more critical when it comes to the defense sector. On the other hand, processes and technology pose new challenges as there has been an unprecedented competition amongst nation-states trying to gain technological superiority. Adequate access controls help organizations monitor employees or processes having access to information assets and ensure that they do not get excessive power to abuse the system to the organization’s detriment. Protecting confidential, CUI, and FCI from leaking out in the hands of adversaries is at the core of the intent of the CMMC certification. It helps defense contractors enhance their reputation and capabilities in maintaining the required information security maturity levels. Besides being DFARS compliant, CMMC compliance ensures that you are eligible to bid and maintain Defense business and dramatically enhances your probability of winning.
Start the Road to CMMC Compliance with Hyper Vigilance
Interested in learning more about CMMC and how to start protecting your business? The cybersecurity experts at Hyper Vigilance are ready to help you get started toward becoming CMMC compliant. Learn more about how to get a Readiness Inspection or Contact us today.