CA.2.158 Ongoing Security Assessment (CMMC Level 2)

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Source Discussion

Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance with vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans.

Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.

Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle.

NIST SP 800-53 provides guidance on security and privacy controls for systems and organizations. SP 800-53A provides guidance on developing security assessment plans and conducting assessments.

CMMC Clarification

As organizations implement security controls, they should avoid a “set it and forget it” mentality. The security landscape is constantly changing. Reassess existing controls at periodic intervals in order to validate their usefulness in organizational systems. This will let you determine if the control is still meeting the needs of the organization. Set the assessment schedule according to organizational needs. Consider regulatory obligations and internal policies when assessing the controls.

Typical outputs of the practice include:

  • documented assessment results;
  • proposed new controls, or updates to existing controls;
  • remediation plans; and
  • newly identified risks.

CMMC GUIDE FURTHER DISCUSSION

Avoid a “set it and forget it” mentality when implementing security controls. The security landscape is constantly changing. Reassess existing controls at periodic intervals in order to validate their effectiveness in your environment. Set the assessment schedule according to organizational needs. Consider regulatory obligations and internal policies when assessing the controls.

Outputs from security control assessments typically include:

  • documented assessment results;
  • proposed new controls, or updates to existing controls;
  • remediation plans; and
  • newly identified risks.

This practice, CA.2.158, which ensures that security controls are implemented properly, promotes the effective security assessments of organizational systems required by CA.3.161.

Examples

You are in charge of IT operations in your company. You ensure that security controls are achieving their objectives. After you implement the controls, you monitor their performance. You should perform this review as often as necessary to meet:

  • your organization’s risk planning needs; and
  • any regulations or policies you must follow.

When you assess the controls, document what you find. When you find your controls are not meeting your requirements, you should act and make changes. You can:

  • propose updated or new controls;
  • develop a plan to improve the control; and
  • document new risks that you find.

You should also document these actions.

References

NIST SP 800-171 Rev 1 3.12.1
NIST CSF v1.1 DE.DP-3
NIST SP 800-53 Rev 4 CA-2

AC.1.004 Publicly Posted Information (CMMC Level 1)

Control information posted or processed on publicly accessible information systems.

Source Discussion

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized to access nonpublic information (e.g., information protected under the Privacy Act, FCI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post FCI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

CMMC Clarification

Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public. It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website(s) that can be accessed by the public.

CMMC GUIDE FURTHER DISCUSSION

Do not allow FCI to become public – always safeguard the confidentiality of FCI by controlling the posting of FCI on company-controlled websites or public forums, and the exposure of FCI in public presentations or on public displays [d]. It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information [a,c]. If FCI is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties [e].

Example

You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing it to the public. You allow only certain employees to post to the website.

References

FAR Clause 52.204-21 b.1.iv

NIST SP 800-171 Rev 1 3.1.22

NIST SP 800-53 Rev 4 AC-22

MP.1.118 Media Destruction – Sanitation (CMMC Level 1)

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Source Discussion

This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal.

Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization.

Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing FCI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for federal contract information. NIST SP 800-88 provides guidance on media sanitization.

CMMC Clarification

In this case, “media” can mean something as simple as paper, or storage devices like diskettes, disks, tapes, microfiche, thumb drives, CDs and DVDs, and even mobile phones. It is important to see what information is on these types of media. If there is Federal contract information (FCI)—information you or your company got doing work for the Federal government that is not shared publicly—you or someone in your company should do one of two things before throwing the media away:

  • clean or purge the information, if you want to reuse the device; or
  • shred or destroy the device so it cannot be read.

See NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization for more information.

CMMC GUIDE FURTHER DISCUSSION

“Media” refers to a broad range of items that store information, including paper documents, disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important to know what information is on media so that you handle it properly. If there is FCI, you or someone in your company should either:

  • shred or destroy the device before disposal so it cannot be read [a] or
  • clean or purge the information, if you want to reuse the device [b].

See NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, for more information.

Example

You are moving into a new office. As you pack for the move, you find some of your old CDs in a file cabinet. When you load the CDs into your computer drive, you see that one has information about an old project your company did for the Department of Defense (DoD). Rather than throw the CD in the trash, you make sure that it is shredded.

References

FAR Clause 52.204-21 b.1.vii

NIST SP 800-171 Rev 1 3.8.3

NIST CSF v1.1 PR.DS-3

CERT RMM v1.2 KIM:SG4.SP3

NIST SP 800-53 Rev 4 MP-6

AC.1.003 External/Remote Connections (CMMC Level 1)

Verify and control/limit connections to and use of external information systems.

Source Discussion

External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of FCI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.

Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address, as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.

Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of FCI across an organization, the organization may have systems that process FCI and others that do not. And among the systems that process FCI, there are likely access restrictions for FCI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external to that system.”

CMMC Clarification

Make sure to control and manage connections between your company network and outside networks, such as the public internet or a network that does not belong to your company. Be aware of applications that can be run by outside systems. Control and limit personal devices like laptops, tablets, and phones from accessing the company networks and information. You can also choose to limit how and when your network is connected to outside systems and/or decide that only certain employees can connect to outside systems from network resources.

CMMC GUIDE FURTHER DISCUSSION

Control and manage connections between your company network and outside networks. Outside networks could include the public internet, one of your own company’s networks that falls outside of your assessment boundary (e.g., an isolated lab), or a network that does not belong to your company [c,e]. Tools to accomplish this include firewalls and connection allow/deny lists. External systems not controlled by your company could be running applications that are prohibited or blocked. Control and limit access to corporate networks from personally owned devices such as laptops, tablets, and phones [b,d,f]. You may choose to limit how and when your network is connected to outside systems or only allow certain employees to connect to outside systems from network resources [e].
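The allow/deny lists mentioned above are easiest to reason about as an ordered rule set with a default deny at the end. The following Python is an added illustration of that idea and is not CMMC or NIST text: every network range, port, device identifier and rule is constructed for the example, and the "managed device" check stands in for whatever inventory a company actually keeps. The last function counts denials per device, which is the view a reviewer would want when checking whether personal devices are repeatedly trying to reach company or cloud resources.

```python
"""Ordered allow/deny rule evaluation for connections between the company
network and outside networks, in the style of the firewall and connection
allow/deny lists AC.1.003 mentions. Added illustration, not CMMC or NIST
text; every network, port, rule and device identifier here is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

CORPORATE = ip_network("10.0.0.0/8")            # constructed: assessed company network
ISOLATED_LAB = ip_network("10.250.0.0/16")      # constructed: company-owned, outside the boundary
APPROVED_CLOUD = ip_network("198.51.100.0/24")  # constructed: sanctioned cloud provider
ANY = ip_network("0.0.0.0/0")
COMPANY_DEVICES: Set[str] = {"LT-0042", "LT-0077"}  # constructed inventory of managed laptops


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[Set[int]] = None   # None means any destination port
    managed_only: bool = False         # rule matches only company-managed devices


# First matching rule wins; anything unmatched falls through to the default deny.
RULES: List[Rule] = [
    Rule("lab is outside the assessment boundary", "deny", CORPORATE, ISOLATED_LAB),
    Rule("sanctioned cloud over TLS, managed devices", "allow", CORPORATE, APPROVED_CLOUD,
         ports={443}, managed_only=True),
    Rule("general web from managed devices", "allow", CORPORATE, ANY,
         ports={80, 443}, managed_only=True),
]


def evaluate(src: str, dst: str, port: int, device_id: str) -> Tuple[str, str]:
    """Return (action, rule name) for one connection attempt."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.ports is not None and port not in rule.ports:
            continue
        if rule.managed_only and device_id not in COMPANY_DEVICES:
            continue                   # unmanaged device: this rule does not apply
        return rule.action, rule.name
    return "deny", "default deny"


def denied_by_device(attempts: List[Tuple[str, str, int, str]]) -> Dict[str, int]:
    """Count denials per device; repeated denials from an unmanaged device are
    the signal a reviewer would look for (constructed detection aid)."""
    counts: Dict[str, int] = {}
    for src, dst, port, device in attempts:
        action, _ = evaluate(src, dst, port, device)
        if action == "deny":
            counts[device] = counts.get(device, 0) + 1
    return counts


# Constructed connection attempts: (source, destination, port, device id).
SAMPLE_ATTEMPTS = [
    ("10.1.1.5", "198.51.100.10", 443, "LT-0042"),       # managed laptop to sanctioned cloud
    ("10.1.1.9", "198.51.100.10", 443, "PERSONAL-TAB"),  # personal tablet to the same service
    ("10.1.1.5", "10.250.3.3", 22, "LT-0042"),           # managed laptop into the isolated lab
    ("10.1.1.5", "203.0.113.5", 443, "LT-0042"),         # managed laptop, general web
    ("10.1.1.5", "203.0.113.5", 22, "LT-0042"),          # managed laptop, unapproved port
    ("10.1.1.9", "203.0.113.5", 443, "PERSONAL-TAB"),    # personal tablet, general web
]

if __name__ == "__main__":
    for src, dst, port, device in SAMPLE_ATTEMPTS:
        action, why = evaluate(src, dst, port, device)
        print(f"{device:13} {src} -> {dst}:{port:<4} {action.upper():5} ({why})")
    print(denied_by_device(SAMPLE_ATTEMPTS))
```

Rule order matters: the lab deny sits first so that a later, broader allow cannot reach a network the company has placed outside its assessment boundary, and the personal tablet is denied not by an explicit rule but because no allow rule applies to an unmanaged device.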

Example

You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done. Part of the proposal includes Federal Contract Information or FCI. FCI is information that you or your company get from doing work for the Federal government. Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.

References

FAR Clause 52.204-21 b.1.iii

NIST SP 800-171 Rev 1 3.1.20

CIS Controls v7.1 12.1, 12.4

NIST CSF v1.1 ID.AM-4, PR.AC-3

CERT RMM v1.2 EXD:SG3.SP1

NIST SP 800-53 Rev 4 AC-20, AC-20(1)

AC.1.002 User Access Restrictions (CMMC Level 1)

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Source Discussion

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).

CMMC Clarification

Make sure to limit users/employees to only the information systems, roles, or applications they are permitted to use and that are needed for their jobs.

CMMC GUIDE FURTHER DISCUSSION

Limit users to only the information systems, roles, or applications they are permitted to use and that are needed for their roles and responsibilities [a]. Limit access to applications and data based on the authorized users’ roles and responsibilities [b]. Common types of functions a user can be assigned are create, read, update, and delete.
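The Source Discussion lists the attributes that can qualify an authorization beyond the account's role: time-of-day, day-of-week, point-of-origin and account type (for example, a temporary account with an expiry). The Python below is an added illustration of how those checks combine with create/read/update/delete permissions in a single access decision; it is not CMMC or NIST text, and the roles, networks, accounts and timestamps are constructed to mirror the payroll and shipping example that follows.

```python
"""Access decision for one transaction, combining a role's permitted functions
(create, read, update, delete) with the extra account attributes AC.1.002
names: time-of-day, day-of-week, point-of-origin and account expiry.
This is an added illustration, not CMMC or NIST text; the roles, networks,
accounts and timestamps below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

# Role -> resource -> permitted functions. Constructed policy: only payroll
# staff may touch payroll data, as in the payroll/shipping example.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "payroll_clerk":   {"payroll": {"read", "update"}},
    "payroll_manager": {"payroll": {"create", "read", "update", "delete"}},
    "shipping_clerk":  {"shipping": {"read", "update"}},
}

# Point-of-origin restriction: requests must come from these (constructed) ranges.
APPROVED_ORIGINS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]


@dataclass
class Account:
    name: str
    role: str
    account_type: str = "individual"            # individual, temporary, vendor, ...
    allowed_days: Set[int] = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri
    window_start: time = time(7, 0)             # time-of-day restriction
    window_end: time = time(19, 0)
    expires: Optional[datetime] = None          # set for temporary accounts


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(account: Account, resource: str, function: str,
              when: datetime, origin: str) -> Decision:
    """Evaluate one request; the first failing attribute decides and is reported."""
    if account.expires is not None and when >= account.expires:
        return Decision(False, "account expired")
    if when.weekday() not in account.allowed_days:
        return Decision(False, "outside permitted days")
    if not (account.window_start <= when.time() <= account.window_end):
        return Decision(False, "outside permitted hours")
    if not any(ip_address(origin) in net for net in APPROVED_ORIGINS):
        return Decision(False, "origin not an approved network")
    permitted = ROLE_PERMISSIONS.get(account.role, {}).get(resource, set())
    if function not in permitted:
        return Decision(False, f"role {account.role} may not {function} {resource}")
    return Decision(True, "permitted")


def sample_decisions() -> Dict[str, Decision]:
    """Run constructed scenarios; 2024-03-05 is a Tuesday, 2024-03-09 a Saturday."""
    clerk = Account("alice", "payroll_clerk")
    shipper = Account("bob", "shipping_clerk")
    temp = Account("contractor", "payroll_clerk", account_type="temporary",
                   expires=datetime(2024, 3, 1))
    tue_10am = datetime(2024, 3, 5, 10, 0)
    return {
        "clerk_reads_payroll":   authorize(clerk, "payroll", "read", tue_10am, "10.1.2.3"),
        "shipper_reads_payroll": authorize(shipper, "payroll", "read", tue_10am, "10.1.2.3"),
        "clerk_deletes_payroll": authorize(clerk, "payroll", "delete", tue_10am, "10.1.2.3"),
        "clerk_at_2am":          authorize(clerk, "payroll", "read", datetime(2024, 3, 5, 2, 0), "10.1.2.3"),
        "clerk_on_saturday":     authorize(clerk, "payroll", "read", datetime(2024, 3, 9, 10, 0), "10.1.2.3"),
        "clerk_from_internet":   authorize(clerk, "payroll", "read", tue_10am, "203.0.113.7"),
        "expired_temp_account":  authorize(temp, "payroll", "read", tue_10am, "10.1.2.3"),
    }


if __name__ == "__main__":
    for scenario, decision in sample_decisions().items():
        print(f"{scenario:24} {'ALLOW' if decision.allowed else 'DENY ':5} {decision.reason}")
```

Each denial carries the attribute that failed, which is what an assessor reviewing access logs under CA.2.158 needs in order to tell a role misconfiguration apart from an out-of-hours or off-network attempt.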

Examples

You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.

References

FAR Clause 52.204-21 b.1.ii

NIST SP 800-171 Rev 1 3.1.2

CIS Controls v7.1 1.4, 1.6, 5.1, 8.5, 14.6, 15.10, 16.8, 16.9, 16.11

NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4

CERT RMM v1.2 TM:SG4.SP1

NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17

AC.1.001 Basic Security Requirements (CMMC Level 1)

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Source Discussion

Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems.

Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization.

This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged), are addressed in requirement 3.1.2 (AC.1.002).

CMMC Clarification

Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network.

CMMC GUIDE FURTHER DISCUSSION

Identify users, processes, and devices that are allowed to use company computers and can log on to the company network [a]. Automated updates and other automatic processes should be associated with the user who initiated (authorized) the process [b]. Limit the devices (e.g., printers) that can be accessed by company computers [c]. Set up your system so that only authorized users, processes, and devices can access the company network [d,e,f].

This practice, AC.1.001, controls system access based on user, process or device identity. AC.1.001 leverages IA.1.076, which provides a vetted and trusted identity for access control required by AC.1.001.

Examples

Example 1

You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.

Example 2

A coworker from the marketing department tells you their boss wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.

References

FAR Clause 52.204-21 b.1.i

NIST SP 800-171 Rev 1 3.1.1

CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11

NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4

CERT RMM v1.2 TM:SG4.SP1

NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17

AU ACSC Essential Eight