CMMC Access Control

Access Control is one of the 17 domains under CMMC, each of which requires compliance with its practices. Every contractor looking to comply with CMMC must ensure compliance with each domain. This article covers Access Control in detail.

Introduction to CMMC Access Control Domain

Cybersecurity Maturity Model Certification validates cybersecurity protection measures for companies in the Defense Industrial Base (DIB). The latest version of CMMC encompasses 3 maturity levels. The maturity of the cybersecurity standards increases as you move from Level 1 towards Level 3, and each level covers several domains and practices as laid down by the DoD.

This article touches upon the first domain defined in CMMC 2.0 Level 1: Access Control.  

Access control is one of the foundational aspects of CMMC compliance. If you have an asset, you need to protect it by ensuring that only the right people have access to it, and only for the right amount of time.

We will explore Access Control in depth under the following headings:

What is Access Control? 

The focus of the Access Control domain is on authorized access versus unauthorized access. Access control policies control access between authorized users and the organization's assets.  

As defined in CMMC 2.0, there are four Practices for CMMC Level 1 Access Control and eighteen Practices for CMMC Level 2. At the time of this writing, the DoD is still working on defining Practices for CMMC Level 3.   

Access Privileges

Organizations may define access privileges by account type and other attributes. Examples of account types include individual, shared, group, anonymous, and guest accounts. Examples of other attributes include restrictions on time-of-day, day-of-week, and point-of-origin. Separation of duties and the principle of least privilege address the potential for abuse of authorized privileges and help reduce the risk that a single individual can carry out malicious activity without collusion.
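The attribute-based restrictions described above can be expressed as a deny-by-default decision function. The following is an added example written for this article, not code from the original page or from any CMMC guidance; the role names, privilege strings, the 10.0.0.0/8 origin network, the 07:00 to 19:00 window and the conflicting-role pair are all constructed assumptions. Every condition (account type, separation of duties, day, time, origin, and the least-privilege role map) must pass before access is granted.

```python
"""Attribute-based access decision (added example, not from the article)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Account types named in the text. Anonymous and guest accounts never reach CUI here.
ACCOUNT_TYPES = {"individual", "shared", "group", "anonymous", "guest"}
NO_CUI_TYPES = {"anonymous", "guest"}

# Hypothetical least-privilege role map: each role lists only the privileges it needs.
ROLE_PRIVILEGES = {
    "analyst": {"cui:read"},
    "cui_custodian": {"cui:read", "cui:write"},
    "account_admin": {"account:create", "account:disable"},
    "auditor": {"audit:read"},
}

# Hypothetical separation-of-duties rule: one person may not hold both roles at once,
# so abusing account administration without detection would require collusion.
CONFLICTING_ROLES = [frozenset({"account_admin", "auditor"})]


@dataclass
class Account:
    name: str
    account_type: str
    roles: set = field(default_factory=set)
    # Day-of-week restriction: Monday=0 .. Friday=4 (constructed default)
    allowed_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})
    # Time-of-day restriction: [start, end) in local time (constructed default)
    allowed_window: tuple = (time(7, 0), time(19, 0))
    # Point-of-origin restriction: source networks allowed to present this account
    allowed_origins: list = field(default_factory=lambda: [ip_network("10.0.0.0/8")])


def sod_violations(account: Account) -> list:
    """Return every conflicting-role set that this account holds in full."""
    return [pair for pair in CONFLICTING_ROLES if pair <= account.roles]


def granted_privileges(account: Account) -> set:
    """Union of the privileges of all roles the account holds."""
    return set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in account.roles))


def decide(account: Account, privilege: str, when: datetime, origin: str) -> tuple:
    """Return (allowed, reason). Deny by default; every check must pass."""
    if account.account_type not in ACCOUNT_TYPES:
        return False, "unknown account type"
    if account.account_type in NO_CUI_TYPES:
        return False, "anonymous/guest accounts are not granted privileges"
    if sod_violations(account):
        return False, "separation-of-duties conflict"
    if when.weekday() not in account.allowed_days:
        return False, "outside allowed days"
    start, end = account.allowed_window
    if not (start <= when.time() < end):
        return False, "outside allowed hours"
    if not any(ip_address(origin) in net for net in account.allowed_origins):
        return False, "origin not permitted"
    if privilege not in granted_privileges(account):
        return False, "privilege not granted to any held role"
    return True, "ok"


if __name__ == "__main__":
    alice = Account("alice", "individual", {"analyst"})
    # Tuesday 10:00 from the internal network: allowed
    print(decide(alice, "cui:read", datetime(2024, 3, 5, 10, 0), "10.1.2.3"))
    # Same request at 22:00: denied by the time-of-day restriction
    print(decide(alice, "cui:read", datetime(2024, 3, 5, 22, 0), "10.1.2.3"))
```

The order of checks matters only for the reason reported; any failing check denies. In a real deployment the role map and restrictions would come from the identity provider rather than module constants, but the shape of the decision is the same.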

Session Management

Limiting unsuccessful logon attempts helps prevent potential denial of service. Pattern-hiding displays such as screen savers, session lockout, and terminating a user session after a pre-determined period of inactivity protect your sensitive data, including CUI (Controlled Unclassified Information).
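The two session controls named above, a limit on unsuccessful logon attempts and termination of idle sessions, can be modelled as small state machines. The following is an added example written for this article, not code from the original page; the thresholds (3 failures within 15 minutes, a 15-minute lockout, a 10-minute idle timeout) are constructed assumptions, and the caller supplies the clock as seconds so the behaviour can be checked deterministically. The lockout is deliberately temporary and releases on its own, which is what keeps a lockout control from becoming a way to lock legitimate users out indefinitely.

```python
"""Logon-attempt limiting and idle-session termination (added example)."""
from collections import deque

# Constructed policy values; a real policy would come from the organization's SSP.
MAX_FAILED = 3            # failures tolerated before lockout
FAILED_WINDOW = 15 * 60   # seconds over which failures are counted
LOCKOUT_SECONDS = 15 * 60 # temporary lockout; releases automatically
IDLE_TIMEOUT = 10 * 60    # seconds of inactivity before a session is terminated


class LogonGuard:
    """Tracks failed logons per user and applies a temporary lockout."""

    def __init__(self):
        self._failures = {}      # user -> deque of failure timestamps (seconds)
        self._locked_until = {}  # user -> time at which the lockout releases

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0)

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Record one logon attempt; return 'locked', 'failed' or 'ok'."""
        if self.is_locked(user, now):
            # Do not count attempts during lockout; the window is fixed.
            return "locked"
        history = self._failures.setdefault(user, deque())
        # Forget failures older than the counting window.
        while history and now - history[0] > FAILED_WINDOW:
            history.popleft()
        if credential_ok:
            history.clear()
            return "ok"
        history.append(now)
        if len(history) >= MAX_FAILED:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            history.clear()
            return "locked"
        return "failed"


class SessionTable:
    """Terminates sessions that exceed the inactivity limit."""

    def __init__(self):
        self._last_activity = {}  # session id -> timestamp of last activity

    def open(self, sid: str, now: float) -> None:
        self._last_activity[sid] = now

    def is_active(self, sid: str, now: float) -> bool:
        last = self._last_activity.get(sid)
        return last is not None and now - last < IDLE_TIMEOUT

    def touch(self, sid: str, now: float) -> bool:
        """Extend the session on activity; terminate it if it already idled out."""
        if not self.is_active(sid, now):
            self._last_activity.pop(sid, None)
            return False
        self._last_activity[sid] = now
        return True


if __name__ == "__main__":
    guard = LogonGuard()
    for t in (0, 10, 20):
        print(guard.attempt("alice", False, t))   # failed, failed, locked
    print(guard.attempt("alice", True, 30))       # locked (even with the right password)
    print(guard.attempt("alice", True, 920))      # ok, lockout has released
```

In production `now` would be `time.time()` and the tables would live in a shared store, but the decision logic is unchanged. Note that a correct credential presented during the lockout window is still refused; that is the point of the control.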

Remote Access

Since the COVID-19 pandemic, many organizations have moved to, and continue to maintain, remote staff. Ensuring that remote staff use a properly provisioned VPN, passing through a managed access control point, to connect to organizational information systems preserves confidentiality and integrity. Effective monitoring of these remote access connections helps detect and protect against cyber threats.

Privileged Access

Privileged commands allow individuals to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals cannot execute such commands freely, with the potential to do severe or catastrophic damage to organizational systems.  

Mobile Devices  

Suppose an organization allows its employees to access its information system via mobile devices. In that case, solutions such as Mobile Device Management (MDM) and Mobile Application Management (MAM) can help protect sensitive information. MDM aims to optimize the functionality and security of mobile devices within the enterprise while simultaneously protecting the corporate network. While MDM focuses on protecting the mobile device and its communication with the corporate network, MAM is software that secures and enables IT control over enterprise applications on end users' corporate and personal smartphones and tablets.

Encryption

Additionally, CMMC requires organizations to employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms.

How do you enforce Access Control in your organization?

The domain requirements serve as a boundary between the users and the assets of your organization that are in scope for CMMC. Meeting these requirements is the first step in properly securing your assets and working towards proper access control within your organization.

For CMMC Level 1, organizations should self-assess and comply with the four Practices of the Access Control domain. For CMMC Level 2, organizations will need to dig deeper into all eighteen Practices and ensure compliance through implementation and documentation. Below is some guidance on what to have in place for Level 2:

  • Access control policy  
  • Procedures addressing account management  
  • System Security Plan (SSP)  
  • List of active system accounts and the name of the individual associated with each account  
  • Notifications or records of recently transferred, separated, or terminated employees  
  • List of conditions for group and role membership  
  • System monitoring records  
  • Visitor logs  
  • Restricted areas for CUI storage and handling  

How do you comply with CMMC Access Control requirements?  

Access Control is an important domain built around access privileges. The self-assessment of a CMMC practice, and the assessment performed by a Certified Assessor, result in one of three possible findings: 'MET', 'NOT MET', or 'NOT APPLICABLE'.

Self-Assessment of CMMC Level 1 Practices

To demonstrate CMMC Level 1 compliance, the contractor will need to perform a self-assessment based on the CMMC 2.0 Level 1 Self-Assessment Guide and will need a finding of 'MET' or 'NOT APPLICABLE' on all 17 Level 1 practices, including those in Access Control.

Assessment of CMMC Level 2 and Level 3

To demonstrate CMMC Level 2 or 3 compliance, the contractor will need to undergo a C3PAO or Government audit and will need a finding of 'MET' or 'NOT APPLICABLE' on all 110 Level 2 practices. A contractor can achieve CMMC certification for an entire enterprise network, for one or more particular segments, or for a specific enclave, depending upon the scope of the CMMC assessment.

At any CMMC Level, a finding of 'NOT MET' means you are not compliant.

How does InterSec ensure 100% compliance with CMMC?

InterSec Inc provides advisory, consulting, and Managed Security Services to service providers. We have helped many defense contractors in industries ranging from Professional Services and Health to Manufacturing comply with NIST 800-171, CMMC, FedRAMP, HITECH, and other frameworks. Our team of certified Registered Practitioners and Certified Assessors can help you effectively comply with CMMC.

You may already have some security measures to address the requirements outlined in Access Control, but if you're unsure how they stand up to the latest CMMC 2.0 standards and certification expectations, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process. Complying with these Access Control practices means you're one step closer to the next domain and, even better, a step closer to your CMMC compliance.  

If you need help with CMMC compliance, you can schedule a 30-minute free consultation with our experts.