Are you prepared to continue to progress on your Cybersecurity Maturity Model Certification (CMMC) journey? The fifth domain in the CMMC Level 1 requirements is System and Communications Protection. The primary focus of this practice is to establish system access requirements. In this post, we will build on our knowledge of the domains and practices of Level 1, with a focus on the second practice in System and Communications Protection, SC.1.176.
What is a CMMC Assessment?
A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21).
What is System and Communications Protection – SC.1.176?
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged), are addressed in requirement 3.1.2 (AC.1.002).
What are the SC.1.176 Assessment Objectives and Objects?
Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine whether a practice is satisfied. Assessment objects specify the items that a C3PAO assesses (e.g., mechanisms, activities, and individuals).
SC.1.176 assessment objectives: Publicly accessible system components are identified. Subnetworks for publicly accessible system components are physically or logically separated from internal networks.
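The two objectives above can be checked against an inventory and a firewall policy before an assessor does. The script below is an added example, not part of the original post or of any CMMC guidance; the inventory, subnet plan and firewall rules are constructed and the zone names are assumptions.

```python
import ipaddress

# Constructed inventory (not a real environment): each component's address
# and whether it is reachable from the public internet.
INVENTORY = [
    {"name": "www-1",    "ip": "203.0.113.10", "public": True},
    {"name": "mail-gw",  "ip": "203.0.113.11", "public": True},
    {"name": "erp-app",  "ip": "10.10.20.5",   "public": False},
    {"name": "file-srv", "ip": "10.10.20.6",   "public": False},
    {"name": "kiosk",    "ip": "10.10.20.40",  "public": True},  # public host on the internal subnet
]

# Constructed network plan: subnet -> zone label (assumed zone names).
SUBNETS = {
    "203.0.113.0/24": "dmz",
    "10.10.20.0/24": "internal",
}

# Constructed firewall policy: allowed (source zone, destination zone, port); port 0 means any.
ALLOWED_FLOWS = {
    ("internet", "dmz", 443),
    ("dmz", "internal", 1433),   # narrow, documentable exception
    ("dmz", "internal", 0),      # blanket rule that removes the logical separation
}

def zone_of(ip):
    """Map an address to its zone from the subnet plan, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for cidr, zone in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "unknown"

def identify_public_components(inventory):
    """Objective 1: every component marked publicly accessible."""
    return [c["name"] for c in inventory if c["public"]]

def find_separation_gaps(inventory, allowed_flows):
    """Objective 2: public components outside the DMZ zone, plus any
    any-port DMZ -> internal rule, which defeats the separation."""
    gaps = []
    for c in inventory:
        zone = zone_of(c["ip"])
        if c["public"] and zone != "dmz":
            gaps.append(f"{c['name']} is public but sits in zone '{zone}'")
    for src, dst, port in sorted(allowed_flows):
        if src == "dmz" and dst == "internal" and port == 0:
            gaps.append("firewall allows dmz -> internal on any port")
    return gaps
```

Every line in the returned gap list is something an assessor would raise against the second objective; an empty list is the evidence you want to keep alongside the network diagram.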
SC.1.176 assessment objects: A C3PAO can assess document-based artifacts associated with your system; hardware, software, or firmware safeguards; protection-related actions supporting your system that involve people; and any other personnel related to these elements.
What are the Assessment Methods for SC.1.176?
Assessment methods define the nature and extent of assessors' actions (e.g., examining, interviewing, and testing). They are outlined below for SC.1.176.
Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. For SC.1.176, a C3PAO may examine the System and Communications Protection policy; procedures addressing boundary protection; the system security plan; the list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; and system configuration settings and associated documentation.
Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. A C3PAO may interview system or network administrators, personnel with information security responsibilities, system developers, and personnel with boundary protection responsibilities.
Inspect: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. The assessment objects that a C3PAO can examine for SC.1.175 are the mechanisms implementing the boundary protection capability.
How Do I Know if I'm Complying with the SC.1.176 Practice?
System and Communications Protection is a domain that builds upon the concepts of Access Control and establishes further specifics that require attention. You may already have made progress and put measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be unsure of what C3PAOs will assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can improve your standing towards compliance and take you one step closer to achieving CMMC Level 1 certification.