Are you ready to progress on your Cybersecurity Maturity Model Certification (CMMC) journey? If so, Access Control (AC) is the first domain you must tackle as part of CMMC level 1 requirements. Its practices regulate access between active entities (users or user processes) and passive entities (devices and records). In this post, we continue to break down key information on the next two practices in Access Control, AC.1.003 and AC.1.004, through a CMMC assessment context so you know exactly what to expect.

What is a CMMC Assessment?

A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21).

What is Access Control – AC.1.003?

The third practice of CMMC level 1 in the Access Control domain, AC.1.003, states the requirement to “verify and control/limit connections to and use of external information systems”. This practice discusses external systems, specifically focusing on controlling and maintaining the connection between your company network and external networks and devices.

To briefly define what external systems are, external systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also focuses on your connection to external systems, including the internet in public domains, or a network that does not belong to your company. You need to ensure all of these are regulated and controlled, especially when working with and handling Federal Contract Information (FCI).

To work towards implementing this practice, you need to manage when your company network is accessed externally. This can involve limiting your network access when it is accessed externally, or giving only certain employees permissions to access outside systems using company networks. You need to also make sure that external networks cannot access protected information, so implementing measures to avoid this is important. Having employees work with only company laptops that have been appropriately protected is a great way to ensure that any FCI or organizational information is not at risk of being compromised.

What is Access Control – AC.1.004?

The final practice of CMMC level 1 in the Access Control domain, AC.1.004, states the requirement to “control information posted or processed on publicly accessible information systems”. In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement will focus on organizational systems that are accessible to the public, and the management of the content available on it.

To implement this practice, you have to specially focus on what the public has access to. Ensuring that you have specific individuals authorized to post CUI on publicly accessible networks is the first step. Next, continuously monitoring the information that is posted, and constantly reviewing the information prior to posting it publicly is important. Your goal is to ensure that sensitive information, including FCI, which may include CUI, to never become public, as that poses a serious security risk.

What are AC.1.003 and AC.1.004 Assessment Objectives and Objects?

Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessment objects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals).

  • AC.1.003 assessment objective: You must ensure connections to external systems are identified and verified, the use of external systems is identified and verified, and the connections and uses of external systems are controlled/limited.
  • AC.1.004 assessment objective: Individuals authorized to post or process information on publicly accessible systems and procedures to ensure FCI is not posted or processed on publicly accessible systems are identified. You need to ensure a review process is in place prior to posting of any content to publicly accessible systems, and that content posted is reviewed to verify that it does not contain FCI. If found, have mechanisms to remove and address the improper posting of FCI.

Regarding objects for both practices, a C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements.

What are the Assessment Methods for AC.1.001 and AC.1.002?

Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for AC.1.003 and AC.1.004:

  • Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. For AC.1.003 and AC.1.004, C3PAOs can examine your access control policy, procedures addressing the use of external systems and publicly accessible content, and your system security plan. They can analyze your configuration settings and any documentation related to these settings or your system design. The assessors may also look at your account management documents, system audit logs and records, or security awareness training methods. Inspections on mechanisms implementing terms and conditions of external systems or management of publicly accessible content may also ensue.
  • Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. During an assessment of your access control practices for AC.1.003 and AC.1.004, a C3PAO may interview Personnel with information security responsibilities, system or network administrators, or personnel with responsibilities for defining terms and conditions for use of external systems/managing publicly accessible information.
  • Test: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. All assessment objects that a C3PAO can examine for AC.1.003 and AC.1.004 are susceptible to testing.

How Do I Know if I’m Complying to AC.1.003 and AC.1.004 Practices?

Access control is an important domain that constitutes access privileges. You may already have some security measures in place to address AC.1.003 and AC.1.004 objectives, but you’re unsure how they stand up to an assessment examination or test. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Complying with these Access Control practices means you’re one step closer to the next domain, and even better, a step closer to your CMMC Level 1 certification.