Are you prepared to continue to progress on your Cybersecurity Maturity Model Certification (CMMC) journey? The second domain in the CMMC Level 1 requirements is Identification and Authentication. Its primary focus lies on granting access to authenticated entities, as well as verifying the identify of those entities. In this post, we will build on our knowledge of the domains and practices of Level 1, continuing our discussion with the second practice of Identification and Authentication, IA.1.077, which is all about authenticating and verifying entities.  

What is a CMMC Assessment? 

A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21). 

What is Identification and Authentication – IA.1.077? 

The second practice in the Identification and Authentication domainIA.1.077 has a requirement to “Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems”. It builds on the previous practice, IA.1.076, which focused on identifying said users, processes, and devices. The approach to understanding this is quite simple, you need to verify or authenticate every user, process, or device BEFORE access is granted to any system or sensitive information. Another focus on this requirement will be on “Authenticator management”, which is where you issue and revoke access as needed, especially if it is on a provisional basis. 

The first approach to addressing the requirements for this practice is to establish authentication systems on your organizational systems, devices, and processes, which is done through assigning unique identifiers as discussed in the previous practice (i.e., usernames). This has to be coupled with a hard-to-guess password, and your organization should have set standards to dictate what these passwords areNew devices usually have no passwords or default username and passwords, so the first step should always be to change that information immediately. You also need to moderate the access, ensuring only the proper information is accessible by the entity accessing your system. Revoking access, as aforementioned, when it is no longer required will also be an important step towards achieving the requirements for this practice. 

What are the IA.1.077 Assessment Objectives and Objects? 

Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessment objects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals). 

IA.1.077 assessment objectives: The identity of each user is authenticated or verified as a prerequisite to system access, the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access, and the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access .

IA.1.077 assessment objects: A C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements.  

What are the Assessment Methods for IA.1.077? 

Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for IA.1.077: 

Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. For IA.1.077, C3PAOs might examine Identification and Authentication policy, list of system authenticator types, or change control records associated with managing system authenticators.

Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. While interviewing or achieving clarification for the IA.1.077 practice, a C3PAO might interview personnel with information security responsibilities, personnel with account management responsibilities, or your system administrators.

Test: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. All assessment objects that a C3PAO can examine for IA.1.077 are susceptible to testing, as well as organizational processes for uniquely identifying and authenticating users. 

How Do I Know if I’m Complying to the IA.1.077 Practice?

Identification and Authentication is a domain that builds upon the concepts of Access Control, and establishes some more specifics that require attention. You may already have made progress and set measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be wary of what C3PAO’s might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you better your standing towards compliance, and take you one step forward in achieving CMMC Level 1 certification.