If your organization wants to achieve Cybersecurity Maturity Model Certification (CMMC), you need to understand Access Control.
Not just what it is, but the process. And the mindset. And the preparations. And all the expectations from an audit perspective that you need to be prepared for.
On your path to CMMC, here are some helpful insights on Access Control that will make your journey much more efficient.
Don't want to read the article? Watch the full recording below.
Be sure to register here for the Cybersecurity for the Rest of Us webinar series!
TABLE OF CONTENTS
- CMMC Nomenclature and Assumptions
- CMMC Supplemental Guidance
- Individual Practices
- Mapping Tables
- The Details on NIST 800-53r4/5
- Supplemental Guidance on Individual Access Controls
- How to Stay Organized
- Do You Need Help?
CMMC Nomenclature and Assumptions
Practices vs. controls:
CMMC uses the term “practices” where most frameworks use the term “controls.” There is a collection of 110 practices.
5-level vs. 3-level model
CMMC originally had a five-level model. They're now on CMMC 2.0, which uses a three-level model. (They got rid of levels two and four.)
Certification and self-attestation
Certification and self-attestation come up often. Department of Defense (DoD) decides who has to be certified and who can self-attest.
Plan of Action and Milestones
While DoD allows Plan of Action and Milestones (POA&M), they have not put out any specific guidance on how many (or of what severity) they have to be. So, aim for no POAMs.
CMMC Supplemental Guidance
CMMC has two types of resources—general resources and access control family specific resources— they call supplemental guidance.
Things like FIPs 199, 200 NIST 800-53, even ISO standard 27001, are general resources. You will be referencing them over and over to:
- Define systems.
- Describe what the controls mean.
- Describe the detail behind each control.
The access control family specific resources are the components of each family. In access control, there are cryptographic standards and NIST special publication standards.
The key takeaway here is that, when you look at a control where the practice states a requirement in one or two sentences, it's likely not as simple as those two sentences make it sound.
When you actually look at these documents, they're going to give a lot more detail into the types of situations and scenarios that could arise using the same control. And then you must document and be able to provide evidence of how you're mitigating them.
If you bypass these, you will likely give yourself a much higher score when you do your self-attestation for your initial assessment.
Then, when the time comes to get audited, or when you sign up for one of these programs, when you provide evidence of anything that you've attested to, you're likely going to fall short. And at that point, you really don't want to be behind from a budgetary or timeline perspective.
Above you can see the practices that are found just within access control. And if you were to look at any one of these, they may be very simple.
For example, 3.1.8 limit unsuccessful log on attempt, you could say, "I'm only going to allow three attempts within 15 minutes and then the account locks out, and must be unlocked by an admin." Simple, right?
You're still going to want to reference the supplemental information to make sure they haven't provided guidance, because 171 and CMMC here are not very prescriptive. But when they call out and reference 800-53 and other documents, some of those on some controls are far more prescriptive.
Also, they might have sub-components that have more than just a single thing that you must do. Again, 3.1.8 may seem straightforward, but when you start talking about things like limiting access (3.1.1 and 3.1.2, for example) one of the biggest problems is understanding what's going to come into play afterward? What's within scope?
For example, you may look at your organization and say, "I'm worried about active directory and Microsoft 365. And I'd make sure that I limit at that access, and here's how I do it."
An auditor may walk in and say, "There are 12 other major systems here, you haven't done that." So, while you are satisfying requirements for a particular technology, you are not satisfying them for everything that's within the scope—so you could fail that control.
CMMC Compliance Involves Mapping Tables
You must understand how to map and satisfy 800-171 requirements to other documents to achieve CMMC compliance.
If you're looking at 171, for example (above), it has mapping tables inside of it. Go down to 3.1 and 3.2, and notice that on the left side it's stating that you have access control, AC2, 3 and 17, and it breaks down their names. They are within 853.
So, this is the mapping scheme.
If you were to go look at 800-53, whether it's revision four or the new revision five, you'll see a section on AC2, 3 and 17 that's going to have a lot of requirements. When they break that down, you'll see that there's a lot more to it than the one sentence in 171.
And again, here's where an auditor could come by and say, "You're not meeting the intent of this control, and here's why." They could essentially flag you on missing components.
On the right side (the little red box), you see that not only are they calling out something like access control number six least privilege, but there are two that have parentheses, AC-6(1) and AC-6(5).
These are additional controls—enhancements—that you now must meet, namely all of AC-6 and then two of these enhancements. There could be a list of 10 enhancements, but for this particular practice they only called out two of them.
Nonetheless, if it's mapped, you can expect your auditor to have the same mapping. And when they come in, they're going to want to see that AC-6, AC-6(1) and AC-6(5) being met.
Now in some cases, that may be as simple as whether what you're doing satisfies that across the board for all systems and all processes. If not, you're going to get a score of “Partially Satisfies or “Fails” for that control.
The Details on NIST SP 800-53r4/5
This is the control detail for NIST SP 800-53r4/5. There are two columns (above), but this is all one scrolling column within the 800-53 regulation. You can see that you have to meet A-K.
Now there will invariably be situations where, for specific controls, you go in there and you say, "Well this doesn't apply to me."
For example, if you're in a cloud environment and you're talking about wireless access points, there may be some non-applicable components. After all, where are you putting a wireless access point in a cloud environment?
But an auditor will come in, and while they understand what you're telling them, and they understand your argument and your logic for why you think something should not apply, they still must follow the letter of the law.
If this document is written and says you should be looking for X, Y and Z, auditors are going to come expecting an explanation and evidence of those precise things.
If that occurs, think outside the box a bit. You might find yourself looking at your corporate infrastructure to say, "Well I know I'm being audited on a cloud infrastructure where I can't put a wireless access point … but my corporate environment has them and people could access the corporate environment that way and can use that as a jumping point to the cloud."
Again, while it doesn't make sense from an audit perspective, it's a way for an auditor to check the box so you can both move on with your day.
So, as you're going through these, put some time and energy into anything that you think is not applicable, and make sure you can address it. Don’t bet on the auditor agreeing it’s irrelevant.
Supplemental Guidance on Individual Access Controls
One other thing to know about each control is that, when you look at the family, such as AC access control, and then you look at the actual control (AC2, 3, 4), each one includes supplemental guidance.
This supplemental guidance is to help you understand the control and how it applies to your organization.
But, as you can see (above), supplemental guidance is simply one big paragraph with references to other related controls.
So, it's not as easy as just saying, "I can just read this and know what it means." You may have to read it, go look at some controls, read the supplemental guidance for those, and so on.
How to Stay Organized when Dealing with CMMC and Access Control
One of the biggest challenges you will face is overcoming the hurdle of making sense of all this.
As the person who's responsible for meeting these controls, you must document everything, so you know what you have to do, have a way to reference it quickly, and have a way to record it.
But what if you have 110 controls to meet … and if you're mapping them against 100 or more controls within 800-53 … and each one of those has two, three, five or even 10 sub-bullets with supplemental guidance and then dozens of additional control enhancements?
You might have five, six or eight things that you have to consult, and we're only talking about 800-53. We aren't talking about any of the supplemental guidance, such as FIPS 199 and 200.
How do you document that so that you don't miss anything? This is where your strategy comes into place. A solid access control strategy will clarify your processes and policies, explain and assign tracking, roles and responsibilities.
It also ensures that when you task something to someone and they create a policy or process, they achieve all of the bullets and sub-bullets that are in 800-53 and 171.
Do You Need Help Achieving CMMC Compliance?
There are a lot of moving parts—and tasks—involved in achieving CMMC compliance for access control. How do you know it’s time to look for outside help?
- You're an organization that doesn't have a mature security program that's been evaluated under other frameworks, such as ISO 27001 and FSMA.
- You've never gone through the audit process.
- You don't have somebody on the staff who's really good at diving into controls and the expectations from an auditor.
If that sounds like you, we strongly recommend you get assistance whether from Ntiva or another trusted, expert partner. It's better to invest a bit upfront and do it right, then to keep swinging and missing because the steps weren’t complete.
Your goal is to pass the first time around. Let us know if we can help you with that.