The CMMC Countdown, Part 4
This high-level review of the five-point controls required for a conditional certificate will wrap up the CMMC action plan.
The CMMC Final Rule became effective on December 16, 2024. We will finish reviewing the remaining five-pointers to ensure we can obtain a conditional CMMC certificate if we cannot achieve a 110 score.
CMMC Action Plan continued
PS.L2-3.9.2
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Determine if:
[a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
[b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
[c] the system is protected during and after personnel transfer actions.
Consider creating onboarding, offboarding, and transfer procedures. These procedures should define how all access is revoked upon termination and how some access is granted and revoked during a transfer. For a transfer, personnel should gain access to CUI when they transfer into a role that requires it. Conversely, access to CUI should be revoked when they transfer to a role where CUI access is unnecessary.
PE.L2-3.10.1
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
Determine if:
[a] authorized individuals allowed physical access are identified;
[b] physical access to organizational systems is limited to authorized individuals;
[c] physical access to equipment is limited to authorized individuals; and
[d] physical access to operating environments is limited to authorized individuals
Consider having a separate CMMC environment, as mentioned in previous posts. You could show your access list if you have an access control system, like a badge reader. Consider writing a procedure that describes how the access list is reviewed and updated. Consider maintaining an inventory list of the CUI devices in your CMMC environment and writing a procedure for updating that list. You should be able to leverage your procedures from the AC domain to show how access is granted to these devices. The inventory list should also identify the networking equipment and security systems and how access to them is restricted to the personnel responsible for maintaining them, such as the IT team.
PE.L2-3.10.2
Protect and monitor the physical facility and support infrastructure for organizational systems.
Determine if:
[a] the physical facility where organizational systems reside is protected;
[b] the support infrastructure for organizational systems is protected;
[c] the physical facility where organizational systems reside is monitored; and
[d] the support infrastructure for organizational systems is monitored.
We can show the access logs generated by the access control system identified in PE.L2-3.10.1. If you rely on a physical key and a video system, like Ring, consider creating a key distribution log, filling out the log to check out the key, and collecting the video logs. That way, you can show who is authorized to lock and unlock the door and show video surveillance at the door.
CA.L2-3.12.1
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Determine if:
[a] the frequency of security control assessments is defined; and
[b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
Level 2 certification by a C3PAO is valid for three years, and an annual affirmation of continued compliance must be submitted in SPRS in between. Consider self-assessing one-fourth of the CMMC controls each quarter, or one-third each year, so that every control has been self-assessed after one year or three years, whichever cadence you choose. Define the schedule in the SSP, keep a formal record of each self-assessment, consider having leadership sign it, and document any findings in the POAM.
CA.L2-3.12.3
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Determine if:
[a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
Consider setting up monitoring tools that automatically assess your organization's security posture. You can use tools like Microsoft Defender XDR, Microsoft Intune, Nessus, and Greenbone.
SC.L2-3.13.1
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Determine if:
[a] the external system boundary is defined;
[b] key internal system boundaries are defined;
[c] communications are monitored at the external system boundary;
[d] communications are monitored at key internal boundaries;
[e] communications are controlled at the external system boundary;
[f] communications are controlled at key internal boundaries;
[g] communications are protected at the external system boundary; and
[h] communications are protected at key internal boundaries.
Consider creating a drawing of your organizational network. The external system boundary could be your on-site firewall and the VPN concentrator that remote users connect to. Internal boundaries could be the VLANs that segregate system resources. Monitoring could be syslog events from the firewall and switches sent to a SIEM. Controls could be your firewall rules and network ACLs. Protection could be TLS for application traffic and IPsec or TLS for the VPN; keep in mind that encryption used to protect CUI in transit must come from FIPS-validated cryptographic modules (SC.L2-3.13.11). Consider implementing web content filtering as an additional layer.
SC.L2-3.13.2
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Determine if:
[a] architectural designs that promote effective information security are identified;
[b] software development techniques that promote effective information security are identified;
[c] systems engineering principles that promote effective information security are identified;
[d] identified architectural designs that promote effective information security are employed;
[e] identified software development techniques that promote effective information security are employed; and
[f] identified systems engineering principles that promote effective information security are employed.
Consider documenting the system architecture of your CMMC environment along with a list of security principles and requirements. The principles should describe how changes to the environment will preserve its security posture. The requirements should be testable and verifiable. For example: a cloud service that stores, processes, or transmits CUI must be FedRAMP Moderate authorized or meet the DoD's FedRAMP Moderate equivalency requirements (a SOC 2 Type II report alone does not satisfy this), and a firewall or VPN that encrypts CUI must use a FIPS 140-2 or 140-3 validated cryptographic module, operated in its validated configuration.
SI.L2-3.14.1
Identify, report, and correct system flaws in a timely manner.
Determine if:
[a] the time within which to identify system flaws is specified;
[b] system flaws are identified within the specified time frame;
[c] the time within which to report system flaws is specified;
[d] system flaws are reported within the specified time frame;
[e] the time within which to correct system flaws is specified; and
[f] system flaws are corrected within the specified time frame.
Consider defining a procedure with SLAs. For example, the IT team will:
- Subscribe to the CISA Cybersecurity Alerts & Advisories and the security notification lists of the vendors in your inventory.
- Monitor the inbox where those emails arrive at least twice a week.
- Create a remediation task for any vulnerability that applies to a system in the inventory, recording the date it was identified.
- Correct critical (CVSS 9.0 or higher) vulnerabilities within 30 days and low-severity vulnerabilities within six months, with intermediate deadlines for high and medium.
Write the deadlines down; the assessor will compare the dates on the tasks to the SLA you defined.
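The SLA procedure above is only evidence if you can show, task by task, whether the deadline was met. The following tracker is an added example (not code from this post): it assigns a due date from the CVSS severity band and buckets each task for the [f] check. The SLA table, the advisory identifiers (ADV-...) and the dates are constructed for illustration; substitute your own policy and task list.

```python
"""Flaw-remediation SLA tracker.

Added example (not code from the post): turns an SLA procedure into a check
you can run against your own task list. The SLA table, the advisory
identifiers (ADV-...) and the dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed SLA: days allowed to correct a flaw, by CVSS v3 severity band.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """CVSS v3.x base score -> NVD severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss >= 0.1:
        return "low"
    return "none"


@dataclass
class Flaw:
    ident: str                          # tracking id of the advisory/CVE (constructed here)
    cvss: float
    identified: date                    # day the flaw was triaged as applicable
    corrected: Optional[date] = None    # day the fix was verified, if any


def due_date(flaw: Flaw) -> Optional[date]:
    """Remediation deadline under SLA_DAYS; None when no task is required."""
    days = SLA_DAYS.get(severity(flaw.cvss))
    return None if days is None else flaw.identified + timedelta(days=days)


def sla_report(flaws: List[Flaw], today: date) -> Dict[str, List[str]]:
    """Bucket every flaw so the evidence for SI.L2-3.14.1[f] is one call away."""
    report: Dict[str, List[str]] = {
        "open_overdue": [],   # still open and past its deadline: POAM candidate
        "closed_late": [],    # fixed, but after the deadline: record the miss
        "within_sla": [],     # open and not yet due, or fixed on time
        "no_task": [],        # informational (CVSS 0.0): tracked, no deadline
    }
    for f in flaws:
        due = due_date(f)
        if due is None:
            report["no_task"].append(f.ident)
        elif f.corrected is None:
            report["open_overdue" if today > due else "within_sla"].append(f.ident)
        else:
            report["closed_late" if f.corrected > due else "within_sla"].append(f.ident)
    return report


# Constructed sample task list.
SAMPLE = [
    Flaw("ADV-001", 9.8, date(2025, 1, 1)),                                # critical, open
    Flaw("ADV-002", 5.3, date(2025, 1, 1)),                                # medium, open
    Flaw("ADV-003", 7.5, date(2024, 11, 1), corrected=date(2025, 1, 15)),  # high, fixed late
    Flaw("ADV-004", 3.1, date(2025, 1, 1), corrected=date(2025, 1, 10)),   # low, fixed on time
    Flaw("ADV-005", 0.0, date(2025, 1, 1)),                                # informational
]

if __name__ == "__main__":
    for bucket, ids in sla_report(SAMPLE, date(2025, 3, 1)).items():
        print(f"{bucket:13s} {ids}")
```

Run on the sample with a review date of 2025-03-01, ADV-001 lands in open_overdue (critical, 30 days from 1 January) and ADV-003 in closed_late; those two are what you would carry into the POAM and the monthly review record.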
SI.L2-3.14.2
Provide protection from malicious code at designated locations within organizational systems.
Determine if:
[a] designated locations for malicious code protection are identified; and
[b] protection from malicious code at designated locations is provided.
Install antivirus or EDR software on every machine that stores or processes CUI, and document those machines as the designated locations. Also, consider adding a security subscription to your cloud storage so it performs antivirus scans on the files stored there, since that is another place malicious code arrives.
SI.L2-3.14.3
Monitor system security alerts and advisories and take action in response.
Determine if:
[a] response actions to system security alerts and advisories are identified;
[b] system security alerts and advisories are monitored; and
[c] actions in response to system security alerts and advisories are taken.
Consider subscribing to the CISA Cybersecurity Alerts & Advisories. Your security tools, like Microsoft Defender XDR, might have advisory alerts, but you must configure them. As mentioned, you will want to create remediation tasks to show you are responding to advisories.
AU.L2-3.3.5
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Determine if:
[a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
[b] defined audit record review, analysis, and reporting processes are correlated.
Consider setting up a SIEM and sending all your logs there. The SIEM should provide reports and correlation rules that help detect unwanted activity, for example repeated failed logins followed by a success, or one source failing against many accounts. Review the reports on a schedule and record the review. Consider a monthly review, since quarterly reviews leave too long a gap and weekly reviews may be too frequent to sustain; automated alerts cover the time between reviews.
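To make "correlated" concrete, here is an added example (not from the post, and not any SIEM product's rule language) of two correlations a review should surface, run over constructed sshd-style log lines so it works offline. The addresses are RFC 5737 documentation ranges and the user names are fictitious; the same two rules are what you would write as saved searches in your SIEM.

```python
"""Correlating authentication events for AU.L2-3.3.5.

Added example (not from the post, not a SIEM product's rule language): the
log lines are constructed in an sshd-like format so the logic runs offline.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: RFC 5737 documentation addresses, fictitious users.
LOG = """\
2025-02-03T09:14:01Z srv01 sshd: Failed password for jdoe from 203.0.113.7
2025-02-03T09:14:03Z srv01 sshd: Failed password for jdoe from 203.0.113.7
2025-02-03T09:14:05Z srv01 sshd: Failed password for jdoe from 203.0.113.7
2025-02-03T09:14:06Z srv01 sshd: Failed password for jdoe from 203.0.113.7
2025-02-03T09:14:09Z srv01 sshd: Accepted password for jdoe from 203.0.113.7
2025-02-03T09:20:00Z srv02 sshd: Failed password for asmith from 198.51.100.9
2025-02-03T09:20:02Z srv02 sshd: Failed password for bjones from 198.51.100.9
2025-02-03T09:20:04Z srv02 sshd: Failed password for ckim from 198.51.100.9
2025-02-03T09:20:06Z srv02 sshd: Failed password for dlee from 198.51.100.9
2025-02-03T10:02:11Z srv01 sshd: Failed password for mlopez from 192.0.2.44
2025-02-03T10:02:40Z srv01 sshd: Accepted password for mlopez from 192.0.2.44
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    outcome: str   # "Failed" or "Accepted"
    user: str
    src: str


def parse(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # not an auth event; real logs carry plenty of these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["host"], m["outcome"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5),
              fail_threshold: int = 3, spray_users: int = 3) -> List[dict]:
    """Two correlations a monthly (or automated) review should surface.

    brute_force_success: >= fail_threshold failures for one (user, src)
        inside `window`, then a success from the same source.
    password_spray: one source failing against >= spray_users distinct
        accounts inside `window`.
    """
    findings: List[dict] = []

    # Rule 1: sliding window of failures per (user, src); a success empties it.
    fails: Dict[Tuple[str, str], deque] = defaultdict(deque)
    for e in events:
        q = fails[(e.user, e.src)]
        while q and e.ts - q[0] > window:
            q.popleft()
        if e.outcome == "Failed":
            q.append(e.ts)
        elif len(q) >= fail_threshold:
            findings.append({"rule": "brute_force_success", "user": e.user,
                             "src": e.src, "failures": len(q), "at": e.ts})
            q.clear()

    # Rule 2: distinct accounts failed from one source inside any window.
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.outcome == "Failed":
            by_src[e.src].append(e)
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            users = {x.user for x in evs[i:] if x.ts - first.ts <= window}
            if len(users) >= spray_users:
                findings.append({"rule": "password_spray", "src": src,
                                 "users": sorted(users), "at": first.ts})
                break   # one finding per source is enough for the review
    return findings


if __name__ == "__main__":
    for f in correlate(parse(LOG)):
        print(f)
```

On the sample, jdoe's four failures followed by a success from 203.0.113.7 and the four different accounts tried from 198.51.100.9 are reported; mlopez's single typo before a good login is not. Thresholds and the window are the knobs you tune against your own baseline of normal activity.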
CM.L2-3.4.5
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
Determine if:
[a] physical access restrictions associated with changes to the system are defined;
[b] physical access restrictions associated with changes to the system are documented;
[c] physical access restrictions associated with changes to the system are approved;
[d] physical access restrictions associated with changes to the system are enforced;
[e] logical access restrictions associated with changes to the system are defined;
[f] logical access restrictions associated with changes to the system are documented;
[g] logical access restrictions associated with changes to the system are approved; and
[h] logical access restrictions associated with changes to the system are enforced.
Consider putting networking equipment in a locked networking room only accessible by authorized personnel like the IT team. Also, administrator accounts for the IT team should be created, and permission should only be given to those accounts to make configuration changes.
CM.L2-3.4.6
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Determine if:
[a] essential system capabilities are defined based on the principle of least functionality; and
[b] the system is configured to provide only the defined essential capabilities.
There should be separate regular user accounts and administrator accounts. Everyone gets a regular account with no privileges to modify the CMMC environment; only authorized personnel, like the IT team, get administrator accounts, split between a super administrator who can make any change and limited administrators whose privileges match their job role. Account separation is the access side of this requirement; the capability side is removing or disabling whatever a system does not need to do its job, such as unused roles and features, bundled software, and default services, and recording the resulting baseline so deviations can be spotted.
CM.L2-3.4.7
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Determine if:
[a] essential programs are defined;
[b] the use of nonessential programs is defined;
[c] the use of nonessential programs is restricted, disabled, or prevented as defined;
[d] essential functions are defined;
[e] the use of nonessential functions is defined;
[f] the use of nonessential functions is restricted, disabled, or prevented as defined;
[g] essential ports are defined;
[h] the use of nonessential ports is defined;
[i] the use of nonessential ports is restricted, disabled, or prevented as defined;
[j] essential protocols are defined;
[k] the use of nonessential protocols is defined;
[l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
[m] essential services are defined;
[n] the use of nonessential services is defined; and
[o] the use of nonessential services is restricted, disabled, or prevented as defined.
Consider having software that blocks blacklisted programs, functions, ports, protocols, and services. Another approach is configuring the computer with the bare minimum of programs, functions, ports, protocols, and services. Put restrictions that will require an administrator to approve any modifications.
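Whichever approach you take, the assessor will ask for the list of essential ports and services and for proof that nothing else is listening. The following is an added example (not from the post) that compares the listeners a host reports against an approved baseline for its role. The baseline and the `ss -ltnupH` output are constructed; on a real host, feed the actual command output to `parse_ss()`.

```python
"""Essential-ports baseline check (CM.L2-3.4.7[g]-[i]).

Added example (not from the post): compares what a host is actually
listening on against the approved baseline for its role. The baseline and
the `ss -ltnupH` output below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed baseline: (proto, port) pairs that are essential for each role.
BASELINE: Dict[str, Set[Tuple[str, int]]] = {
    "web": {("tcp", 22), ("tcp", 443)},
    "dns": {("tcp", 22), ("udp", 53), ("tcp", 53)},
}

# Columns of `ss -ltnupH`: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str
    addr: str


def parse_ss(text: str) -> List[Listener]:
    out = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            out.append(Listener(m["proto"], int(m["port"]), m["proc"] or "?", m["addr"]))
    return out


def check_host(role: str, listeners: List[Listener]) -> Dict[str, List[str]]:
    """unexpected = listening but not essential (disable it or document an exception);
    missing = essential but not listening (service down, or the baseline is wrong)."""
    essential = BASELINE[role]
    observed = {(l.proto, l.port) for l in listeners}
    unexpected = sorted(f"{l.proto}/{l.port} ({l.process})" for l in listeners
                        if (l.proto, l.port) not in essential)
    missing = sorted(f"{p}/{n}" for p, n in essential - observed)
    return {"unexpected": unexpected, "missing": missing}


# Constructed `ss -ltnupH` output for a host whose role is "web".
SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      5            0.0.0.0:5900      0.0.0.0:*    users:(("x11vnc",pid=1433,fd=4))
udp   UNCONN 0      0            0.0.0.0:631       0.0.0.0:*    users:(("cups-browsed",pid=655,fd=7))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=701,fd=4))
"""

if __name__ == "__main__":
    print(check_host("web", parse_ss(SS_OUTPUT)))
```

For the sample web host the check flags VNC on tcp/5900 and the CUPS browser on udp/631 as non-essential listeners; each one either gets disabled or becomes a documented, approved exception. Running the same check with the wrong role shows the other failure mode: essential services reported as missing.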
CM.L2-3.4.8
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Determine if:
[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
Blacklisting is the easiest to operate, while whitelisting is the more secure approach because software that was never approved cannot run. Tools like Microsoft Defender XDR can block known-bad software. On Windows, Software Restriction Policies can implement either model, but Microsoft has deprecated them; for new deployments use AppLocker or Windows Defender Application Control (App Control for Business) instead, and keep the list of approved publishers, paths, or hashes under change control so that [b] is documented.
IA.L2-3.5.10
Store and transmit only cryptographically-protected passwords.
Determine if:
[a] passwords are cryptographically protected in storage; and
[b] passwords are cryptographically protected in transit
Consider using an identity provider (IdP), like Microsoft Entra ID, so that it stores and transmits credentials for you: the IdP keeps only salted, slow hashes and authenticates users over TLS. Use SSO via SAML or OpenID Connect so third-party and custom applications never see the password at all. Any custom application that must still store its own passwords should use a salted, iterated hash (such as PBKDF2, bcrypt, scrypt, or Argon2) and accept them only over TLS.
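For the case where a custom application cannot delegate to the IdP, here is an added example (not from the post) of what "cryptographically protected in storage" means in practice: a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification, next to the unsalted fast hash that does not satisfy [a]. It uses only the Python standard library; the record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example.

```python
"""Cryptographically protected password storage (IA.L2-3.5.10[a]).

Added example (not from the post): what an IdP does for you, shown for the
case where a custom application has to store its own credentials. Standard
library only; the record format "pbkdf2_sha256$iter$salt$hash" is an
assumption of this example.
"""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000        # OWASP (2023) minimum for PBKDF2-HMAC-SHA256


def unsalted_md5(password: str) -> str:
    """The anti-pattern: deterministic, unsalted, fast. Same password, same hash,
    so one lookup table cracks every account that shares a password."""
    return hashlib.md5(password.encode()).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash; the returned record is safe to write to a database."""
    salt = os.urandom(16)                      # fresh per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False                           # malformed record, never a match
    if algo != ALGO:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record predates the current policy: rehash on next login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
```

The `needs_rehash()` check is what lets you raise the iteration count later without a forced password reset: verify with the old parameters, then store a new record while the plaintext is still in memory.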
MA.L2-3.7.5
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Determine if:
[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
Ensure that MFA is enforced on remote support tools and on RDP, and that sessions are terminated when the maintenance is complete: configure idle and maximum session timeouts, and have technicians disconnect explicitly rather than leaving sessions open. For SSH, consider allowing it only from a bastion or jump host that itself requires MFA to log in, or configure OpenSSH's AuthenticationMethods to require a key plus a second factor, so the session cannot be opened without one.
MP.L2-3.8.7
Control the use of removable media on system components.
Determine if:
[a] the use of removable media on system components is controlled.
The simplest solution is to block removable media. If removable media is necessary, limit mounting the media to an administrator account.
RA.L2-3.11.2
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
Determine if:
[a] the frequency to scan for vulnerabilities in organizational systems and applications is defined;
[b] vulnerability scans are performed on organizational systems with the defined frequency;
[c] vulnerability scans are performed on applications with the defined frequency;
[d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and
[e] vulnerability scans are performed on applications when new vulnerabilities are identified.
Consider using vulnerability scanning software, like Nessus, and perform vulnerability scans on the operating systems and installed applications. If you are developing CUI software, consider using a vulnerability scanner, such as Snyk, for application libraries, like npm and pip packages.
SC.L2-3.13.5
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Determine if:
[a] publicly accessible system components are identified; and
[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
Create a separate VLAN and subnet for systems that can be accessed from the Internet. Ideally, this network should be separated by a DMZ and/or a firewall and cannot access internal, non-public networks.
SC.L2-3.13.6
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Determine if:
[a] network communications traffic is denied by default; and
[b] network communications traffic is allowed by exception.
The firewall rule set should end with a deny rule that matches everything. The rules before it should allow only specific, documented traffic (protocol, source, destination, and port), and the same deny-by-default stance should apply to outbound traffic, not only inbound.
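Rule ordering is where this control is usually lost: an allow-any placed early, or a missing final deny, makes everything after it moot. The following is an added example (not from the post, and not any firewall vendor's syntax) of a first-match evaluator with a lint pass that reports exactly those mistakes. The rules, addresses (RFC 5737 and RFC 1918 ranges) and test packets are constructed for a small CUI enclave.

```python
"""Deny-all, permit-by-exception rule sets (SC.L2-3.13.6).

Added example (not from the post, not a vendor's rule syntax): a first-match
evaluator plus the checks an assessor's question translates to. Rules,
addresses and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" | "deny"
    proto: str = ANY             # "tcp" | "udp" | "any"
    src: str = ANY               # CIDR or "any"
    dst: str = ANY
    dport: Optional[int] = None  # None = any port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        def in_net(cidr: str, ip: str) -> bool:
            return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
        return (self.proto in (ANY, proto)
                and in_net(self.src, src) and in_net(self.dst, dst)
                and (self.dport is None or self.dport == dport))

    def is_catch_all(self) -> bool:
        return self.proto == ANY and self.src == ANY and self.dst == ANY and self.dport is None


def decide(rules: List[Rule], proto: str, src: str, dst: str,
           dport: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match falls through to an implicit deny."""
    for i, r in enumerate(rules):
        if r.matches(proto, src, dst, dport):
            return r.action, i
    return "deny", None


def lint(rules: List[Rule]) -> List[str]:
    """Findings that would cost you SC.L2-3.13.6[a] or [b] in an assessment."""
    problems = []
    if not rules or rules[-1].action != "deny" or not rules[-1].is_catch_all():
        problems.append("last rule is not an explicit deny-any")
    for i, r in enumerate(rules):
        if r.action == "allow" and r.is_catch_all():
            problems.append(f"rule {i}: allow-any defeats deny-by-default")
        if r.is_catch_all() and i != len(rules) - 1:
            problems.append(f"rule {i}: catch-all shadows {len(rules) - i - 1} later rule(s)")
    return problems


# Constructed rule set for a small CUI enclave.
GOOD = [
    Rule("allow", "tcp", ANY, "10.0.1.5/32", 443),            # public web front end
    Rule("allow", "udp", "10.0.0.0/8", "10.0.1.10/32", 53),   # internal DNS only
    Rule("allow", "tcp", "10.0.2.0/24", "10.0.1.0/24", 22),   # admin jump subnet
    Rule("deny"),                                             # explicit default
]
BAD = [Rule("allow", "tcp", ANY, "10.0.1.5/32", 443)]          # no final deny

if __name__ == "__main__":
    print(lint(GOOD), lint(BAD))
    print(decide(GOOD, "tcp", "203.0.113.9", "10.0.1.5", 22))   # ('deny', 3)
```

Relying on the implicit deny (the `("deny", None)` result for `BAD`) is what the lint flags: most platforms do deny unmatched traffic, but an explicit final rule is what you can point to, and what gets logged.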
SC.L2-3.13.15
Protect the authenticity of communications sessions.
Determine if:
[a] the authenticity of communications sessions is protected.
All web traffic should use HTTPS with a certificate that clients validate; do not let anything accept or send plain HTTP. VPN traffic should be protected by TLS or IPsec, with the VPN gateway presenting a validated certificate so users cannot be redirected to an impostor endpoint. Session authenticity also covers the session itself: protect session tokens and cookies (Secure and HttpOnly flags, a new token after login) so an attacker cannot hijack an established session.
SI.L2-3.14.4
Update malicious code protection mechanisms when new releases are available.
Determine if:
[a] malicious code protection mechanisms are updated when new releases are available.
Your antivirus software should check for updates at least daily, though hourly is better, and install them automatically.
SI.L2-3.14.6
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Determine if:
[a] the system is monitored to detect attacks and indicators of potential attacks;
[b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
[c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
Consider using a combination of SIEM, MDR, and XDR to analyze your logs and detect potential threats and attacks.
Before you go
Wishing you much success in your CMMC certification journey.
Sign up for my mailing list at https://miguelacallesmba.medium.com/subscribe