What is The Access Control Domain of the D.O.D.’s CMMC?
Previously, we discussed the practices and procedures established for Department of Defense (DoD) contractors, constructed as a way for the DoD to ensure that critical documents, such as Controlled Unclassified Information (CUI), used by contractors and subcontractors are safe in an increasingly cybercrime-filled world. Especially with remote work making network security a challenge, advanced cyber hygiene is necessary for government documents that hold immense value to a malicious actor.
This new framework, the Cybersecurity Maturity Model Certification (CMMC), has several levels of increased cybersecurity measures that will take a network from basic to advanced protection. Within this framework, 17 domains contain the best practices for cybersecurity, which are a means to provide the best protection to contractors’ networks. The 17 domains are referenced in alphabetical order, making the first domain within the framework Access Control.
First a Little about Access Control
Access Control is, as it sounds, the control the network has over those who can access it. The procedure grants or denies access to specific information through identity, authentication, and authorization verification. More specifically, from the Computer Security Resource Center (CSRC) of NIST, an access control system is: “a set of procedures and/or processes, normally automated, which allows access to a controlled area or information to be controlled, in accordance with pre-established policies and rules.”
Image #1: Access Control (AC) is a domain in the D.o.D.’s CMMC. YouAttest provides access reviews to meet the requirements of this domain.

Proper access control acts as a door between any user and the information behind it; some users will have the key, and others will not, based on their level of access for their specific job function. For example, a user who is not within the finance department should not have access to the folders and files of the finance department, so access control is the means to bar unauthorized users from that information.
Limiting Access to Crucial Information
With level one of the DoD CMMC, four basic practices will help create the foundation from which access control can be grown. The practices focus on limiting access to information to authorized users and removing easy access to it. Specifically:
- Limit information system access to authorized users and processes acting on behalf of authorized users or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
As we increase to the next two levels of practices to allow for higher security compliance, we see tighter access control based on the separation of duties and the principle of least privilege, with 18 new practices added to the list. For level three compliance under the CMMC, 22 total practices need to be in place in the access control domain alone.
To help with this process, YouAttest answers the demand of the practices and procedures needed to comply with the CMMC and other security measures. With YouAttest, you can ensure that NIST PR.AC-6 (Principle of Least Privilege) is enforced by enacting triggered privilege escalations and periodic access reviews. These ensure that both system owners (IT) and business owners approve new privileges for the user. By comparing a state-in-time access capture against a snapshot taken at any later time, YouAttest can help to catch occurrences of privilege creep and enforce the Principle of Least Privilege.
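To make the two ideas above concrete, the "door" between a user and information that the finance example describes, and the snapshot-to-snapshot comparison that surfaces privilege creep, here is a small added example. It is illustrative code written for this article, not YouAttest's product or any CMMC tooling; the departments, resources, users and the two entitlement snapshots are all constructed sample data, and the department-to-resource policy is a hypothetical one.

```python
"""Illustrative access review: a least-privilege authorization check plus a
comparison of two entitlement snapshots that flags privilege creep.

Everything below (policy, users, resources, snapshots) is constructed sample
data for the example; it is not a real organization's access model.
"""
from dataclasses import dataclass

# Hypothetical policy: which departments are allowed to reach which resources.
# Anything not listed for a department is denied (default deny).
ALLOWED_BY_DEPARTMENT = {
    "finance": {"finance-share", "erp"},
    "engineering": {"source-repo", "ci"},
    "it": {"source-repo", "ci", "finance-share", "erp", "domain-admin"},
}


@dataclass(frozen=True)
class User:
    name: str
    department: str


@dataclass(frozen=True)
class ReviewFinding:
    user: str
    resource: str
    reason: str


def is_authorized(user: User, resource: str) -> bool:
    """The 'door': a resource is reachable only if the user's department is
    explicitly permitted to use it. A user outside finance therefore cannot
    open finance-share, exactly as the article's example requires."""
    return resource in ALLOWED_BY_DEPARTMENT.get(user.department, set())


def review_snapshots(users, baseline, current):
    """Compare two {user_name: set(resources)} entitlement snapshots.

    Produces findings for:
      (a) entitlements that appeared since the baseline (candidates for
          system-owner and business-owner approval), and
      (b) any current entitlement the policy does not justify, whether new
          or long-standing (privilege creep / excess access).
    """
    findings = []
    for user in users:
        before = baseline.get(user.name, set())
        after = current.get(user.name, set())
        for resource in sorted(after - before):
            findings.append(ReviewFinding(
                user.name, resource, "added since baseline; needs owner approval"))
        for resource in sorted(after):
            if not is_authorized(user, resource):
                findings.append(ReviewFinding(
                    user.name, resource, "not justified by department policy"))
    return findings


# Constructed sample data: two users and two point-in-time captures.
SAMPLE_USERS = [User("alice", "finance"), User("bob", "engineering")]
BASELINE_SNAPSHOT = {"alice": {"finance-share"}, "bob": {"source-repo"}}
CURRENT_SNAPSHOT = {
    "alice": {"finance-share", "erp"},          # new, but justified by policy
    "bob": {"source-repo", "finance-share"},    # new and NOT justified: creep
}


def run_sample_review():
    """Run the review over the constructed snapshots and return the findings."""
    return review_snapshots(SAMPLE_USERS, BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)


if __name__ == "__main__":
    for finding in run_sample_review():
        print(f"{finding.user:6} {finding.resource:14} {finding.reason}")
```

Running the sample yields three findings: alice's new `erp` access is flagged only for owner approval because the finance policy permits it, while bob's new `finance-share` access is flagged both as a new entitlement and as one the policy does not justify. In a real review the second category is the one that should block until a business owner explicitly approves an exception, or the access is removed.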
YouAttest is an automated identity audit tool for your identity and access control resources. Cloud based and simple to use, YouAttest provides a quantified platform for your identity audits. YouAttest will join with Robert Emrich, Jr, a CMMC RP, to review the identity requirements and explain how YouAttest meets the access review requirements in a webinar scheduled for Sep 22nd.