Source: Barbara Wert, Sr. Regulatory Compliance Specialist
In November 2021, FoxGuard provided an introduction to CMMC 2.0 (Current State of CMMC). One of the notable changes mentioned was the removal of extra controls in CMMC, leaving the revised framework perfectly aligned with FAR 52.204-21 and NIST SP 800-171/172.
Throughout 2022 FoxGuard will be taking a closer look at the FAR controls that make up CMMC 2.0 Level 1 (Foundational), and the NIST SP 800-171 domains in Level 2 (Advanced).
A Brief Look at the FAR
The Federal Acquisition Regulation (FAR) applies to certain purchases made by U.S. executive branch agencies, and provides policies and procedures related to contracts, subcontracts, and payments to contractors. Often a Federal contract or subcontract will include a list of FAR clauses that must be in place if an organization is to supply the requested goods or service for the specified Federal agency.
One such clause that will be in every applicable Federal contract and subcontract is FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems (Formally “48 CFR § 52.204-21”). This clause specifies the minimum controls that must be in place to provide for “adequate security” of Federal Contract Information.
Federal Contract Information (FCI) is information that is:
• Not intended for public release.
• Provided or generated for the Government under a contract to deliver a product or service to the Government.
Some examples of FCI include the contract document, progress reports, process documentation, and potentially the proposal information provided by a potential supplier. FCI might be present in formal documents, presentations, or e-mails and other correspondence.
Systems that are owned or operated by contractors and process, store, or transmit FCI are called “Covered Contractor Information Systems” (hereinafter “CCIS”).
Basic Safeguarding Controls
The controls in the FAR 52.204-21 clause primarily pertain to essential functions for minimizing the risk of unauthorized access to information that needs to be protected, such as FCI.
Physical access control methods include locks on doors, badge entry to restricted areas, surveillance cameras, and possibly security guards for critical areas.
viii. Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
ix. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
Network Access (or “Information System Access”) is a bit more complex. This set of controls in FAR 52.204-21 pertains to allowing only a defined set of people to see and/or process information in a particular system.
i. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
ii. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
iii. Verify and control/limit connections to and use of external information systems.
iv. Control information posted or processed on publicly accessible information systems.
v. Identify information system users, processes acting on behalf of users, or devices.
vi. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
To achieve information system access control, an organization needs to define which roles or individuals need the information, and at what level they should be given access (viewing or editing). Once this information is defined for the system, the access control model can be chosen. The three main models of access control include:
• Discretionary Access Control (DAC) – This model assigns access rights according to specified rules, uses Access Control Lists (ACLs) and capability tables, and is managed on an individual-user basis.
• Role-based Access Control (RBAC) – RBAC (also called “Non-Discretionary Access Control”) requires a system administrator to assign access rights based on organizational roles rather than individual identities. Organizations using RBAC often require a manager to authorize access before the system administrator grants it to a user.
• Mandatory Access Control (MAC) – Just as it sounds, MAC is a much stricter access control system, and is often utilized by government entities. Multiple levels of security and specific classifications are assigned to systems, groups, and users.
Multiple technologies can be implemented to work in concert for a robust level of access control, starting from the Gateway level, to the Firewall, to SaaS applications, to traditional Active Directory management and GP (group policy). Multifactor authentication (for example: a log-in and a randomly generated code) can be used to enhance security.
Whatever models and methods are chosen, access control is a core component in an organization’s information security architecture. Once the methods are implemented, they must be kept current for continued effectiveness against would-be bad actors.
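As an added illustration (not FoxGuard's code), the same "view" and "edit" requests evaluated under each of the three models above: a DAC object whose owner controls its ACL, an RBAC store where the administrator can only assign a role a manager has first authorized, and a MAC check that compares fixed labels. All users, roles and labels are constructed for the example.

```python
# Added example: DAC, RBAC and MAC decisions side by side. Names are made up.
from dataclasses import dataclass, field

# --- Discretionary: the object's owner decides who may view or edit it ------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of rights

    def grant(self, actor: str, user: str, right: str) -> bool:
        # Discretion lies with the owner; anyone else is refused.
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(right)
        return True

    def allowed(self, user: str, right: str) -> bool:
        return user == self.owner or right in self.acl.get(user, set())

# --- Role-based: rights hang off roles; assignment needs manager sign-off ---
ROLE_RIGHTS = {"viewer": {"view"}, "editor": {"view", "edit"}}

class Rbac:
    def __init__(self) -> None:
        self.roles = {}            # user -> set of roles
        self.authorized = set()    # (user, role) pairs a manager has approved

    def manager_authorize(self, user: str, role: str) -> None:
        self.authorized.add((user, role))

    def admin_assign(self, user: str, role: str) -> bool:
        # The administrator may only assign what a manager already authorized.
        if (user, role) not in self.authorized:
            return False
        self.roles.setdefault(user, set()).add(role)
        return True

    def allowed(self, user: str, right: str) -> bool:
        return any(right in ROLE_RIGHTS[r] for r in self.roles.get(user, ()))

# --- Mandatory: fixed classification levels; no user or owner can override --
LEVELS = {"unclassified": 0, "fci": 1, "cui": 2}

def mac_allowed(user_clearance: str, obj_label: str, right: str) -> bool:
    u, o = LEVELS[user_clearance], LEVELS[obj_label]
    # Read only at or below one's clearance; write only at or above it,
    # so data cannot flow from a higher label to a lower one.
    return u >= o if right == "view" else u <= o
```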
There are a number of methods that can be used to wipe data from system media (DVDs, removable hard drives, flash drives, memory cards, etc.), if that media is ready to be disposed of or re-purposed, thus ensuring that sensitive information is not inadvertently put into the wrong hands.
vii. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Here is a brief overview of several methods recommended by the National Institute of Standards and Technology (NIST), which defines sanitization as “the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed”.[1]
• Clear – A level of media sanitization that protects the confidentiality of information against a strong keyboard attack, wherein retrieval of the information could not be achieved through keystrokes. Overwriting is an example of clearing, and the process should include verification that the protected information is no longer present on the media.
• Purge – A media sanitization method to protect against laboratory attack, which would involve the use of nonstandard systems to conduct data recovery attempts on media outside their normal operating environment. Degaussing is an acceptable method for purging.
• Destroy – This is the ultimate form of sanitization, and can be done by disintegration, incineration, pulverizing, shredding, or melting.
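An added example (not FoxGuard's or NIST's code) of the "clear" step described above: a single fixed-pattern overwrite of a file's contents, flushed to the device, followed by the verification read-back that the original data is gone. The sample file and its contents are constructed inline.

```python
# Added example: overwrite-and-verify at file level. The sample data is made up.
import os
import tempfile

PATTERN = b"\x00"        # one fixed-pattern pass
BLOCK = 64 * 1024        # write in 64 KiB chunks

def overwrite_file(path: str) -> int:
    """Overwrite every byte of the file in place; returns the byte count written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            chunk = min(BLOCK, size - written)
            f.write(PATTERN * chunk)
            written += chunk
        f.flush()
        os.fsync(f.fileno())   # push past the page cache to the device itself
    return written

def verify_cleared(path: str, original_sample: bytes) -> bool:
    """Read back: every byte must be the pattern and the sample must not appear."""
    with open(path, "rb") as f:
        data = f.read()
    return all(b == PATTERN[0] for b in data) and original_sample not in data

def clear_and_verify(path: str, sample: bytes) -> bool:
    overwrite_file(path)
    return verify_cleared(path, sample)

def demo() -> bool:
    # Constructed stand-in for FCI written to a temporary file, then cleared.
    secret = b"CONTRACT-PROGRESS-REPORT-Q2 " * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    try:
        return clear_and_verify(path, b"CONTRACT-PROGRESS-REPORT")
    finally:
        os.remove(path)
```

Overwriting a file this way only addresses the blocks the filesystem currently maps to it; journal entries, snapshots, and flash wear-levelling copies are outside its reach, which is why NIST SP 800-88 applies clearing to the whole medium rather than individual files.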
Protecting the Information System
Access control is vital for ensuring only the correct users have the right to view or edit certain information; and, system controls are required to ensure only the permitted information enters or exits the system. Just as our offices, data centers, and manufacturing facilities have doors, fences and gates, and proper protocol is required to enter or exit, enterprise IT networks and systems have boundaries that must be protected.
x. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
xi. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Edge routers, firewalls, web proxy servers and other software systems can be used to protect the system’s boundaries. Subnetworks, or demilitarized zones (DMZs), are physically or logically separated from internal networks, thus providing the segregation needed to ensure the protected information is not accidentally made available to the public or unauthorized users. Layer-3 switches provide virtual local area network (VLAN) design and configuration to further segregate subnetworks.
xiii. Provide protection from malicious code at appropriate locations within organizational information systems.
xiv. Update malicious code protection mechanisms when new releases are available.
Malicious code is code that is intended to cause undesired effects, security breaches, or damage to a system.[2] Examples of malicious code include viruses, worms, and malicious data files. Anti-virus programs and technologies can be used to protect systems from malicious code.
The following actions are recommended:
• Install and maintain antivirus software (servers and end users)
• Train end-users to exercise caution with links and attachments in e-mail
• Block pop-up advertisements
• Exercise caution when allotting permissions with local administrative rights
• Disable external media (flash drives) if possible
• Enforce strong password policies
• Regularly maintain and update antivirus and antimalware software
• Always backup data
• Provide periodic awareness to remind end-users to ask questions if anything suspicious is noted
• Avoid social and public Wi-Fi on organizational systems
• Enable OS firewall/defender
xv. Perform periodic scans of the information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
Vulnerability scanning tools help to bring to light security weaknesses in network systems. Types of vulnerability assessment scans include network-based scans, host-based scans, wireless scans, application scans, and database scans. Scans can be conducted from within an organization as well as externally, to help organizations identify vulnerabilities that a bad actor could use to gain access to its networks.
A real-time scan is performed each time a file is received, downloaded, or opened. If no risk is detected in the file, users can successfully access the information; however, if a risk is detected, a detailed message is displayed to warn the user of the specific security risk.
xii. Identify, report, and correct information and information system flaws in a timely manner.
Flaws are generally security vulnerabilities in software and operating systems. Vigilant monitoring is required to spot flaws in a timely manner, and immediate action should be taken to contain the endangered information and correct the flaw so as to prevent recurrence. Security updates and patches are useful tools for remediating vulnerabilities.
If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.
FoxGuard’s services will help you save time and money in your journey towards FAR, NIST, and CMMC compliance by helping to accurately evaluate the type of protected information your organization handles, identify where the information resides, and create a customized and streamlined solution for effective and thorough protection of that information.
Please visit http://foxguardsolutions.com/cmmc/ for more information.
[1] NIST SP 800-88 – Guidelines for Media Sanitization