Independent Verification and Validation | SO YOU WANT A CMMC CERTIFICATION (PART FOUR)

30 Mar SO YOU WANT A CMMC CERTIFICATION (PART FOUR)

Posted at 22:41h in Blog by Eva freund

PART FOUR:

The IV&V Group® is preparing to meet the requirements imposed by the CMMC. We are a sub-contractor for a number of federal government contracts. As we make our own way through the CMMC requirements we hope that our understandings, as illustrated below, will help others with their understanding.

There are 17 Domains* and each one has multiple capabilities. Rather than list all of them we have selected one domain and shown how the specific practices required to satisfy that capability vary depending on the desired level of maturity.

Capability – Control internal system access

Level 1:

Limit information system access to the types of transactions and functions that authorized users are permitted to execute

Level 2:

Level 1 practice (see above, Level 1:)
Employ the principle of least privilege, including for specific security functions and privileged accounts
Use non-privileged accounts or roles when accessing non security functions
Limit unsuccessful logon attempts
Use session lock with pattern hiding displays to prevent access and viewing of data after a period of inactivity
Authorize wireless access prior to allowing such connections

Level 3:

Level 1 practice (see above, Level 1:)
Level 2 practices (see above, Level 2:)
Separate the duties of individuals to reduce the risk of malevolent activity without collusion
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
Terminate (automatically) user sessions after a defined condition
Protect wireless access using authentication and encryption
Control connection of mobile devices

Level 4:

Level 1 practice (see above, Level 1:)
Level 2 practices (see above, Level 2:)
Level 3 practices (see above, Level 3:)
Control information flows between security domains on connected systems
Periodically review and update Controlled Unclassified Information (CUI) program access permissions

Level 5:

Level 1 practice (see above, Level 1:)
Level 2 practices (see above, Level 2:)
Level 3 practices (see above, Level 3:)
Level 4 practices (see above, Level 4:)
Identify and mitigate risk associated with unidentified wireless access points connected to the network

*The 17 capability domains are: Access Control; Asset Management; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Recovery; Risk Management; Security Assessment; Situational Awareness; System and Communications Protection; and System and Information Integrity.