30 Mar SO YOU WANT A CMMC CERTIFICATION (PART FOUR)
PART FOUR:
The IV&V Group® is preparing to meet the requirements imposed by the CMMC. We are a sub-contractor on a number of federal government contracts. As we make our own way through the CMMC requirements, we hope that our understanding, as illustrated below, will help others with theirs.
There are 17 domains*, and each one has multiple capabilities. Rather than list all of them, we have selected one capability from one domain and shown how the specific practices required to satisfy that capability vary depending on the desired level of maturity. Each level includes all of the practices of the levels below it.
Capability – Control internal system access
Level 1:
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute
Level 2:
- The Level 1 practice (see above)
- Employ the principle of least privilege, including for specific security functions and privileged accounts
- Use non-privileged accounts or roles when accessing non-security functions
- Limit unsuccessful logon attempts
- Use session lock with pattern-hiding displays to prevent access to and viewing of data after a period of inactivity
- Authorize wireless access prior to allowing such connections
Level 3:
- The Level 1 practice (see above)
- The Level 2 practices (see above)
- Separate the duties of individuals to reduce the risk of malevolent activity without collusion
- Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
- Automatically terminate user sessions after a defined condition
- Protect wireless access using authentication and encryption
- Control connection of mobile devices
Level 4:
- The Level 1 practice (see above)
- The Level 2 practices (see above)
- The Level 3 practices (see above)
- Control information flows between security domains on connected systems
- Periodically review and update Controlled Unclassified Information (CUI) program access permissions
Level 5:
- The Level 1 practice (see above)
- The Level 2 practices (see above)
- The Level 3 practices (see above)
- The Level 4 practices (see above)
- Identify and mitigate risk associated with unidentified wireless access points connected to the network
*The 17 capability domains are: Access Control; Asset Management; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Recovery; Risk Management; Security Assessment; Situational Awareness; System and Communications Protection; and System and Information Integrity.