Welcome to part 5 of “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems. Today we’re going to continue our discussions on the CMMC domains. Like I said, this is part five, hopefully you’ve already looked at our previous four parts on CMMC, there are 17. If you remember, we discussed identification and authentication last time, but today we’re going to turn our focus to maintenance, also known by the acronym “MA”.

So, remember CMMC is about protecting controlled, unclassified information or CUI, which includes lim-dis – limited distribution, or FOUO – for official use only. So, CUI is the term that we focus in, in on CMMC. So, as a refresher CMMC has five maturity levels with five being the most stringent. All contractors and subcontractors will have to meet the minimum level one requirements for CMMC to compete on these contracts. Prime contractors will need to have a minimum of level three and prime contractors are also going to be responsible for their subs to ensure that they have the appropriate CMMC level certification.

Today on maintenance, we will discuss those different practices and processes associated, uh, with that particular domain. MA has level two and level three requirements, but it does not have level one, four or five requirements. So, we’ll discuss these level two and level three requirements, with MA being focused primarily on the maintenance of all aspects of your systems and network CUI security.

So, MA has four level two practices and controls that you need to know about. The first is about performing maintenance on organizational systems. So, someone in your organization needs to be assigned the responsibility of maintaining your IT systems and networks, so please make sure you designate somebody to do that. That person has to include regular, planned maintenance on those systems – hey you may also have unscheduled maintenance or occasional reconfigurations that pop up and at times you may even have to repair damage to some of your systems, IT and networks.

So, we’re going to discuss all of those and as we go through these different practices and controls, hopefully by now you’re going to start to see how these 17 domains leverage off of each other, as you’ll hear me use terms that I’ve previously discussed on the four other domains, like multi-factor authentication, which we will discuss on an upcoming practice and control. So, in addition to performing the maintenance, you have to keep track of the maintenance that you actually perform. You must track this by asset by asset. This will minimize the potential for having your systems drop offline at critical times or be susceptible to a compromise.

The second practice is about providing controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance. So, when you oversee or perform maintenance activities on your company’s machines, networks, IT, etcetera, it’s possible you could inadvertently introduce some software viruses or bugs into your systems. Mistakes happen, it’s happened to me. Anybody who owns their own personal laptops has some time or another inadvertently loaded software onto their, their computer that has created some sort of a virus or bug or was a virus or a bug or some malicious code that has compromised your system and maybe you had to take it back to Best Buy to get it fixed or somewhere else, maybe you’re able to fix it on your own – these things happen. To prevent this, make sure your maintenance tools are protected from unauthorized access and also confirm that your organization manages and supervises everyone assigned to perform maintenance on your assets. Remember, people can be your biggest security risk even if they do something unintentionally.

The third practice is about requiring multi-factor authentication, MFA, you just heard me talk about that previously, to establish non-local maintenance sessions via external network connections and terminate such connections when your non-local maintenance is complete. This has probably occurred more frequently for you during COVID where much of this work is being done remotely, so this is a very timely and pertinent, uh, practice and process here at level two for maintenance. When you conduct remote, aka non-local maintenance, for your organization you also employ remote access processes. So, once you establish a remote connection using your company’s VPN you will need to log on remotely as well and you’ll probably have to use a one-time passcode and maybe a token that’s usually generated by a token device, multi-factor authentication. You should require both of these to prove that you are the authorized user/maintainers. MFA is critical to protecting unauthorized access.

After you enter the password and passcode, you’ll have access to the maintenance from a remote connection. When you finish, remember to shut down that remote connection – don’t leave it open, that is a vulnerability. This will further protect your systems from compromise and/or attacks.

The fourth practice on your level two for maintenance is supervising the maintenance activities of personnel without required access authorization. So, there may be times when you outsource software that’s on your computer and you have a software provider and they have to come on site to update the software on your company’s machines, IT networks, etcetera.  You should give the individual only a temporary log-on and password and you should minimize the amount of time they’re able to use that temporary log-on and password. Typically, no longer than 12 hours, but however long you think, in discussions with this individual – the software provider, on how long it’s going to take to actually perform that maintenance. This gives them access long enough to perform the update when they are on site. You should remain with them; you should supervise their activities to ensure that they perform only the maintenance activities you directed; trust them, but verify their work.

So, let’s move on to level three maintenance. This has two practices. The first level three practice is about ensuring equipment removed for off-site maintenance is sanitized of any CUI. At the end of the day, you don’t want to send any of your IT offsite to an uncontrolled environment that may have CUI on it, that may inadvertently have spillage because somebody has access to it by doing maintenance on your computer. So, occasionally this will happen – your IT may be moved off-site to a non-secure or not trusted location and because you need repairs and maintenance, uh, to be done on it. This could include your hard drive and your disk drives, maybe copying files over for backup, uh, would be critical to do this as well and protect those copied over files from corruption. This IT may have CUI stored or accessible within it, always assume it does. Again trust, but verify. Trust that you don’t have CUI on it, but verify whether you do or don’t.

After troubleshooting with the repair vendor, they may also recommend some of the hardware, like drives, be replaced. Assume the drives may have CUI just like I said previously. So, when you’re done and get ready to move that drive off-site, you should run software that performs a wipe pattern that removes any data or device protection from the entire drive. Once all the drives have been wiped, you need to document the action and then ship the faulty drive to the vendor that you selected to do the maintenance.

The second and last practice at level three is about checking media containing diagnostic and test programs for malicious code before the media are used in organizational systems. So, maybe you’ve been experiencing performance issues on one of your servers – this happens on your own personal laptops all the time where over time all of a sudden you’re noticing like, “wow it sure took a long time for microsoft word to open up, or powerpoint or excel or just to log on to a website”, you start getting malicious code you start getting other types of, of information stored on your computer that starts slowing it down – oftentimes, unnecessary, uh, information on your computer and you may need to have it cleaned up.

So, after troubleshooting, you or the vendor may ask to install a utility that will collect more data from your server and it may want to download the utility remotely in order to perform some of these assessments and troubleshooting actions. On your desktop, you should open your local antivirus and perform a manual scan of that utility file. After you’ve downloaded it, hopefully the scan reports no issues, then you can conduct the troubleshooting exercise and when you’re done you should run offline the application to ensure it matches what the vendor’s outputs are for that particular application.

So, you want to make sure that after you’ve done all this maintenance, that the application still runs as designed per the manufacturer’s requirements. Do this offline so that you don’t inadvertently find a virus embedded with a downloaded file that could corrupt other systems on your network and then after you’ve done it offline you can go back online and verify that the downloads are safe.

So, those are the six practices for MA for levels two and three. Things you should do, as I say every week: fund your program, fund your CMMC program, fund the security program; become familiar with CMMC in general, and NIST SP 800-171 and 800-53, they’re the core of CMMC; please make sure you read up on those and in our next review we will discuss CMMC practices for media protection or MP.

I look forward to seeing you then and thank you for following through on these domain, uh, surveys that we do so that you become experts on all 17 domains of CMMC, and you too will be certified to be able to bid on contracts as a CMMC level 3 certified OSD auditor and deliverer.

Thank you very much and we’ll see you next time.