Welcome, everybody, to part 13 of “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems, and today we will continue our discussion of those 17 CMMC domains as we help you in your efforts to be CMMC ready. If you remember, we discussed situational awareness last time.
Today we will discuss systems and communications protection, or SC for short. Remember, CMMC is about protecting controlled unclassified information, or CUI, which includes lim-dis (limited distribution) and FOUO (for official use only).
So, where are we in our journey through these 17 CMMC domains? Let’s catch everyone up: we’ve already completed 12 domains. If you missed any, please go back and take a look at the vlogs that were previously posted to get caught up. All these domains connect and relate to each other; they are complementary. So, as we move on, it is important to think in those terms and get that overall understanding of these domains in that context.
So, as a refresher, CMMC, the Cybersecurity Maturity Model Certification, has five levels, with five being the most stringent. Contractors and subcontractors will all need to have a minimum of level one, but prime contractors will need a minimum of level three.
SC has two level one, two level two, and fifteen level three practices that we will discuss today. The SC domain contains 27 practices overall, making it the largest domain in the CMMC framework. Today we will address only the first three CMMC levels, encompassing 19 practices, and we will focus on two capabilities: defining security requirements for systems and communications, and controlling communications at system boundaries.
Let’s look at the two level one requirements. The first practice requires you to monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of information systems. You should set up the network for your company with the goal of keeping the company’s information and resources safe. You will need a router with a built-in firewall; a router is a hardware device that routes data from a local area network to another network connection. Make sure you configure it to limit access to trustworthy sites, and guess what, some of your co-workers will probably complain that they can’t get access to certain websites they previously visited. Assure them that you understand that, but that some of those websites are blocked because they are known for spreading malware or other malicious code that could damage your network.
The second level one practice requires you to implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. So you may need a public website. Use a router and a firewall to create a DMZ. To do this, host the server separately from the company’s internal network and make sure the network has the correct firewall security rules. Public access can then be provided safely while keeping your company’s internal network protected.
Okay, let’s move on to level two practices. The first practice requires you to prohibit remote activation of collaborative computing devices and provide an indication of devices in use to users present at the device. During COVID you may have found that you need remote collaboration using cameras and microphones connected to your computers. To prevent the misuse of these devices, disable the ability to turn on cameras or microphones remotely on all devices, and use a tool to alert users when their cameras or microphones are turned on. Although remote activation is blocked, this enables them to see if the devices were actively and remotely turned on. By doing this you reduce the likelihood of someone being able to turn on these devices and listen to or view what your employees are working on. Of course there’s the old-fashioned way of just taping over the camera; there are also things you can buy that just slide over your camera to keep it secure without using any of the computer technology at all. You may have noticed this same technology creeping into your cell phones. Apple does that; I have an Apple phone and they now have indicators to let you know that your microphone and/or camera are activated, a great device, so you know if you turned it on or somehow it got turned on by somebody else.
The last level two practice requires you to use encrypted sessions for the management of network devices. You may have to access devices over the network instead of at the device’s physical location. When you establish a connection to these devices, use a Secure Shell (SSH) connection to protect your network.
Okay, so those are the level one and level two practices. Let’s move on to level three. Level three has 15 practices, so buckle up; this will take us a little while to go through, but it is well worth it. The first level three practice entails employing FIPS-validated cryptography when it is used to protect the confidentiality of CUI. So deploy encryption on all devices that contain CUI for your organization, and ensure that the encryption you use on the devices is Federal Information Processing Standards (FIPS) validated cryptography. If you need to carry a large volume of CUI off-site, and occasionally you will have to do that, you should use whole disk encryption software that has been verified via the NIST website as using a FIPS 140-3 validated encryption module. Make sure you instruct users how to use the software; always a good idea. Once the encryption software is active, you can copy the CUI data onto the drive to transport the data.
The second level three practice requires employing architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Develop strategies to protect your data and harden your organization’s infrastructure. Make sure you have a documented security engineering program to follow, and if you don’t, develop one. Document any software or hardware changes to ensure the principles are followed. Review any changes at critical points in the workflow to ensure the requirements are met, and then update the policies covering the use of any upgraded system so user behavior stays aligned with the principles. I can’t tell you how many times I’ve worked with companies who make software or hardware changes with no documentation, no tracking of patches, etc., and they have lost configuration management. So please make sure you’re sensitive to this particular practice.
The third level three practice entails separating user functionality from system management functionality. So prevent general user access to information system management functions for your organization; that’s really important. System management functionality should also be separated from user functionality. Make sure you provide physical protection by segregating certain functions to separate servers, and connect those servers to their own subnet. Limit access to the separate servers so only approved system administrators can access them. You should use special admin accounts, with a different username from their normal accounts, to log into those servers.
The fourth level three practice requires prevention of unauthorized and unintended information transfer via shared system resources. Preventing unauthorized information transfers mitigates the risk of CUI, including encrypted information, being available to any users that obtain access to shared system resources. Those shared resources could be registers, main memory, hard disks, etc. To prevent unauthorized and unintended information transfer via shared resources, you need to ensure the operating system is configured correctly. Make sure your computer configuration policies match those documented in your hardening procedures.
The fifth level three practice is about denying network communications traffic by default and allowing network communications traffic by exception only, i.e., deny all, permit by exception. So install firewalls between your environment and other networks within the company, with firewall rules that deny all traffic; then evaluate each service and application that runs in the new environment and only allow the required ports and network paths to be opened. Test the functionality of the required services and applications to make sure they work, and then review the firewalls on a regular basis to make sure there were no unauthorized changes made to the rules.
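The "deny all, permit by exception" rule and the periodic review that follows it can both be checked mechanically. The script below is an added example, not from the vlog or from Sabre Systems: it parses an iptables-save style dump, confirms that the INPUT and FORWARD chains fall through to DROP, and compares the inbound ports actually opened with the ports a (hypothetical) hardening document approved. Both rulesets and the approved-port baseline are constructed for the example.

```python
# Added example (not from the vlog): audit an iptables-save style ruleset
# against a documented baseline to confirm "deny all, permit by exception"
# and to spot unauthorized rule changes. All rulesets below are constructed.
import re

# Constructed baseline from a hypothetical hardening document:
# inbound SSH and HTTPS are the only services evaluated and approved.
BASELINE_ALLOWED = {"tcp": {22, 443}, "udp": set()}

# Constructed `iptables-save` output right after the environment was built.
GOOD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed output from a later review: the INPUT policy was flipped to
# ACCEPT and telnet (tcp/23) was opened without going through the exception process.
DRIFTED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+) (\w+) \[")
ACCEPT_RE = re.compile(r"^-A INPUT .*-p (tcp|udp) .*--dport (\d+) .*-j ACCEPT$")


def parse_ruleset(text):
    """Return (chain -> default policy, set of (proto, port) accepted inbound)."""
    policies, opened = {}, set()
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = ACCEPT_RE.match(line)
        if m:
            opened.add((m.group(1), int(m.group(2))))
    return policies, opened


def audit_firewall(text, allowed=BASELINE_ALLOWED):
    """Compare a ruleset dump with the baseline; an empty list means no findings."""
    policies, opened = parse_ruleset(text)
    findings = []
    # Default-deny: both inbound and forwarded traffic must fall through to DROP.
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    # Permit-by-exception: every open port must be in the approved baseline...
    for proto, port in sorted(opened):
        if port not in allowed.get(proto, set()):
            findings.append(f"unauthorized inbound {proto}/{port} accepted")
    # ...and every approved service must still be reachable (rule not deleted).
    for proto, ports in allowed.items():
        for port in sorted(ports):
            if (proto, port) not in opened:
                findings.append(f"approved {proto}/{port} rule is missing")
    return findings


if __name__ == "__main__":
    for name, dump in (("baseline build", GOOD_RULESET), ("later review", DRIFTED_RULESET)):
        print(name, "->", audit_firewall(dump) or "OK")
```

Run against a fresh dump on a schedule (or from your configuration management tool) and treat any finding as a change that must be traced back to an approved exception; the baseline set is the place where those exceptions get recorded.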
The sixth level three practice requires preventing remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks. This is known as split tunneling. Configure your network to prohibit remote users from using split tunneling, and review the configurations on all of your remote user laptops. If remote users are able to access files, email, databases, or other services through your organization’s VPN connection and at the same time are able to access resources on the internet directly through their local connection, then change the hardening procedures for the company’s laptops. Test those laptops that have had the new hardening procedures applied and verify that all traffic from the laptop is now routed through the VPN connection.
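The verification step, confirming that a hardened laptop really sends everything through the VPN, comes down to reading its routing table. The following is an added example, not from the vlog: it parses Linux `ip route show` output and reports any route that would let traffic bypass the tunnel. The route tables are constructed, and the VPN interface name (tun0) and VPN server address (203.0.113.10) are assumptions you would replace with your own.

```python
# Added example (not from the vlog): verify from `ip route show` output that
# a remote laptop sends all traffic through the VPN, i.e. no split tunnel.
# The route tables and addresses below are constructed; the VPN interface
# name (tun0) and VPN server address (203.0.113.10) are assumptions.

# Constructed: a correctly hardened laptop. The physical-interface default
# route survives with a worse metric, and a host route to the VPN server is
# required so the tunnel itself can be reached.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0 metric 50
"""

# Constructed: split tunneling. Only corporate 10.0.0.0/8 goes through the
# VPN; general internet traffic and one extra subnet leave directly via wlan0.
SPLIT_TUNNEL = """\
10.0.0.0/8 via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
198.51.100.0/24 via 192.168.1.1 dev wlan0 metric 100
203.0.113.10 via 192.168.1.1 dev wlan0 metric 50
"""


def parse_routes(text):
    """Parse `ip route` lines into dicts (dst, dev, metric, directly connected?)."""
    routes = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        route = {"dst": t[0], "dev": None, "metric": 0, "link": False}
        if "dev" in t:
            route["dev"] = t[t.index("dev") + 1]
        if "metric" in t:
            route["metric"] = int(t[t.index("metric") + 1])
        if "scope" in t and t[t.index("scope") + 1] == "link":
            route["link"] = True  # the LAN the laptop is physically on
        routes.append(route)
    return routes


def check_full_tunnel(text, vpn_if="tun0", vpn_server="203.0.113.10"):
    """Return findings; an empty list means every non-local destination uses the VPN."""
    routes = parse_routes(text)
    findings = []
    vpn_defaults = [r for r in routes if r["dst"] == "default" and r["dev"] == vpn_if]
    best_vpn_metric = min((r["metric"] for r in vpn_defaults), default=None)
    if best_vpn_metric is None:
        findings.append(f"no default route via {vpn_if}")
    for r in routes:
        if r["dev"] == vpn_if:
            continue
        if r["dst"] == "default":
            # A physical default route is tolerable only if the VPN one wins.
            if best_vpn_metric is None or r["metric"] <= best_vpn_metric:
                findings.append(f"default route via {r['dev']} takes precedence over the VPN")
        elif r["link"] or r["dst"] == vpn_server:
            continue  # local subnet and the tunnel endpoint itself must stay direct
        else:
            findings.append(f"route to {r['dst']} bypasses the VPN via {r['dev']}")
    return findings


if __name__ == "__main__":
    print("full tunnel :", check_full_tunnel(FULL_TUNNEL) or "OK")
    print("split tunnel:", check_full_tunnel(SPLIT_TUNNEL) or "OK")
```

The two routes the check deliberately tolerates, the laptop's own LAN subnet and the host route to the VPN server, are what make a full tunnel work at all; anything else leaving through the physical interface is a leak worth a finding.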
The seventh level three practice requires implementing cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Employ encryption on all devices that contain CUI for your organization. Pretty straightforward requirement. Install a secure FTP server to allow CUI to be transmitted in a compliant manner. Verify that the server is using a FIPS-validated encryption module by checking the NIST Cryptographic Module Validation Program website. Make sure you turn on the FIPS compliance setting for the server during configuration in order to use only FIPS-validated cryptography.
The eighth level three practice addresses terminating network connections associated with communication sessions at the end of the sessions or after a defined period of inactivity. So institute policies that require network connections to be terminated after being idle for too long; 60 minutes is a good benchmark. In some cases you may have remote access software with an idle timeout that can be set in seconds. So edit the configuration file, set the timeout to the desired number of seconds, and restart the remote access software; then test the software and verify that after the time limit of being idle your connection is terminated.
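What the remote access software does with that timeout value is simple session bookkeeping, and it is worth seeing the rules spelled out: activity resets the idle clock, a session that crosses the limit is torn down, and a late packet from a torn-down session must not quietly revive it. The class below is an added example, not code from the vlog or from any remote access product; the sessions and timeline are constructed, and timestamps are passed in as plain seconds so the behaviour can be checked without waiting an hour.

```python
# Added example (not from the vlog): the idle-timeout logic a remote access
# service applies. Sessions and timestamps are constructed; an injected clock
# (`now` arguments, in seconds) stands in for time.time() so it is testable.

IDLE_TIMEOUT_SECONDS = 60 * 60  # the 60-minute benchmark from the practice


class SessionTable:
    """Tracks last activity per session and terminates sessions idle too long."""

    def __init__(self, timeout=IDLE_TIMEOUT_SECONDS):
        if timeout <= 0:
            raise ValueError("idle timeout must be a positive number of seconds")
        self.timeout = timeout
        self._last_activity = {}   # session id -> time of last activity
        self.terminated = []       # audit trail of (session id, reason)

    def open(self, sid, now):
        self._last_activity[sid] = now

    def touch(self, sid, now):
        """Record activity; returns False if the session no longer exists."""
        if sid not in self._last_activity:
            return False           # a reaped session must not be silently revived
        self._last_activity[sid] = now
        return True

    def close(self, sid):
        """Explicit end of session (the user logged out)."""
        if self._last_activity.pop(sid, None) is not None:
            self.terminated.append((sid, "logout"))

    def reap_idle(self, now):
        """Terminate every session idle for at least `timeout` seconds; return their ids."""
        expired = [sid for sid, last in self._last_activity.items()
                   if now - last >= self.timeout]
        for sid in expired:
            del self._last_activity[sid]
            self.terminated.append((sid, "idle timeout"))
        return expired

    def is_active(self, sid):
        return sid in self._last_activity


def demo():
    """Constructed timeline: 'alice' goes idle, 'bob' keeps working."""
    table = SessionTable(timeout=3600)
    table.open("alice", now=0)
    table.open("bob", now=0)
    table.touch("bob", now=3000)              # bob still active at t=50 min
    reaped_at_60 = table.reap_idle(now=3600)  # alice hit 60 min idle, bob did not
    revived = table.touch("alice", now=3700)  # late packet from alice is refused
    reaped_later = table.reap_idle(now=6600)  # bob idle since t=3000 -> 60 min
    return reaped_at_60, revived, reaped_later, table.terminated


if __name__ == "__main__":
    print(demo())
```

The `terminated` list is the record you want when you test the configuration: it shows both that the idle session was cut and why, which is exactly what an assessor will ask you to demonstrate.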
The ninth level three practice requires establishing and managing cryptographic keys for cryptography employed in organizational systems. You should designate an IT administrator at your organization, hopefully you’ve done that already, and that person is responsible for providing key management. Create a public/private key pair to exchange CUI. Require all of your systems administrators to read the company’s policy on key management before you allow them to install the private key on their machines; then provide the public key to other parties who will be sending you CUI, and test the PKI to ensure the encryption is working.
The 10th level three practice is about controlling and monitoring the use of mobile code. Designate a person responsible for enforcing and monitoring the use of mobile code; hopefully you’ve done that as well. Configure the baseline configuration of machines on your network to disable and deny the execution of mobile code. Implement an exception process to reactivate mobile code execution only for those users with a legitimate business or corporate need.
The 11th practice involves controlling and monitoring the use of Voice over Internet Protocol, also known as VoIP, technologies. Establish an acceptable use policy for using the VoIP technology. Verify that your VoIP solution is set up and configured correctly with all required security settings in compliance with your policies and security standards; then verify that all softphone software installed for users is kept up to date and patched to address any security issues.
The 12th level three practice is about protecting the authenticity of communications sessions. First you should establish a two-factor user authentication mechanism for your servers and ensure it is set up and configured correctly. Maintain the digital certificate that you purchased; then ensure that the Transport Layer Security, otherwise known as TLS, configuration settings on the web servers, VPN solution, and other components that use TLS are correct. Use secure settings that address the risk of attacks on the encrypted systems.
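"Correct TLS settings" means a few concrete things: a protocol floor no lower than TLS 1.2, only strong cipher suites, and certificate plus hostname verification left on. The code below is an added example, not from the vlog, using Python's standard `ssl` module to build a context with those settings and to audit any context for them; the cipher string is an assumption standing in for your organization's approved list, and `legacy_internal_context()` is a constructed example of the kind of weakened setting the audit should catch. Nothing here opens a network connection.

```python
# Added example (not from the vlog): build a hardened TLS context with
# Python's standard ssl module and audit a context for the settings the
# practice calls for (modern protocol floor, strong ciphers, certificate
# and hostname verification). The cipher string is an assumption; use your
# organization's approved list. Runs offline: no connection is made.
import ssl

APPROVED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES"
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def hardened_client_context():
    """Context for talking to the company's TLS services (web, VPN portal, SFTP over TLS)."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1 handshakes
    ctx.set_ciphers(APPROVED_CIPHERS)             # TLS 1.2 suites; TLS 1.3 suites are built in
    return ctx


def legacy_internal_context():
    """Constructed example of what an audit should flag: verification switched off,
    a common 'temporary' workaround on internal tools with self-signed certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate: no session authenticity
    return ctx


def audit_tls_context(ctx):
    """Return findings for settings that weaken session authenticity or confidentiality."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["strength_bits"] < 128 or any(m in name for m in WEAK_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_client_context()) or "OK")
    print("legacy  :", audit_tls_context(legacy_internal_context()) or "OK")
```

The same three checks map directly onto server-side settings (minimum protocol, cipher list, and the certificate chain you maintain), so the audit function is a reasonable starting point for a checklist you run against each web server, VPN gateway, and SFTP service that terminates TLS.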
The 13th level three practice is about protecting the confidentiality of CUI at rest. So you should establish a policy stating that CUI must be protected at rest, and enforce that policy. That should be a given, and hopefully you’ve done that as well. Use products such as full disk encryption that meet the FIPS encryption requirement. Incorporate the encryption on all computers at your company to protect CUI at rest. You may also have some devices that do not support encryption. I personally recommend you create a policy requiring those devices to be signed out when needed, to stay in the possession of the signer while checked out, and to be signed back in and locked up in a secure closet when the user is done with the device; then audit the sign-out sheet to make sure that all of your resources are accounted for, tracked, and have been properly signed in and signed out.
The 14th practice is about implementing domain name system (DNS) filtering services. Implement web browser protections; hopefully you have done that already. Just like some of the other things I’ve referred to, you may use a commercial DNS filtering application or service and configure your enterprise environment to use that service. The configuration blocks users from being able to access known malicious websites. The application provider is responsible for ensuring it has the latest list of known malicious websites. Update this filtering mechanism for your organization as necessary to provide additional DNS blocking or to allow previously blocked websites to be accessed.
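Whether you buy the service or run a resolver yourself, the decision logic inside a DNS filter is the same: block a listed domain and everything beneath it, honour an explicit exception for a name the business has re-allowed, answer blocked queries with a sinkhole address, and fold provider feed updates into the working list. The code below is an added example, not from the vlog or any particular filtering product; the domain names, feed contents, sinkhole address, and upstream resolver stub are all constructed. It also shows the one edge case that trips up naive implementations: a suffix match must respect label boundaries, so `notmalware-example.test` is not blocked by an entry for `malware-example.test`.

```python
# Added example (not from the vlog): the decision logic inside a DNS
# filtering service. Block a domain and everything under it, honour an
# explicit allow exception, answer blocked names with a sinkhole address,
# and apply feed updates. Names, feed contents and addresses are constructed.

SINKHOLE = "0.0.0.0"   # constructed answer for blocked names

# Constructed threat feed from the (hypothetical) filtering provider and the
# organization's own exception list. Stored lower-case, no trailing dot.
BLOCKLIST = {"malware-example.test", "phish.example"}
ALLOWLIST = {"partner.phish.example"}   # re-allowed after business review


def normalize(name):
    """Canonical form so 'WWW.Phish.Example.' and 'www.phish.example' compare equal."""
    return name.strip().rstrip(".").lower()


def matches(name, domains):
    """True if name equals, or is a subdomain of, any entry in `domains`.

    Walks the label suffixes so 'notmalware-example.test' is NOT matched by
    'malware-example.test' (a plain endswith() check would get that wrong).
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(name, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return 'allow' or 'block' for a queried name; the allow exception wins.

    Note the exception also covers subdomains of the allowed name, so keep
    the allowlist as specific as the business need permits.
    """
    if matches(name, allowlist):
        return "allow"
    if matches(name, blocklist):
        return "block"
    return "allow"


def resolve(name, upstream, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Answer a query: sinkhole blocked names, otherwise ask the upstream resolver.

    `upstream` is any callable name -> address; a constructed stub is used below.
    Returns (answer, decision) so every decision can be logged for monitoring.
    """
    decision = decide(name, blocklist, allowlist)
    if decision == "block":
        return SINKHOLE, decision
    return upstream(normalize(name)), decision


def apply_feed_update(blocklist, added=(), removed=()):
    """Fold a provider feed update into the working blocklist (returns a new set)."""
    updated = set(blocklist) | {normalize(d) for d in added}
    return updated - {normalize(d) for d in removed}


def stub_upstream(name):
    """Constructed upstream resolver standing in for the real DNS service."""
    return {"www.example.test": "198.51.100.7",
            "partner.phish.example": "198.51.100.8"}.get(name, "NXDOMAIN")


if __name__ == "__main__":
    for q in ("www.example.test", "login.phish.example", "partner.phish.example"):
        print(q, "->", resolve(q, stub_upstream))
```

Logging the `decision` alongside the query is what turns a filter into a monitoring source: a burst of blocked lookups from one workstation is often the first sign of an infection, well before anything else fires.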
The 15th and last practice at this level is about implementing a policy restricting the publication of CUI on externally owned, publicly accessible websites, for example forums, LinkedIn, Facebook, and Twitter. So ensure you are protecting your information correctly. Start by informing everyone working with CUI that they are prohibited from posting CUI on public websites. That can be a challenge, because not all CUI is properly marked or known to be CUI, so you may have to work with a customer or the originator of that particular document to see if it’s truly CUI. Then, once you’ve done that, make sure you include any job or industry related forums or discussions that may reference your CUI as being prohibited for access or posting. Brief this policy to employees who work with the CUI and include a reminder in your company’s security refresher training that you perform frequently; I recommend monthly, some people only do it annually, but I would make sure it’s part of your annual security refresher training.
So those are the 19 practices and requirements for SC. Hopefully you’re already applying systems and communications protections, and if you are, you’re already closing those CMMC compliance gaps that are hanging out there and getting prepared to be CMMC certified at either level one, level two, or level three, as we have discussed those three levels here over the previous 13 vlogs. Things you should already be doing: fund your CMMC program, and don’t kick the can down the road; CMMC is upon us. If you aren’t familiar with the DFARS clause, it went back into effect in November. Elements of CMMC are already being implemented, and if you haven’t done something to become compliant with CMMC, you’re behind the power curve. Become familiar with CMMC in general and with NIST SP 800-171 and 800-53.
In our next review, we will discuss CMMC practices for system and information integrity, or SI. I look forward to seeing you then. This is Bob Hanley from Sabre Systems, and thank you for listening to my vlog today, the 13th in our series. We don’t have too many left to go, so hang in there. Four more and we’ll be done, and hopefully you will be well on your way to becoming CMMC compliant.
Thank you and have a great day.