CMMC - Access Control Level 1

To begin this post, lets review the requirements to obtain Level 1 in Access Control. The reference for this will be the CMMC Release document, available both on the DOD’s Acquisition website at https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf, as well as locally on my site here.

Requirements

• AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other informtion systems).
• AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• AC.1.003 – Verify and control/limit connections to and use of external information systems
• AC.1.004 – Control information posted or processed on publicly accessible information systems.

Uhm… Can you say that in English, Please?

• AC.1.001 – Accessing electronic devices of any type (Mac/Windows/Linux computers, Cell phones, Switches, Routers, Firewalls, etc…) must be limited to only those who are authorized to use it, whether they are human users, automated processes such as Simple Network Management Protocol (SNMP) traffic, or other computing devices.
• AC.1.002 – When an authorized user logs into an electronic device, they can only conduct actions that they are allowed to.
• AC.1.003 – When accessing electronic devices outside of your network, they must be controlled, limited, and verified per company policies.
• AC.1.004 – If information is posted to or processed by electronic devices outside of your network, and those devices are available to the general public, that information must be controlled and ensured they are acceptable for public release.

Compliance Techniques

AC.1.001

AC.1.001 can almost entirely be accomplished by using Microsoft’s Active Directory. Active Directory runs using the Lightweight Directory Access Protocol (LDAP) along with Kerberos to centralize identification and authentication management (IDaM) into one server. Mac, Windows, and Linux devices can join the domain created by the active directory server with relative ease (well, Linux can have some troubles joining). Networking devices, like Routers, Switches, and Firewalls can be connected using Remote Access Dial-in User Service (RADIUS), which is part of the Network Policy Server (NPS) found within Windows Server. Cell phones cannot have centralized authentication, but can be connected to a Mobile Device Management (MDM) server to provide some of the same features. Furthermore, accounts for processes and devices can be maintained within Active Directory as well, further helping ensure compliance with this requirement.

Resources

• Installing and Configuring Active Directory (Windows Server 2016)
• Creating User Accounts in Active Directory
• Join Windows 10 to Active Directory
• Join macOS to Active Directory
• Join Linux operating systems to Active Directory
• Install and configure RADIUS in Windows Server 2016

AC.1.002

Active directory can assist with this control as well, in terms of setting up user roles. Role-based Access Controls (RBAC) is a proven method of limiting what a user can do when they log into a system. There are plenty of great resources regarding RBAC, so I won’t go into depth here about what it is and how it works. With Active Directory, you’ll assign users to groups that are designed around the concept of roles. In other words, System Administrator, Network Engineer, Accounting, Developer, and so on. Throughout the network, at Server Management Bus (SMB) shares, applications, routers and switches (through the use of the Network Policy Server discussed under AC.1.001), you’ll design the permissions each role will have.

Resources
Role Based Access Control – auth0

AC.1.003

Unfortunately, Active Directory cannot fulfill this control. The first part of this control is limiting access to outside networks. This can be accomplished using firewalls, proxies, and other similar network security appliances. Properly configured firewalls will limit both incoming and outgoing connections based on company-approved connections. While some will be generic policies, such as allowing Port 80 and 443 (for HTTP and HTTPS, respectively) out of the network, and likely blocking ports like 20, 21, and 23 (FTP – Data, FTP – Control, Telnet), some will need to be far more specific to how the company runs. Furthermore, a proxy will allow the organization to limit access to specific websites, either through a whitelist or blacklist methodology.

Second, the organization needs to have policies on how devices are managed. For example, the use of personal devices to work on Federal Contract Information (FCI) should be restricted. Only company-provided devices should be used for this type of work.

AC.1.004

This control primarily refers to data that will be posted to publicly available locations. Think your company website, company LinkedIn, company Facebook. Anything that can be accessed by anyone in the world, without any form of authorization or access control. This can be accomplished through two means.
First, a Data Loss Prevention (DLP) system can help prevent the unintentional publication of FCI and other sensitive information. There is a large variety of DLP devices out there, so I’ll list a few in the resources section. However, don’t expect a DLP to stop every attempt to publicly post this kind of information. There are always ways around your security applicances, and someone determined to do so will find a way.
The second part of your protection should be backing policies that identify

• Who is authorized to publish information to your public-facing company pages. This person should be identified by role, not by name (to allow for the changing of personnel).
• A review process that includes not only the person in that role, but senior management, and a legal review. Multiple eyes can help catch the inadvertent posting of FCI and other sensitive information

Resources

• Symantec Data Loss Prevention
• McAfee Data Loss Prevention
• Comodo MyDLP

Conclusion

The first level of access control includes four controls, which are foundational security controls for this aspect of security. While I referred some possible tools, this is by no means a comprehensive listing of tools. Feel free to look around, but before choosing a tool, be sure to have someone knowledgeable on security review your choice. The choice of a tool that does not meet these controls will cause your inspection to fail, and a requirement to ensure these controls are properly applied. If you want to recommend any additional tools that meet these controls, feel free to reach out and I’ll add them to my CMMC tools page that I keep in my public Notion site.