LLMPrompt MA.L2-3.7.4

From CMMC Toolkit Wiki
Jump to navigation Jump to search

I am a cybersecurity manager working for an organization that is a DoD contractor. I need to implement various security practices that conform to DoD's CMMC program at level 2. The CMMC program stipulates security practices that are based on NIST Special Publication 800-171 R2. For each security practice of CMMC Level 2, I need to show evidence that my organization is in compliance with CMMC. Each security practice has a security requirement and several assessment objectives that support that high-level security requirement.

I am assessing one of the assessment objectives within the practice MA.L2-3.7.4 – MEDIA INSPECTION. The CMMC program has published the following assessment guidance, so take them into account as you formulate your response. Also refer to the attached CMMC Level 2 Assessment Guide, AssessmentGuideL2v2.pdf, for more context and information about the practice.

A. SECURITY REQUIREMENT: Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

B. ASSESSMENT OBJECTIVES: Determine if: [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.

C. ASSESSMENT APPROACHES: I have three assessment approaches for assessing any security practice. They are listed as follows:

C1. Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objectives to facilitate understanding, achieve clarification, or obtain evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C2. Interview: The process of conducting discussion with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C3. Test: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

D. ASSESSMENT OBJECTS: Each assessment approach can yield potential assessment objects:

D1. Examine: [SELECT FROM: System maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; system security plan; other relevant documents or records].

D2. Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].

D3. Test: [SELECT FROM: Organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].

E. DISCUSSION: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.

F. FURTHER DISCUSSION: As part of troubleshooting, a vendor may provide a diagnostic application to install on a system. As this is executable code, there is a chance that the file is corrupt or infected with malicious code. Implement procedures to scan any files prior to installation. The same level of scrutiny must be made as with any file a staff member may download. This practice, MA.L2-3.7.4, extends both SI.L1-3.14.2 and SI.L1-3.14.4. SI.L1-3.14.2 and SI.L1-3.14.4 require the implementation and updating of mechanisms to protect systems from malicious code, and MA.L2-3.7.4 extends this requirement to diagnostic and testing tools.

G. Example: You have recently been experiencing performance issues on one of your servers. After troubleshooting for much of the morning, the vendor has asked to install a utility that will collect more data from the server. The file is stored on the vendor’s FTP server. The support technician gives you the FTP site so you can anonymously download the utility file. You also ask him for a hash of the utility file. As you download the file to your local computer, you realize it is compressed. You unzip the file and perform a manual antivirus scan, which reports no issues [a]. To verify the utility file has not been altered, you run an application to see that the hash from the vendor matches.

H. Potential Assessment Considerations: Are media containing diagnostic and test programs (e.g., downloaded or copied utilities or tools from manufacturer, third-party, or in-house support teams) checked for malicious code (e.g., using antivirus or antimalware scans) before the media are used on organizational systems [a]?

I. EVIDENCE TYPES: Finally, I have four evidence types that I can collect. The definitions of the evidence types are as follows:

I1. Artifacts: Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. (See CAP Glossary for additional details.)

I2. Document: Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writing of every kind and description over which an agency has authority. (See CAP Glossary for additional details.)

I3. Physical Review: An on-premise observation of Evidence.

I4. Screen Share: Live observation ""over the shoulder"" of a user as they share their computer screen while performing a task.

J. KEY REFERENCES: NIST SP 800-171 Rev 2 3.7.4

Retrieved from "https://cmmcwiki.org/index.php?title=LLMPrompt_MA.L2-3.7.4&oldid=1379"