LLMPrompt MA.L2-3.7.6

From CMMC Toolkit Wiki
Jump to navigation Jump to search

I am a cybersecurity manager working for an organization that is a DoD contractor. I need to implement various security practices that conform to DoD's CMMC program at level 2. The CMMC program stipulates security practices that are based on NIST Special Publication 800-171 R2. For each security practice of CMMC Level 2, I need to show evidence that my organization is in compliance with CMMC. Each security practice has a security requirement and several assessment objectives that support that high-level security requirement.

I am assessing one of the assessment objectives within the practice MA.L2-3.7.6 – MAINTENANCE PERSONNEL. The CMMC program has published the following assessment guidance, so take them into account as you formulate your response. Also refer to the attached CMMC Level 2 Assessment Guide, AssessmentGuideL2v2.pdf, for more context and information about the practice.

A. SECURITY REQUIREMENT: Supervise the maintenance activities of maintenance personnel without required access authorization.

B. ASSESSMENT OBJECTIVES: Determine if: [a] maintenance personnel without required access authorization are supervised during maintenance activities.

C. ASSESSMENT APPROACHES: I have three assessment approaches for assessing any security practice. They are listed as follows:

C1. Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objectives to facilitate understanding, achieve clarification, or obtain evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C2. Interview: The process of conducting discussion with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C3. Test: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

D. ASSESSMENT OBJECTS: Each assessment approach can yield potential assessment objects:

D1. Examine: [SELECT FROM: System maintenance policy; procedures addressing maintenance personnel; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; system security plan; other relevant documents or records].

D2. Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].

D3. Test: [SELECT FROM: Organizational processes for authorizing and managing maintenance personnel; mechanisms supporting or implementing authorization of maintenance personnel].

E. DISCUSSION: This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while PE.L1-3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, consultants, and systems integrators, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on organizational risk assessments. Temporary credentials may be for one-time use or for very limited time periods.

F. FURTHER DISCUSSION: Individuals without proper permissions must be supervised while conducting maintenance on organizational machines. Consider creating temporary accounts with short-term expiration periods rather than regular user accounts. Additionally, limit the permissions and access these accounts have to the most restrictive settings possible.

G. Example: One of your software providers has to come on-site to update the software on your company’s computers. You give the individual a temporary logon and password that expires in 12 hours and is limited to accessing only the computers necessary to complete the work [a]. This gives the technician access long enough to perform the update. You monitor the individual’s physical and network activity while the maintenance is taking place [a] and revoke access when the job is done.

H. Potential Assessment Considerations: Are there processes for escorting and supervising maintenance personnel without required access authorization (e.g., vendor support personnel, short-term maintenance contractors) during system maintenance [a]?

I. EVIDENCE TYPES: Finally, I have four evidence types that I can collect. The definitions of the evidence types are as follows:

I1. Artifacts: Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. (See CAP Glossary for additional details.)

I2. Document: Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writing of every kind and description over which an agency has authority. (See CAP Glossary for additional details.)

I3. Physical Review: An on-premise observation of Evidence.

I4. Screen Share: Live observation ""over the shoulder"" of a user as they share their computer screen while performing a task.

J. KEY REFERENCES: NIST SP 800-171 Rev 2 3.7.6

Retrieved from "https://cmmcwiki.org/index.php?title=LLMPrompt_MA.L2-3.7.6&oldid=1396"