Practice CM.L3-3.4.2e Details

From CMMC Toolkit Wiki
Jump to navigation Jump to search

Source of Reference: The official CMMC Level 3 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

CM.L3-3.4.2E – AUTOMATED DETECTION & REMEDIATION

SECURITY REQUIREMENT

Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove the components or place the components in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:

[a] Automated mechanisms to detect misconfigured or unauthorized system components are identified;
[b] Automated mechanisms are employed to detect misconfigured or unauthorized system components;
[c] Misconfigured or unauthorized system components are detected; and
[d] After detection, system components are removed or placed in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine

[SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; configuration management plan; authoritative source or repository; enterprise architecture documentation; system design documentation; system architecture and configuration documentation; system procedures addressing system configuration change control; configuration settings and associated documentation; change control records; change control audit and review reports; agenda/minutes from configuration change control oversight meetings; alerts/notifications of unauthorized baseline configuration changes; security plan; system audit records; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel responsible for configuration management; organizational personnel responsible for information security; organizational personnel responsible for configuration change control; system developers; system/network administrators; members of a change control board or similar roles].

Test

[SELECT FROM: Automated mechanisms supporting configuration control of the baseline configuration; automated mechanisms that implement security responses to changes to the baseline configurations; automated mechanisms that implement configuration change control; automated mechanisms that detect misconfigured or unauthorized system components].

DISCUSSION [NIST SP 800-172]

System components used to process, store, transmit, or protect CUI are monitored and checked against the authoritative source (i.e., hardware and software inventory and associated baseline configurations). From an automated assessment perspective, the system description provided by the authoritative source is referred to as the desired state. Using automated tools, the desired state is compared to the actual state to check for compliance or deviations. Security responses to system components that are unknown or that deviate from approved configurations can include removing the components; halting system functions or processing; placing the system components in a quarantine or remediation network that facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or notifications to personnel when there is an unauthorized modification of an organization-defined configuration item. Responses can be automated, manual, or procedural. Components that are removed from the system are rebuilt from the trusted configuration baseline established by the authoritative source.

[NIST IR 8011-1] provides guidance on using automation support to assess system configurations.

FURTHER DISCUSSION

For this requirement, the organization is required to implement automated tools to help identify misconfigured components. Once under an attacker’s control, the system may be modified in some manner and the automated tool should detect this. Or, if a user performs a manual configuration adjustment, the system will be viewed as misconfigured, and that change should be detected. Another common example is if a component has been offline and not updated, the tool should detect the incorrect configuration. If any of these scenarios occurs, the automated configuration management system (ACMS) will notice a change and can take the system offline, quarantine the system, or send an alert so the component(s) can be manually removed. Quarantining a misconfigured component does not require it to be removed from the network. Quarantining only requires that a temporary limitation be put in place eliminating the component’s ability to process, store, or transmit CUI until it is properly configured. If a component has the potential of disrupting business operations then the OSC should take extra care to ensure configuration updates are properly tested and that components are properly configured and tested before being added to the network. Once one of these actions is accomplished, a system technician may need to manually inspect the system or rebuild it using the baseline configuration. Another option is for an ACMS to make adjustments while the system is running rather than performing an entire rebuild. These adjustments can include replacing configuration files, executable files, scripts, or library files on the fly.

Example 1

As the system administrator, you implement company policy stating that every system connecting to the company network via VPN will be checked for specific configuration settings and software versioning before it is allowed to connect to the network, after it passes authentication [a,b]. If any deviations from the authoritative baseline are identified, the system is placed in a VPN quarantine zone (remediation network) using a virtual local area network (VLAN) [b,c,d]. This VLAN is set up for system analysis, configuration changes, and rebuilding after forensic information is pulled from the system. Once the system updates are complete, the system will be removed from the quarantine zone and placed on the network through the VPN connection.

Example 2

As the system administrator, you have chosen to use a network access control (NAC) solution to validate system configurations before they are allowed to connect to the corporate network [a]. When a system plugs into or connects to a local network port or the VPN, the NAC solution checks the hash of installed system software [b,c]. If the system does not pass the configuration check, it is put in quarantine until an administrator can examine it or the ACMS updates the system to pass the system checks [d].

Potential Assessment Considerations

  • Can the organization explain the automated process that identifies, quarantines, and remediates a system when a misconfiguration or unauthorized system component is identified [a,b,c,d]?
  • Does the organization have a patching and rebuild process for all assets that may be taken offline [d]?

KEY REFERENCES

  • NIST SP 800-172 3.4.2e
Retrieved from "https://cmmcwiki.org/index.php?title=Practice_CM.L3-3.4.2e_Details&oldid=1201"