Practice IA.L3-3.5.3e Details

From CMMC Toolkit Wiki

Source of Reference: The official CMMC Level 3 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).


IA.L3-3.5.3E – BLOCK UNTRUSTED ASSETS

SECURITY REQUIREMENT

Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:

[a] System components that are known, authenticated, in a properly configured state, or in a trust profile are identified;
[b] Automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems are identified; and
[c] Automated or manual/procedural mechanisms are employed to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine

[SELECT FROM: Configuration management policy; identification and authentication policy; system and information integrity policy; procedures addressing system component inventory; procedures addressing device identification and authentication; procedures addressing device configuration management; procedures addressing system monitoring tools and techniques; configuration management plan; security plan; system design documentation; system configuration settings and associated documentation; system inventory records; configuration management records; system monitoring records; alerts/notifications of unauthorized components within the system; change control records; system audit records; system monitoring tools and techniques documentation; documented authorization/approval of network services; notifications or alerts of unauthorized network services; system monitoring logs or records; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel responsible for managing the mechanisms implementing unauthorized system component detection; organizational personnel responsible for device identification and authentication; organizational personnel responsible for information security; organizational personnel responsible for installing, configuring, and/or maintaining the system; system/network administrators; organizational personnel responsible for monitoring the system; system developers].

Test

[SELECT FROM: Mechanisms implementing the detection of unauthorized system components; mechanisms supporting and/or implementing a device identification and authentication capability; mechanisms for providing alerts; mechanisms supporting and/or implementing configuration management; cryptographic mechanisms supporting device attestation; mechanisms supporting and/or implementing a system monitoring capability; mechanisms for auditing network services].

DISCUSSION [NIST SP 800-172]

Identification and authentication of system components and their configurations can be established, for example, by a cryptographic hash of the component. This is also known as device attestation, and the resulting known operating state is also referred to as a trust profile. A trust profile based on factors such as the user, authentication method, device type, and physical location is used to make dynamic decisions on authorization to data of varying types. If device attestation is the means of identification and authentication, then patches and updates to the device must be handled through a configuration management process, so that they are applied securely and do not disrupt the identification and authentication of other devices.

[NIST IR 8011-1] provides guidance on using automation support to assess system configurations.

FURTHER DISCUSSION

This requirement can be achieved in several ways, such as blocking based on posture assessments, conditional access, or trust profiles. A posture assessment checks a given system's state to validate that it meets the standards set by the organization before the system is allowed to connect. Conditional access is the set of policies and configurations that control which devices receive access to services and data sources; it lets an organization build rules that enforce security controls, block connections, and restrict components. A trust profile is a set of factors that are checked to inform a system that a connecting device can be trusted.

Example 1

In a Windows environment, you authorize devices to connect to systems by defining configuration rules in one or more Group Policy Objects (GPO) that can be automatically applied to all relevant devices in a domain [a]. This provides you with a mechanism to apply rules for which devices are authorized to connect to any given system and prevent devices that are not within the defined list from connecting [b,c]. For instance, universal serial bus (USB) device rules for authorization can be defined by using a USB device’s serial number, model number, and manufacturer information. This information can be used to build a trust profile for a device and authorize it for use by a given system. You use security policies to prevent unauthorized components from connecting to systems [c].

Example 2

You have been assigned to build trust profiles for all devices allowed to connect to your organization's systems. You want to test the capability starting with printers. You talk to your purchasing department, and they tell you that policy states every printer must be from a specific manufacturer; they only purchase four different models. They also record the serial number of every printer purchased. You gather this information and build trust profiles for each device [a,b]. Because your organization shares printers, you push the trust profiles out to organizational systems. Now, a system is not allowed to connect to a network printer unless that printer matches one of the trust profiles you have provided [b,c].

Example 3

Your organization has implemented a network access control solution (NAC) to help ensure that only properly configured computers are allowed to connect to the corporate network [a,b]. The solution first checks for the presence of a certificate to indicate that the device is company-owned. It next reviews the patch state of the computer and forces the installation of any patches that are required by the organization. Finally, it reviews the computer’s configuration to ensure that the firewall is active and that the appropriate security policies have been applied. Once the computer has passed all of these requirements, it is allowed access to network resources and defined as a trusted asset for the length of its session [a].

Devices that do not meet all of the requirements are automatically blocked from connecting to the network [c].
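The following is an added example, not code from the CMMC Assessment Guide or NIST SP 800-172, showing how the three ideas above fit together in one admission decision: the trust profile built from purchasing records in Example 2, the attestation-by-hash and configuration-management point in the Discussion, and the certificate, patch-state and firewall checks of the NAC in Example 3. The vendor name, model numbers, serials, patch-level format, configuration keys and device reports are all constructed for illustration; a real NAC would take them from the device inventory and from the endpoint agent or 802.1X/EAP exchange.

```python
# Added example (not from the CMMC guide or NIST SP 800-172): a small
# NAC-style admission check applying the three tests the page describes:
# trust profile match, attestation of configuration by cryptographic
# hash, and posture (certificate, patch level, firewall). All vendor
# names, serials, baselines and device reports below are constructed.
import hashlib
import json
from dataclasses import dataclass, field

# Trust profile built from purchasing records (Example 2): one approved
# manufacturer, four models, and the serial numbers actually purchased.
TRUST_PROFILE = {
    "manufacturer": "ExampleCorp",                     # hypothetical vendor
    "models": {"PX-100", "PX-200", "PX-300", "PX-400"},
    "serials": {"PX1-0001", "PX2-0042", "PX3-0007"},
}

# Hypothetical minimum patch level; zero-padded YYYY.MM strings compare
# correctly as plain strings, which is all this example relies on.
MIN_PATCH_LEVEL = "2024.06"


def config_digest(config: dict) -> str:
    """SHA-256 over a canonical JSON form so identical settings always hash
    the same regardless of key order in the device's report."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Known-good configuration hashes keyed by (model, patch level). A patch
# changes the hash, so each approved patch level gets its own baseline via
# the change-control step the Discussion calls for; nothing is updated
# silently at connect time.
BASELINES: dict[tuple[str, str], str] = {}


def approve_baseline(model: str, patch_level: str, config: dict) -> str:
    digest = config_digest(config)
    BASELINES[(model, patch_level)] = digest
    return digest


@dataclass
class Decision:
    serial: str
    allowed: bool = False
    reasons: list = field(default_factory=list)


def evaluate(device: dict) -> Decision:
    """Return allow/block plus every failed check, for the alert record."""
    d = Decision(serial=device.get("serial", "<unknown>"))
    # [a] known: identity must match the trust profile on all three fields
    if (device.get("manufacturer") != TRUST_PROFILE["manufacturer"]
            or device.get("model") not in TRUST_PROFILE["models"]
            or device.get("serial") not in TRUST_PROFILE["serials"]):
        d.reasons.append("not in trust profile")
    # authenticated: organization-issued device certificate presented
    if not device.get("has_org_cert"):
        d.reasons.append("no organizational device certificate")
    # properly configured: patch level, attestation hash, host firewall
    patch = device.get("patch_level", "")
    if patch < MIN_PATCH_LEVEL:
        d.reasons.append(f"patch level {patch or 'unknown'} below {MIN_PATCH_LEVEL}")
    config = device.get("config", {})
    expected = BASELINES.get((device.get("model"), patch))
    if expected is None or config_digest(config) != expected:
        d.reasons.append("configuration hash does not match approved baseline")
    if not config.get("firewall_enabled"):
        d.reasons.append("host firewall disabled")
    d.allowed = not d.reasons
    return d


def alert_line(d: Decision) -> str:
    """One audit/alert record per decision: the evidence assessors ask for."""
    status = "ALLOW" if d.allowed else "BLOCK"
    return f"nac decision={status} serial={d.serial} reasons={';'.join(d.reasons) or '-'}"


def run_demo() -> list:
    """Approve one baseline, then evaluate three constructed device reports."""
    good_cfg = {"firewall_enabled": True, "snmp_community": "<managed>", "tls_min": "1.2"}
    approve_baseline("PX-200", "2024.06", good_cfg)
    devices = [
        # purchased printer, certificate present, approved configuration
        {"manufacturer": "ExampleCorp", "model": "PX-200", "serial": "PX2-0042",
         "has_org_cert": True, "patch_level": "2024.06", "config": good_cfg},
        # same hardware, but an unapproved setting change: hash no longer matches
        {"manufacturer": "ExampleCorp", "model": "PX-200", "serial": "PX2-0042",
         "has_org_cert": True, "patch_level": "2024.06",
         "config": {**good_cfg, "tls_min": "1.0"}},
        # unknown device from another vendor, no certificate, stale, firewall off
        {"manufacturer": "OtherVendor", "model": "Z9", "serial": "Z9-9999",
         "has_org_cert": False, "patch_level": "2023.01",
         "config": {"firewall_enabled": False}},
    ]
    return [evaluate(dev) for dev in devices]


if __name__ == "__main__":
    for decision in run_demo():
        print(alert_line(decision))
```

The second device is the case the Discussion warns about: the same known, authenticated printer is blocked because its configuration drifted from the approved baseline, and the only way to admit it again is to approve a new baseline through change control. The third device fails every check and produces a single alert record listing all of them, which is the kind of evidence the assessment considerations below ask for.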

Potential Assessment Considerations

  • If the organization is using a manual method, is the method outlined in detail so any user will be able to follow it without making an error [b,c]?
  • If the organization is using an automated method, can the organization explain how the technology performs the task? Can they explain the steps needed to implement [a,b,c]?
  • Can the organization provide evidence showing they have trust profiles for specific devices [a,b,c]?
  • Can the organization explain how their system components authenticate to a system if they are not using trust profiles [b,c]?

KEY REFERENCES

  • NIST SP 800-172 3.5.3e