Practice AC.L3-3.1.2e Details - Revision history

David at 01:52, 25 March 2025

2025-03-25T01:52:49Z

@@ Line 23: / Line 23: @@
 [SELECT FROM: Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices].
 === DISCUSSION [NIST SP 800-172] ===
 Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.
 === FURTHER DISCUSSION ===

David at 18:23, 24 March 2025

2025-03-24T18:23:33Z

← Older revision		Revision as of 18:23, 24 March 2025
Line 24:		Line 24:
	=== DISCUSSION [NIST SP 800-172] ===		=== DISCUSSION [NIST SP 800-172] ===
	Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.		Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.
			'''AC.L3-3.1.2E – ORGANIZATIONALLY CONTROLLED ASSETS '''

			Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

			'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''

			Determine if:
			[a] Information resources that are owned, provisioned, or issued by the organization are identified; and
			[b] Access to systems and system components is restricted to only those information resources that are owned, provisioned, or issued by the organization.

			'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''

			'''Examine'''

			[SELECT FROM: Access control policy; procedures addressing the use of external systems; list of information resources owned, provisioned, or issued by the organization; security plan; system design documentation; system configuration settings and associated documentation; system connection or processing agreements; system audit records; account management documents; other relevant documents or records].

			'''Interview'''

			[SELECT FROM: Organizational personnel responsible for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices; system and network administrators; organizational personnel responsible for system security].

			'''Test'''

			[SELECT FROM: Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices].

			'''DISCUSSION [NIST SP 800-172] '''

			Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.
			=== FURTHER DISCUSSION ===
			Implementing this requirement ensures that an organization has control over the systems that can connect to organizational assets. This control will allow more effective and efficient application of security policy. The terms “has control over” provides policy for systems that are not owned outright by the organization. Control includes policies, regulations or standards that are enforced on the resource accessing contractor systems. Control may also be exercised through contracts or agreements with the external party. Provisioned includes setting configuration, whether through direct technical means or by policy or agreement. For purposes of this requirement, GFE can be considered provisioned by the OSA.

			'''Example 1'''

			You are the chief network architect for your company. Company policy states that all company-owned assets must be separated from all non-company-owned (i.e., guest or employee) assets. You decide the best way forward is to modify the corporate wired and wireless networks to only allow company-owned devices to connect [b]. All other devices are connected to a second (untrusted) network that non-corporate devices may use to access the internet. The two environments are physically separated and are not allowed to be connected. You also decide to limit the virtual private network (VPN) services of the company to devices owned by the corporation by installing certificate keys and have the VPN validate the configuration of connecting devices before they are allowed in [b].

			'''Example 2'''

			You are a small company that uses an External Service Provider (ESP) to provide your audit logging. Access between the ESP and the organization is controlled by the agreement between the organization and the ESP. That agreement will include the policies, standards, and configuration for the required access. Technical controls should be documented and in place which limit the ESP’s access to the minimum required to perform the logging service.

			'''Potential Assessment Considerations'''

			* Can the organization demonstrate a non-company-owned device failing to access information resources owned by the company [b]?
			* How is this requirement met for organizational devices that are specialized assets (GFE, restricted information systems) [a,b]?
			* Does the company allow employees to charge personal cell phones on organizational systems [b]?
			=== KEY REFERENCES ===
			* NIST SP 800-172 3.1.2e

David: Created page with "'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 3 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == AC.L3-3.1.2E – ORGANIZATIONALLY CONTROLLED ASSETS == === SECURITY REQUIREMENT === Restrict access to systems and system components to only those information re..."

2025-03-24T14:48:54Z

Created page with "'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 3 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == AC.L3-3.1.2E – ORGANIZATIONALLY CONTROLLED ASSETS == === SECURITY REQUIREMENT === Restrict access to systems and system components to only those information re..."

New page

'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 3 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''

For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

== AC.L3-3.1.2E – ORGANIZATIONALLY CONTROLLED ASSETS ==
=== SECURITY REQUIREMENT ===
Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
=== ASSESSMENT OBJECTIVES [NIST SP 800-172A] ===
Determine if:
: [a] Information resources that are owned, provisioned, or issued by the organization are identified; and
: [b] Access to systems and system components is restricted to only those information resources that are owned, provisioned, or issued by the organization.
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] ===
'''Examine'''

[SELECT FROM: Access control policy; procedures addressing the use of external systems; list of information resources owned, provisioned, or issued by the organization; security plan; system design documentation; system configuration settings and associated documentation; system connection or processing agreements; system audit records; account management documents; other relevant documents or records].

'''Interview'''

[SELECT FROM: Organizational personnel responsible for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices; system and network administrators; organizational personnel responsible for system security].

'''Test'''

[SELECT FROM: Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices].
=== DISCUSSION [NIST SP 800-172] ===
Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.