Practice AC.L3-3.1.2e Details

From CMMC Toolkit Wiki

Revision as of 14:48, 24 March 2025

Source of Reference: The official CMMC Level 3 Assessment Guide (https://dodcio.defense.gov/cmmc/Resources-Documentation/) from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us at support@cmmctoolkit.org. Thank you.

AC.L3-3.1.2E – ORGANIZATIONALLY CONTROLLED ASSETS

SECURITY REQUIREMENT

Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:

[a] Information resources that are owned, provisioned, or issued by the organization are identified; and
[b] Access to systems and system components is restricted to only those information resources that are owned, provisioned, or issued by the organization.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine

[SELECT FROM: Access control policy; procedures addressing the use of external systems; list of information resources owned, provisioned, or issued by the organization; security plan; system design documentation; system configuration settings and associated documentation; system connection or processing agreements; system audit records; account management documents; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel responsible for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices; system and network administrators; organizational personnel responsible for system security].

Test

[SELECT FROM: Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices].

DISCUSSION [NIST SP 800-172]

Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.