LLMPrompt AC.L2-3.1.2
I am a cybersecurity manager working for an organization that is a DoD contractor. I need to implement various security practices that conform to DoD's CMMC program at level 2. The CMMC program stipulates security practices that are based on NIST Special Publication 800-171 R2. For each security practice of CMMC Level 2, I need to show evidence that my organization is in compliance with CMMC. Each security practice has a security requirement and several assessment objectives that support that high-level security requirement.
I am assessing one of the assessment objectives within the practice AC.L2-3.1.2 "TRANSACTION & FUNCTION CONTROL." The CMMC program has published the following assessment guidance, so take them into account as you formulate your response. Also refer to the attached CMMC Level 2 Assessment Guide for more context and information about the practice.
A. SECURITY REQUIREMENT: Limit information system access to the types of transactions and functions that authorized users are permitted to execute..
B. ASSESSMENT OBJECTIVES [NIST SP 800-171A]: Determine if: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and [b] system access is limited to the defined types of transactions and functions for authorized users.
C. ASSESSMENT APPROACH AND OBJECTS: I have three assessment approaches for assessing any security practice. They are listed as follows:
C1. Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objectives to facilitate understanding, achieve clarification, or obtain evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.
C2. Interview: The process of conducting discussion with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.
C3. Test: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.
D. ASSESSMENT OBJECTS: Each assessment approach can yield potential assessment objects:
D1. Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; system security plan; system design documentation; list of approved authorizations including remote access authorizations; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].
D2. Interview: [SELECT FROM: Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers].
D3. Test: [SELECT FROM: Mechanisms implementing access control policy].
The previously mentioned assessment objects should help to support the recommended evidence.
E. DISCUSSION: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of- week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
F. FURTHER DISCUSSION: Limit users to only the information systems, roles, or applications they are permitted to use and are needed for their roles and responsibilities. Limit access to applications and data based on the authorized users’ roles and responsibilities. Common types of functions a user can be assigned are create, read, update, and delete.
G. Example: You supervise the team that manages DoD contracts for your company. Members of your team need to access the contract information to perform their work properly. Because some of that data contains FCI, you work with IT to set up your group’s systems so that users can be assigned access based on their specific roles [a]. Each role limits whether an employee has read-access or create/read/delete/update -access [b]. Implementing this access control restricts access to FCI information unless specifically authorized.
H. Potential Assessment Considerations: Are access control lists used to limit access to applications and data based on role and/or identity [a]? Is access for authorized users restricted to those parts of the system they are explicitly permitted to use (e.g., a person who only performs word-processing cannot access developer tools) [b]?
I. EVIDENCE TYPES: Finally, I have four evidence types that I can collect. The definitions of the evidence types are as follows:
I1. Artifacts: Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. (See CAP Glossary for additional details.)
I2. Document: Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writing of every kind and description over which an agency has authority. (See CAP Glossary for additional details.)
I3. Physical Review: An on-premise observation of Evidence.
I4. Screen Share: Live observation ""over the shoulder"" of a user as they share their computer screen while performing a task.
J. KEY REFERENCES: NIST SP 800-171 Rev 2 3.1.2