CMMC Practice Number: AC.L1-3.1.20
CMMC Level: 1
CMMC Domain: Access Control (AC)
Practice Summary:
Verify and control/limit connections to and use of external information systems.
CMMC Practice Implementation
Assessment Objectives
Determine if:
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.
Practice Clarification (DOD, CMU)
Control and manage connections between your company network and outside networks. Outside networks could include the public internet, one of your own company's networks that falls outside of your assessment boundary (e.g., an isolated lab), or a network that does not belong to your company [c,e]. Tools to accomplish this include firewalls and connection allow/deny lists. External systems not controlled by your company could be running applications that your policy prohibits or blocks. Control and limit access to corporate networks from personally owned devices such as laptops, tablets, and phones [b,d,f]. You may choose to limit how and when your network is connected to outside systems, or to allow only certain employees to connect to outside systems from network resources [e].
Example
You and your coworkers are working on a big proposal and will put in extra hours over the weekend to get it done. Part of the proposal includes Federal Contract Information (FCI). Because FCI should not be shared publicly, you remind your coworkers of the policy requirement to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend [b,f]. You also remind everyone to work from the cloud environment that is approved for processing and storing FCI rather than the other collaborative tools that may be used for other projects [b,f].
Potential Assessment Considerations
• Are all connections to external systems outside of the boundary identified [a]?
• Are external systems (e.g., systems managed by contractors, partners, or vendors; personal devices) that are permitted to connect to or make use of organizational systems identified [b]?
• Are methods employed to ensure that only authorized connections are being made to external systems (e.g., requiring logins or certificates, access from a specific IP address, or access via VPN) [c,e]?
• Are methods employed to confirm that only authorized external systems are connecting (e.g., if employees are receiving company email on personal cell phones, is the contractor checking to verify that only known/expected devices are connecting) [d]?
• Is the use of external systems limited, including by policy or physical control [f]?
Where To Look
- Access control policy
- Procedures addressing the use of external systems
- Terms and conditions for external systems
- System security plan
- List of applications accessible from external systems
- System configuration settings and associated documentation
- System connection or processing agreements
- Account management documents
- Other relevant documents or records
Who To Talk To
- Personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems
- System or network administrators
- Personnel with information security responsibilities
Perform Test On
- Mechanisms implementing terms and conditions on use of external systems
Additional Information
Solutions for controlling and limiting connections to external systems may include firewalls, proxies, encryption, and other security technologies. Information flow control regulates where information can travel within an information system and between information systems (as opposed to who is allowed to access the information), without explicit regard to subsequent accesses to that information.
Examples of flow control restrictions include:
- keeping export-controlled information from being transmitted in the clear to the internet,
- blocking outside traffic that claims to be from within the organization,
- restricting web requests to the internet that are not from the internal web proxy server, and
- limiting information transfers between organizations based on data structures and content.
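The connection-verification checks listed under Potential Assessment Considerations above ([c], [d]) and the first three flow-control restrictions in this list can be expressed as a small audit over a boundary device's connection log. The following Python script is an added example, not part of the CMMC source text and not the output of any firewall or VPN product: the key=value log format, the internal address ranges, the proxy address (10.0.0.5), the enrolled-device list and the sample log lines are all constructed for illustration. It flags inbound traffic on the internet-facing interface that claims an internal source address, web requests to the internet that do not originate from the internal proxy, and VPN or mail sessions presented by a device that is not on the company-issued list.

```python
"""Connection-verification checks for AC.L1-3.1.20 (added example).

Everything here is constructed for illustration: the address ranges, the
proxy address, the enrolled-device list and the log format are assumptions,
not the output of any real firewall or VPN product.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

# --- Policy inputs (constructed) ------------------------------------------
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WEB_PROXY = ipaddress.ip_address("10.0.0.5")       # only host allowed to reach internet web ports
WEB_PORTS = {80, 443}
ENROLLED_DEVICES = {"LAPTOP-0142", "LAPTOP-0217"}  # company-issued devices [b]
DEVICE_VERIFIED_SERVICES = {"vpn", "mail"}          # services that must present a known device [d]

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Conn:
    iface: str             # "wan" (internet-facing) or "lan"
    direction: str         # "in" or "out" relative to the organisation
    src: Addr
    dst: Addr
    dport: int
    svc: str
    device: Optional[str]  # device identifier presented at login, None if absent


def is_internal(addr: Addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Conn:
    """Parse one constructed 'key=value' log line into a Conn."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Conn(
        iface=kv["iface"],
        direction=kv["dir"],
        src=ipaddress.ip_address(kv["src"]),
        dst=ipaddress.ip_address(kv["dst"]),
        dport=int(kv["dport"]),
        svc=kv["svc"],
        device=None if kv.get("device", "-") == "-" else kv["device"],
    )


def evaluate(c: Conn) -> List[str]:
    """Return the policy findings for one connection (empty list = allowed)."""
    findings = []
    # Outside traffic claiming an internal source address must be dropped at the boundary.
    if c.iface == "wan" and c.direction == "in" and is_internal(c.src):
        findings.append("spoofed-internal-source")
    # Web requests to the internet may only originate from the internal proxy.
    if (c.direction == "out" and not is_internal(c.dst)
            and c.dport in WEB_PORTS and c.src != WEB_PROXY):
        findings.append("web-egress-bypasses-proxy")
    # Services used from external devices must be reached from an enrolled device.
    if c.svc in DEVICE_VERIFIED_SERVICES and c.device not in ENROLLED_DEVICES:
        findings.append("unenrolled-device")
    return findings


def audit(log_text: str) -> dict:
    """Map 1-based log line numbers to their findings; clean lines are omitted."""
    results = {}
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        findings = evaluate(parse_line(line))
        if findings:
            results[lineno] = findings
    return results


# Constructed sample log (RFC 5737 documentation address ranges; not real traffic).
SAMPLE_LOG = """\
iface=wan dir=in src=203.0.113.7 dst=10.0.1.20 dport=443 svc=vpn device=LAPTOP-0142
iface=wan dir=in src=198.51.100.9 dst=10.0.1.20 dport=443 svc=vpn device=PHONE-7781
iface=wan dir=in src=10.0.3.4 dst=10.0.1.30 dport=443 svc=web device=-
iface=lan dir=out src=10.0.0.5 dst=198.51.100.50 dport=443 svc=web device=-
iface=lan dir=out src=10.0.2.31 dst=198.51.100.50 dport=443 svc=web device=-
iface=lan dir=out src=10.0.2.31 dst=10.0.0.5 dport=3128 svc=web device=-
"""

if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(findings)}")
```

Run as a script it prints one line per flagged connection (lines 2, 3 and 5 of the sample). In practice the policy inputs would be taken from the access control policy and the device inventory listed under Where To Look, and the log would be the boundary device's own connection record; a spoofed-internal-source finding means the boundary firewall's anti-spoofing rule is missing or misconfigured, and a web-egress-bypasses-proxy finding means a host has a path to the internet that does not pass through the approved proxy, both of which objective [e] requires to be controlled.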
Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. The company may consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example:
- prohibiting information transfers between interconnected systems (i.e., allowing access only),
- employing hardware mechanisms to enforce one-way information flows, and
- implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Companies commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing keyword searches or using document characteristics). Companies may also consider the trustworthiness of the filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.
CMMC Practice Background and References (DOD, CMU)
Practice Discussion:
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of Federal Contract Information (FCI), including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.
Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address, at a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.
This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.
Note that while "external" typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of FCI across an organization, the organization may have systems that process FCI and others that do not. And among the systems that process FCI there are likely access restrictions for FCI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered "external" to that system.
CMMC References:
· FAR Clause 52.204-21 b.1.iii
· NIST SP 800-171 Rev 1 3.1.20
· CIS Controls v7.1 12.1, 12.4
· NIST CSF v1.1 ID.AM-4, PR.AC-3
· CERT RMM v1.2 EXD:SG3.SP1
· NIST SP 800-53 Rev 4 AC-20, AC-20(1)