CMMC Practice Number: AC.L2-3.1.13
CMMC Level: 2
CMMC Domain: Access Control (AC)
Practice Summary:
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
CMMC Practice Implementation
Assessment Objectives
Determine if:
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
Practice Clarification (DOD, CMU)
A remote access session involves logging into the organization’s systems such as its internal network or a cloud service provider from a remote location such as home or an alternate work site. This remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information exchanges.
When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has been tested and validated to meet FIPS 140-1 or -2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when it is transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices inside the protected environment of the covered contractor information system, does not need to be FIPS-validated. This practice, AC.L2-3.1.13, requires the use of cryptographic mechanisms when enabling remote sessions and complements five other practices dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
- AC.L2-3.1.12 requires the control of remote access sessions.
- AC.L2-3.1.14 limits remote access to specific access control points.
- AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
- IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
- Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.
Example
As a system administrator you are responsible for implementing a remote network access capability for users who work offsite. In order to provide session confidentiality, you decide to implement a VPN mechanism and select a product that has completed FIPS 140 validation [a,b].
Potential Assessment Considerations
- Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer Security (TLS) and Internet Protocol Security (IPsec) using FIPS-validated encryption algorithms) defined and implemented [a,b]? Note that simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140.
Where To Look
- Access control policy;
- procedures addressing remote access to the system;
- system security plan;
- system design documentation;
- system configuration settings and associated documentation;
- cryptographic mechanisms and associated configuration documentation;
- system audit logs and records;
- other relevant documents or records.
Who To Talk To
- System or network administrators;
- personnel with information security responsibilities;
- system developers.
Perform Test On
- Cryptographic mechanisms protecting remote access sessions.
Additional Information
NIST SP 800-171 requires that cryptography used to protect the confidentiality of CUI be Federal Information Processing Standard (FIPS) validated cryptography, which means the cryptographic module has been tested and validated to meet FIPS 140 requirements. Simply using an approved algorithm (e.g., FIPS 197 for AES) is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. When an application or device offers a choice (selecting FIPS mode or not), only its FIPS mode has been validated under FIPS 140-2; the non-FIPS options allow certain operations that would not meet the FIPS requirements. More information is available at http://csrc.nist.gov/groups/STM/cmvp/
When NIST SP 800-171 requires cryptography, it is to protect the confidentiality of CUI. Accordingly, FIPS-validated cryptography is required to protect CUI, typically when it is transmitted or stored outside the protected environment of the company’s information system (including wireless/remote access) if not separately protected (e.g., by a protected distribution system). FIPS-validated cryptography is required whenever encryption is required to protect covered defense information in accordance with NIST SP 800-171 or by another DFARS contract provision. Encryption used for other purposes, such as within applications or devices inside the protected environment of the covered contractor information system, does not need to be FIPS-validated. Note that any separate contract requirement (not currently in NIST SP 800-171) to encrypt data at rest (e.g., Personally Identifiable Information - PII) within the information system would require the use of FIPS-validated cryptography.
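As an added example (not part of the CMMC or NIST source text), the following Python script shows one way an assessor could carry out the "Perform Test On" item together with the FIPS-mode point made above: it parses remote-access session records, flags any session negotiated with an algorithm that is not FIPS-approved or with a protocol version below TLS 1.2, and interprets the Linux /proc/sys/crypto/fips_enabled flag so that a gateway operating outside its validated mode fails objective [b] regardless of the suite it chose. The record layout, gateway names, user names and FIPS-mode values are constructed for the example; the disallowed-token list is the example's own working approximation, and the authoritative list of approved algorithms for a given module is its CMVP security policy.

```python
"""Audit remote-access session records for FIPS-approved algorithms and FIPS mode.

Added example for assessment objectives [a] and [b]. The log lines, gateway
names and the fips_enabled contents below are constructed, not taken from a
real system. DISALLOWED_TOKENS is this example's own working list; the
authoritative list for a given module is its CMVP security policy.
"""
import re
from dataclasses import dataclass

# Tokens that identify an algorithm NIST does not approve for FIPS 140 use or
# has withdrawn: RC4, DES/3DES, MD5, NULL/export/anonymous suites, and
# ChaCha20-Poly1305 (not on the FIPS approved list).
DISALLOWED_TOKENS = {
    "RC4", "DES", "3DES", "CBC3", "MD5", "NULL", "EXP", "EXPORT",
    "ADH", "AECDH", "CHACHA20", "POLY1305",
}
# Protocol versions accepted by this check: TLS 1.2 and 1.3 (NIST SP 800-52
# Rev. 2 requires TLS 1.2 or later) and IKEv2 for IPsec.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3", "IKEv2"}

# Assumed (constructed) record layout:
#   <timestamp> <gateway> user=<name> proto=<version> cipher=<suite>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<gw>\S+)\s+user=(?P<user>\S+)\s+"
    r"proto=(?P<proto>\S+)\s+cipher=(?P<cipher>\S+)$"
)


@dataclass
class Finding:
    gateway: str
    user: str
    reason: str


def cipher_tokens(name):
    """Split an OpenSSL-, IANA- or strongSwan-style suite name into upper-case tokens."""
    return [t for t in re.split(r"[-_/]", name.upper()) if t]


def cipher_is_approved(name):
    """True when no disallowed algorithm appears and the bulk cipher is AES."""
    toks = cipher_tokens(name)
    if any(t in DISALLOWED_TOKENS for t in toks):
        return False
    return any(t.startswith("AES") for t in toks)


def fips_mode_enabled(fips_enabled_text):
    """Interpret the contents of /proc/sys/crypto/fips_enabled ('1' = kernel in FIPS mode)."""
    return fips_enabled_text.strip() == "1"


def audit(log_lines, fips_mode_by_gateway):
    """Return one Finding per problem: FIPS mode off, old protocol, or non-approved suite."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(Finding("?", "?", f"unparseable record: {line.strip()!r}"))
            continue
        gw, user, proto, cipher = m["gw"], m["user"], m["proto"], m["cipher"]
        # Objective [b]: a validated module only counts when operated in its
        # validated (FIPS) mode, so a gateway with FIPS mode off fails outright.
        if not fips_mode_by_gateway.get(gw, False):
            findings.append(Finding(gw, user, "gateway not operating in FIPS mode"))
        if proto not in ACCEPTED_PROTOCOLS:
            findings.append(Finding(gw, user, f"protocol {proto} not accepted"))
        if not cipher_is_approved(cipher):
            findings.append(Finding(gw, user, f"suite {cipher} uses a non-approved algorithm"))
    return findings


# Constructed sample data: four sessions across three gateways.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z vpn-gw1 user=alice proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384",
    "2024-03-01T10:05:00Z vpn-gw1 user=bob proto=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256",
    "2024-03-01T10:07:00Z vpn-gw2 user=carol proto=IKEv2 cipher=AES_CBC_256/HMAC_SHA2_256_128/MODP_2048",
    "2024-03-01T10:09:00Z legacy-gw user=dave proto=TLSv1.0 cipher=RC4-MD5",
]
# Constructed: what /proc/sys/crypto/fips_enabled reported on each gateway.
FIPS_MODE = {
    "vpn-gw1": fips_mode_enabled("1\n"),
    "vpn-gw2": fips_mode_enabled("1\n"),
    "legacy-gw": fips_mode_enabled("0\n"),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, FIPS_MODE):
        print(f"{f.gateway} {f.user}: {f.reason}")
```

Run as a script it lists four findings: bob's TLS 1.3 session on vpn-gw1 (ChaCha20-Poly1305 is not an approved algorithm even though the module may be validated), and three for dave on legacy-gw (FIPS mode off, TLS 1.0, RC4-MD5). In an actual assessment the FIPS-mode values would be collected from each gateway (for example `cat /proc/sys/crypto/fips_enabled` on Linux, or the vendor's FIPS-mode status command) and the records from the gateway's session logs, and the findings would be reconciled against the CMVP certificate cited in the system security plan.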
CMMC Practice Background and References (DOD, CMU)
Practice Discussion:
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
CMMC References:
- NIST SP 800-171 Rev 1 3.1.13
- CIS Controls v7.1 15.7, 15.8
- NIST CSF v1.1 PR.AC-3, PR.PT-4
- CERT RMM v1.2 KIM:SG4.SP1
- NIST SP 800-53 Rev 4 AC-17(2)