When educating people on a complex, multi-dimensional topic, the best place to start is with its key, foundational information. That’s exactly what Celerium’s Certified CMMC Professional Course (CCP) does – it conveys the fundamental knowledge needed to train professionals supporting the implementation of CMMC.
Access Control (AC)
Audit & Accountability (AU)
Awareness & Training (AT)
Configuration Management (CM)
Identification & Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
Systems & Communications Protection (SC)
System & Information Integrity (SI)
Sponsored by Celerium
Sponsored by Celerium
These online-only courses provide CMMC training to companies looking to comply with CMMC. The courses are created by an experienced team of cybersecurity implementers with years of experience on NIST standards.
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait -- get started on your CMMC assessment preparation now.
DOMAIN: Access Control |
Practice:AC.L2-3.1.10
|
CAPABILITY: C002 Control Internal system access
|
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. |
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Demonstration of system pattern-hiding display images which can include static or dynamic images, such as patterns used with screen savers, photographic or clock images.
· Evidence of pattern hiding displays used when sessions are locked, and that session is locked after defined period of inactivity.
Click here to see details
Practice:AC.L2-3.1.11
|
CAPABILITY: C002 Control Internal system access
|
Terminate (automatically) user sessions after a defined condition. |
Threat Actors:
Session hijacking is a type of web attack that takes advantage of the active sessions and can be attempted if the attacker has your session ID. There are two primary session hijack methods:
i) Active: The attacker will take over the clients’ position in the communication exchange between the workstation and the server and act as one of the participants
ii) Passive: The attacker monitors traffic between the workstation/server looking for valuable data to intercept/steal.
An attacker could steal your session ID by doing the following:
i) Cross-site scripting can gather a session ID by running malicious code/script from the client side.
ii)An attacker could use a packet sniffer to obtain the session ID.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the followingLists of organizationally defined conditions or trigger events that require an automatic session termination and inspect system configuration settings accordingly.
Click here to see details (additional assessment notes available)
Practice:AC.L2-3.1.12
|
CAPABILITY: C003 Control remote system access
|
Monitor and control remote access sessions. |
Threat Actors:
i) may use remote access software to target systems within networks.
ii) may use remote access protocols such as port 3389 to establish a remote desktop protocol session
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following· Policy and procedures to determine how the organization approves, manages, and monitors all user remote access.
· What protections are in place to limit remote access to only authorized users
· Are remote access sessions logged?
· Are remote access sessions encrypted?
· How access rights and restrictions applied to remote user connections
Remote access is defined as "user" access to an organization's system from an external network such as the internet.
Click here to see details
Practice:AC.L2-3.1.13
|
CAPABILITY: C003 Control remote system access
|
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
Threat Actors:
Threat actors can compromise unsecured remote access sessions and infiltrate your network. Ransomware specifically designed to be deployed via Remote desktop Protocol includes strains such as CryptON, LockCrypt, Scarabey, Horsuke, SynAck, Bit Paymer, RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA, and Globe.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following· An inventory of applications providing remote access.
· List of encryption methods used for protecting confidentiality and the integrity of remote sessions.
· Procedures addressing remote access
Click here to see details
Practice:AC.L2-3.1.14
|
CAPABILITY: C003 Control remote system access
|
Route remote access via managed access control points. |
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Policy and procedures addressing remote access to the system.
· List of all managed network access points
· External scans to identify any unauthorized access into the system.
There is also an expectation that management and configuration is under one departmental control and responsibility.
Click here to see details (additional assessment notes available)
Practice:AC.L2-3.1.15
|
CAPABILITY: C003 Control remote system access
|
Authorize remote execution of privileged commands and remote access to security-relevant information. |
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Organization policy, procedures for remote access system configurations and audit records of authorized remote access.
· Access control policy and system security settings where remote access is restricted.
Click here to see details
Practice:AC.L2-3.1.16
|
CAPABILITY: C002 Control Internal system access
|
Authorize wireless access prior to allowing such connections. |
Threat Actors:
i) may attempt a wardriving tactic where the hacker drives around looking for weak Wi-Fi networks. They typically map the locations and record the networks' names (SSIDs) and encryption settings.
ii) may attempt network sniffing where attackers monitor ("sniff") Wi-Fi network traffic in search of user names, passwords, and other personally identifiable information (PII).
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following· Policy, or procedure established for access and management of wireless access devices.
· System Security Plan to examine who approves the use of wireless technologies, what technologies are used, and how wireless access devices are monitored and controlled.
· Wireless access capabilities such as secure method used for authentication and encryption.
Click here to see details
Practice:AC.L2-3.1.17
|
CAPABILITY: C002 Control Internal system access
|
Protect wireless access using authentication and encryption. |
Threat Actors:
i) may attempt a wardriving tactic where the hacker drives around looking for weak Wi-Fi networks. They typically map the locations and record the networks' names (SSIDs) and encryption settings.
ii) may attempt network sniffing where attackers monitor ("sniff") Wi-Fi network traffic in search of user names, passwords, and other personally identifiable information (PII).
Assessment NOTES: A CMMC assessor may want to review, observe, or test the followingLists of authorized users compared with system accounts for verification. The authorization list should be dated and signed by a designated individual who has been granted the role and responsibility for authorizing access to wireless communications.
Click here to see details (additional assessment notes available)
Practice:AC.L2-3.1.18
|
CAPABILITY: C002 Control Internal system access
|
Control connection of mobile devices. |
Threat Actors:
Threat actors/attackers can take advantage of several mobile threats, such as:
i) Malware/ransomware delivered via email or SMS
ii) Cryptocurrency mining
iii) Exploiting Android vulnerabilities
Corporate devices should never be connected to publicly available/unsecured Wi-Fi access points such as coffee shops or airports where network spoofing is prevalent.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following· System Security Plans or other policy for controlling mobile device connectivity.
· Mobile device authorizations and approvals for connection to organizational systems and networks.
· System configurations and settings for managing mobile device connectivity and audit records of mobile device connectivity to company systems and networks
Click here to see details
Practice:AC.L2-3.1.19
|
CAPABILITY: C004 Limit data access to authorized users and processes
|
Encrypt CUI on mobile devices and mobile computing platforms. |
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Mobile devices such as smart phones and tablets for configuration settings that enable full disk encryption (FDE).
· Vendor documentation and verification of encryption modules with NIST Cryptographic Model Validation Program (CMVP)
Practice:AC.L2-3.1.21
|
CAPABILITY: C001 Establish system access requirements
|
Limit use of portable storage devices on external systems. |
Threat Actors:
i) may use flash/thumb drives to install malicious software/malware
ii) may use external hard drives to install malicious software/malware
iii) may use a nefarious third party actor or conspirator to connect a malicious USB device to a computer so that malware can be installed
· Company documentation (such as policies and procedures) on the use of portable storage devices such as thumb drives or external hard disks.
· Documents or records to evidence how devices are controlled i.e., who approves, who assigns, what are the restrictions on how devices may be used?
Click here to see details
Practice:AC.L2-3.1.3
|
CAPABILITY: C004 Limit data access to authorized users and processes
|
Control the flow of CUI in accordance with approved authorizations. |
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Policy and procedures on methods used to control the flow of information within the organization.
· Additional information such as design documents to demonstrate mechanism enforced by network and application layer device configurations.
Flow control includes the use of network devices (such as routers and switches), firewalls, or other devices that regulate where information can travel within an information system or the organization.
Click here to see details
Practice:AC.L2-3.1.4
|
CAPABILITY: C002 Control Internal system access
|
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Administrator accounts and system user accounts to ensure that separate accounts are implemented.
· Roles and responsibilities for those with security and privileged access rights.
· Organizational policy and procedures for the use of accounts with privileged access rights.
Practice:AC.L2-3.1.5
|
CAPABILITY: C002 Control Internal system access
|
Employ the principle of least privilege, including for specific security functions and privileged accounts. |
Threat Actors:
i) may compromise a privileged user and use their account to gain further access within a network
ii) may take advantage of a company that does not practice the principle of least privilege by hacking into lower echelon users who are more susceptible to compromise via phishing
iii) may employ a privilege escalation tactic and elevate themselves through the system to gain access to sensitive/protected resources
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following· Selected user accounts and privileges
· Evidence that the organization restricts access to privileged functions and security information to authorized individuals.
The principle of "least privilege" requires that users, programs, or processes can only have access to information and resources that are needed and only those privileges that are essential for the intended function or purpose.
Click here to see details
Practice:AC.L2-3.1.6
|
CAPABILITY: C002 Control Internal system access
|
Use non-privileged accounts or roles when accessing non-security functions. |
Threat Actors:
i) may take advantage of the misuse of privileged/non-privileged accounts and access system resources that may otherwise be restricted to users with specific account permissions
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following· System configuration and account settings
· System audit records or related documentation
· List of system-generated security functions assigned to system accounts or roles
· List of administrative accounts or other users with privileged and non-privileged accounts and determine their intended use via demonstration or explanation.
It is a good security practice that privilege accounts are not used for non-privileged functions.
Click here to see details
Practice:AC.L2-3.1.7
|
CAPABILITY: C002 Control Internal system access
|
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. |
Threat Actors:
Threat actors can take advantage of both privileged and non-privileged accounts.
A successful attacker could:
i) compromise a privileged user and use their account to gain further access within a network
ii) take advantage of a company that does not practice the principle of least privilege by hacking into lower echelon users who are more susceptible to compromise via phishing
iii) employ a privilege escalation tactic and elevate themselves through the system to gain access to sensitive/protected resources
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following· Policy and procedures that addresses access to auditing of privileged functions.
· System user accounts and associated privileges to ensure that access to audit functions is limited to authorized security personnel.
Click here to see details
Practice:AC.L2-3.1.8
|
CAPABILITY: C002 Control Internal system access
|
Limit unsuccessful logon attempts. |
Threat Actors:
i) may perform a brute force logon tactic that could otherwise go unnoticed if the limiting of unsuccessful logon attempts is not practiced.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following· System limits the number of invalid logon attempts
· System is configured to lock users after a predetermined number of invalid attempts
· System enforces a limit on the number of consecutive invalid access attempts by a user during a specific time-period
Multiple unsuccessful logon attempts may indicate malicious attacks on the system.
Click here to see details
Practice:AC.L2-3.1.9
|
CAPABILITY: C001 Establish system access requirements
|
Provide privacy and security notices consistent with applicable CUI rules. |
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Logon screen display notices that users see upon initial logon, or when accessing a system
· The system use information displayed before granting access
· Records of user acknowledgements for system use notifications
· Policy or procedures to determine how often users are required to acknowledge system use notifications
Click here to see detailsCopyright © 2022 Celerium. All Rights Reserved.