CMMC Update by Glenda R. Snodgrass for The Net Effect

March 6, 2024

The second most important control

A couple of weeks ago, I mentioned that I consider 3.1.3: Control the flow of CUI to be the most important of all 110 controls in NIST SP 800-171. This week I'm going to talk about what I consider the second most important -- and it's so important that it's also in the FAR 52.204-21 "Basic Safeguarding Rule" for FCI! In CMMC, it's a Level One control for FCI as well as a Level Two control for CUI:

CMMC Level One: AC.L1-b.1.iii – External Connections [FCI Data]
CMMC Level Two: AC.L2-3.1.20 – External Connections [CUI Data]

Verify and control/limit connections to and use of external information systems.

How would you assess your implementation of this control? Whether L1 for FCI or L2 for CUI, the control and the assessment objectives (AOs) are the same:

Determine if:

[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.

But we should probably start with the definition of an "external system":

External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of FCI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.

The most common external systems in organizations today are cloud services. There may also be third-party connections to your network for purposes of transferring data for processing. For example, those little counter boxes on the leased copy machines that send the page count to your vendor every week are external connections!

Okay, now that we understand what an external system is, let's turn to the three verbs in this control: verify, control and limit. These are the actions we need to take with respect to external systems. Let's go back to the AOs:

[a] connections to external systems are identified;
[b] the use of external systems is identified;

How do we identify connections to external systems? How do we identify the use of external systems? In NIST speak, "identify" generally means someone high up the org chart has made a decision about which of these things are okay and which are not. Assessors will be looking for a list of which external systems have been approved, who is using them, for what purpose, and how. A common example would be that everyone is authorized to use Office 365 for business email and file storage, but not for personal email or file storage.

I say this is the second most important control because in nearly every security assessment we have ever done, we have discovered (through employee interviews) that there are multiple cloud services in use that were never approved and have not been verified by IT.

[c] connections to external systems are verified;
[d] the use of external systems is verified;

So what does "verify" mean in this context? This is something many people misunderstand. Here, "verify" means that you have confirmed that the external system meets your organization's security requirements. If that external system will handle FCI, it needs to meet the requirements of the FAR 52.204-21 "Basic Safeguarding Rule." If it will handle CUI, it needs to meet the requirements of DFARS 7012 (and if it's a cloud service provider, it will also need to be FedRAMP Moderate Equivalent).

[e] connections to external systems are controlled/limited;
[f] the use of external systems is controlled/limited.

How do you control/limit connections to identified external systems? Well, perhaps you have a policy (with employee training) or a technical rule in place that O365 can only be accessed by company devices. Hopefully you have a policy (with employee training) on which cloud services are authorized to handle FCI and/or CUI. Maybe you have firewall rules in place that restrict that copy counter box to access only approved IP addresses? Do you have network rules in place to prevent that copy counter box from accessing your server? Do you have logging/monitoring/alerting in place that would warn you of unauthorized access, or if unauthorized cloud services were being used? Do you have a procedure in finance that all credit card charges are identified, and no cloud services may be paid for with company credit card unless they have written approval from someone in authority to use that cloud service?
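As an added illustration (not from this newsletter), here is a small check that flags two of the gaps described above from an egress log: use of an external system that is not on the approved list, and the copy counter box reaching anything other than its vendor. The log format, the approved-systems inventory, the internal address range and the copier/vendor addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory of approved external systems (the "identified" list from AOs [a]/[b]).
# Hypothetical entries; a real inventory is the organization's own approved list.
APPROVED = {
    "outlook.office365.com": "business email and file storage (FCI)",
    "copier-vendor.example": "leased copier page-count reporting (no FCI/CUI)",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")                  # constructed internal range
COPY_COUNTER = ipaddress.ip_address("10.0.5.20")               # constructed: the copier's counter box
COPY_COUNTER_ALLOWED = ipaddress.ip_network("203.0.113.0/24")  # constructed: vendor's addresses

@dataclass
class Finding:
    src: str
    dst: str
    reason: str

def is_approved(host):
    """Exact match or subdomain of an approved external system."""
    return any(host == a or host.endswith("." + a) for a in APPROVED)

def review(log_lines):
    """Return one Finding per log line that violates the approved-connections policy."""
    findings = []
    for line in log_lines:
        # Constructed egress-log format: "<ts> src=<ip> dst=<ip> host=<name> bytes=<n>"
        f = dict(kv.split("=", 1) for kv in line.split()[1:])
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src == COPY_COUNTER:
            # AO [e]: the counter box may only talk to its vendor, never to internal hosts
            if dst in INTERNAL:
                findings.append(Finding(f["src"], f["dst"], "copy counter reaching an internal host"))
            elif dst not in COPY_COUNTER_ALLOWED:
                findings.append(Finding(f["src"], f["dst"], "copy counter reaching a non-vendor address"))
        elif dst not in INTERNAL and not is_approved(f.get("host", "")):
            # AO [f]: use of an external system that was never approved (unsanctioned cloud service)
            findings.append(Finding(f["src"], f["dst"], f"unapproved external system: {f.get('host') or f['dst']}"))
    return findings

# Constructed sample egress log (not real traffic)
SAMPLE_LOG = """\
2024-03-06T09:01:02 src=10.0.2.15 dst=52.96.0.10 host=outlook.office365.com bytes=5120
2024-03-06T09:02:10 src=10.0.2.16 dst=198.51.100.7 host=share.cloud-storage.example bytes=904211
2024-03-06T09:03:30 src=10.0.5.20 dst=203.0.113.40 host=copier-vendor.example bytes=300
2024-03-06T09:04:01 src=10.0.5.20 dst=10.0.1.5 host= bytes=12000
2024-03-06T09:05:11 src=10.0.2.17 dst=10.0.1.5 host= bytes=777
""".splitlines()
```

Running `review(SAMPLE_LOG)` on the constructed log reports the unapproved file-sharing service and the counter box talking to an internal server, while the approved Office 365 and vendor connections pass.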

What are some other ways you can think of to control/limit connections to external information systems? I'd love to hear from you!

Meanwhile, if you need help with your CMMC preparation, you know where to find me!

How old is your SPRS self-assessment score? Might want to review this.



Sincerely,

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved.