March 13, 2024
When you're lost, dive into the AOs
This past week, a newbie to an online forum focused on 800-171 asked for help with 3.4.2 ("Establish and enforce security configuration settings for information technology products employed in organizational systems.") This person wrote "I'm kind of lost. How exactly do I do this?"
My advice was to step through the assessment objectives (AOs) in 800-171a. That's where all the answers lie! AOs are also called "determination statements" because they all start with "Determine if ..." For this control, 3.4.2, we have only two (whew!).
Determine if:
[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration.
What does "established" mean? Remember, it's important to learn "NIST speak" if you plan to achieve CMMC L2 compliance. In this context, established means that someone has made a decision and made that decision known, typically through documentation.
Let's take your firewall rules for example. If I look at your firewall configuration, I may see that certain countries are blocked entirely (typically enemies of the US and other countries with known threat actors). How did those blocks get put in? Someone decided that this was a prudent thing to do. Who decided that? Under what authority?
There should be a record of this somewhere. A support ticket, an email from the business owner, a hand-written notation on the recommended settings document provided by the vendor who sold you the firewall, a notation in the firewall configuration file itself. This record proves that a baseline configuration setting was established. If this setting is actually in place in the firewall configuration file, then a copy of that should be stored somewhere as the baseline configuration for the firewall.
Determine if:
[b] security configuration settings for information technology products employed in the system are enforced.
Is the configuration actually done in the firewall? Does it work? This might need to be tested, and the test could be documented.
Now you have met these two AOs for your firewall, and you have documented them. You have evidence for your assessment. Good job!
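Here is an added example of how the two AOs above can be checked and documented for a firewall; it is illustration written for this page, not code from the newsletter's author. The baseline format, the parsed running configuration, the setting names and the ticket references are all constructed assumptions and do not reflect any vendor's real syntax. The baseline carries the "established" evidence for AO [a] (who decided, and where that decision is recorded); the check against the running configuration and the resulting record are the "enforced" test for AO [b].

```python
"""Added example (not from the newsletter): compare a documented firewall baseline
with the running configuration and emit an evidence record for 3.4.2.

Every value below is constructed for illustration. Setting names, the config
layout and the ticket ids are assumptions, not any real product's syntax.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# AO [a]: the baseline. Each setting records WHO decided it and WHERE that
# decision is documented (that is what "established" means). Ticket ids are
# placeholders.
BASELINE = {
    "geo_block": {
        "value": ["CN", "RU", "KP", "IR"],
        "authority": "ISSO",
        "record": "TICKET-PLACEHOLDER-1",
    },
    "default_inbound": {
        "value": "deny",
        "authority": "ISSO",
        "record": "TICKET-PLACEHOLDER-2",
    },
    "mgmt_interface_ssh": {
        "value": "internal_only",
        "authority": "IT Manager",
        "record": "TICKET-PLACEHOLDER-3",
    },
}

# Constructed sample of a firewall config export after parsing to key/value
# form (no real vendor syntax implied). It contains one drift and one setting
# nobody documented a decision for.
RUNNING_CONFIG = {
    "geo_block": ["CN", "RU", "KP"],       # "IR" missing: drift from baseline
    "default_inbound": "deny",
    "mgmt_interface_ssh": "internal_only",
    "snmp_community": "public",            # present, but not in the baseline
}


@dataclass
class Finding:
    setting: str
    expected: object
    actual: object
    status: str  # "MET", "NOT MET" or "UNBASELINED"


def _normalize(value):
    # Lists compare order-insensitively; everything else compares as-is.
    return sorted(value) if isinstance(value, list) else value


def check_enforcement(baseline, running):
    """AO [b]: is every established setting actually in effect?"""
    findings = []
    for name, spec in baseline.items():
        actual = running.get(name)
        met = _normalize(actual) == _normalize(spec["value"])
        findings.append(Finding(name, spec["value"], actual, "MET" if met else "NOT MET"))
    # A setting in effect with no documented decision behind it was never
    # "established", so flag it for review instead of silently accepting it.
    for name, actual in running.items():
        if name not in baseline:
            findings.append(Finding(name, None, actual, "UNBASELINED"))
    return findings


def control_met(findings):
    """3.4.2 is MET only when every finding is MET (a gap in [a] or [b] fails it)."""
    return all(f.status == "MET" for f in findings)


def evidence_record(baseline, findings):
    """Build the artifact an assessor can be shown: what was decided, by whom,
    where that is recorded, and what the enforcement test found."""
    return {
        "control": "3.4.2",
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "baseline_provenance": {
            name: {"authority": spec["authority"], "record": spec["record"]}
            for name, spec in baseline.items()
        },
        "findings": [asdict(f) for f in findings],
        "result": "MET" if control_met(findings) else "NOT MET",
    }


if __name__ == "__main__":
    results = check_enforcement(BASELINE, RUNNING_CONFIG)
    print(json.dumps(evidence_record(BASELINE, results), indent=2))
```

Run against the constructed data, the geo-block drift and the undocumented SNMP community both surface as findings, so the control scores NOT MET even though two of the three baselined settings are in place; that is exactly the "every AO must be met" rule the newsletter describes, applied per setting.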
Seriously, I cannot stress enough the importance of NIST SP 800-171a in your compliance program. Remember, a control is not MET unless every one of the AOs for that control is MET. If you aren't paying attention to the AOs, you are probably overscoring yourself. An assessor will catch this pretty quickly.
If you are lost, too, you know where to find me!
Upcoming Virtual Workshops:
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!