By Thomas Gerke, Utah PTAC
There are 17 practices in CMMC Level 1 that also map to NIST 800-171 capabilities. They fall into four general domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communication Protection, and System and Information Integrity. Your clients should be implementing these right now. The CMMC says these practices are “performed” and not just documented, managed, or optimized. The first four practices are in the Access Control (AC) domain are:
- AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
- AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute
- AC.1.003 -Verify and control/limit connections to and use of external information systems
- AC.1.004-Control information posted or processed on publicly accessible information systems.
AC.1.001 is all about access to your system. It requires your clients to identify who is allowed to use company computers and then create separate accounts for each user. They need to have practices in place to disable an employee account when they leave the company. Any device connected to their network must be approved and they must know who owns them.
AC.1.002 is about what each user can access. Your clients should limit their employees’ access to only the information they need. For example, non-IT employees do not need “admin” rights to the system. And payroll and other HR functions should be limited to HR staff. Your clients should use permissions to limit who can view sensitive information about their federal contracts.
AC.1.003 is about not sharing the company network. Your clients must keep their company network and computers separate from other businesses or their home network. For example, if they share a Wi-Fi network with other businesses in the same building there is the possibility of a breach. How many of your clients are in incubator or shared facilities? Does that present a problem? It is something for your clients to consider. Don’t put sensitive information on a device or network that isn’t secure.
AC.1.004 is about the cloud. Does your client use cloud storage? Things like Google Drive and Dropbox allow anonymous access without a password if you have not set the proper controls. Your clients need to make sure their accounts have good passwords. It could mean implementing a two-step authentication process. By now we are all familiar with the process of receiving a text or email with a one-time code for our banking transactions.