August 18, 2021
Good morning, everyone!
In this next segment of my series “Understanding the CMMC assessment guides” I want to look at the very first practice in ML1, which is also one of the most misunderstood practices (in my experience over the past few years).
AC.1.001: “Authorized” users vs. “Authenticated” users
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
What does this mean exactly? The most common thing I hear is “All our users have their own logins and passwords.” Okay, that’s a good basic security practice, but it doesn’t address AC.1.001. Those are authenticated users (which meets an objective of IA.1.077), but they aren’t necessarily “authorized” users. What is an authorized user?
In the context of CMMC (and NIST SP 800-171), “authorized users” are the individuals who require access to FCI/CUI to perform their job duties. Quoting the NIST CSRC definition of “authorized user” at https://csrc.nist.gov/glossary/term/authorized_user:
Any appropriately cleared individual with a requirement to access an information system (IS) for performing or assisting in a lawful government purpose.
The key phrase is “requirement to access.” Employees who do not require access to FCI/CUI are not authorized users. “System access” (where the system includes anywhere that FCI/CUI is “stored, processed or transmitted”) must be restricted to authorized users, rather than being accessible to large swaths of the employee base.
How do you identify authorized users? Someone in authority needs to make that decision, and it needs to be written down. There should be a written policy and a standard, documented process. For example, when a new contract is received, the person or group with primary responsibility for that contract decides who will be working on it. They then notify the designated person in the IT department that this list of people needs access to that contract’s data. (Not all contract data! Just *this* contract’s data.) They may also need to notify someone in physical security that this list of people will need access to the work areas for this contract. The details will vary according to each organization and contract, but the principle (and the process) is the same.
The people on this list are now authorized users. Make sense?
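To make the authenticated/authorized distinction concrete, here is an added example in Python (it is not from the original post and not any particular tool’s code): a small per-contract authorization registry in which having a login is one gate and being named on a contract’s authorized list is a separate one. The user names, contract names and the approver “dana” are constructed for illustration; in practice the registry would be whatever written record backs your directory groups or file-share ACLs.

```python
"""Added example, not code from the original post: a minimal authorization
registry that keeps "authenticated" (has a login) separate from "authorized"
(named, in writing, for a specific contract's FCI/CUI). Every user, contract
and approver name below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One written authorization decision: who, for which contract, by whom."""
    user: str
    contract: str
    authorized_by: str   # the person with authority over the contract
    granted_on: date


class AuthorizationRegistry:
    """Per-contract authorized-user lists. Deny by default: no grant, no access."""

    def __init__(self) -> None:
        self._grants: dict = {}      # (user, contract) -> Grant
        self._log: list = []         # audit trail an assessor can ask for

    def grant(self, user: str, contract: str, authorized_by: str,
              when: Optional[date] = None) -> None:
        when = when or date.today()
        self._grants[(user, contract)] = Grant(user, contract, authorized_by, when)
        self._log.append(f"{when} GRANT {user} -> {contract} by {authorized_by}")

    def revoke(self, user: str, contract: str, revoked_by: str,
               when: Optional[date] = None) -> None:
        when = when or date.today()
        # Removing the grant is what ends authorization; the login may live on.
        self._grants.pop((user, contract), None)
        self._log.append(f"{when} REVOKE {user} -> {contract} by {revoked_by}")

    def is_authorized(self, user: str, contract: str) -> bool:
        return (user, contract) in self._grants

    def authorized_users(self, contract: str) -> list:
        """The list an assessor expects to see for AC.1.001: who, for this contract."""
        return sorted(u for (u, c) in self._grants if c == contract)

    def audit_log(self) -> list:
        return list(self._log)


def access_contract_data(registry: AuthorizationRegistry,
                         authenticated_users: set,
                         user: str, contract: str) -> str:
    """Two distinct gates. Passing the first does not imply the second."""
    if user not in authenticated_users:
        return "denied: not authenticated"                  # IA.1.077 gate
    if not registry.is_authorized(user, contract):
        return "denied: authenticated but not authorized"   # AC.1.001 gate
    return "granted"


def demo() -> dict:
    """Constructed scenario: everyone has a login, only some are authorized."""
    accounts = {"alice", "bob", "carol"}      # all three can log in
    reg = AuthorizationRegistry()
    # The contract lead (constructed name "dana") decides who works on CONTRACT-A
    # and notifies IT; that written decision is the grant.
    reg.grant("alice", "CONTRACT-A", authorized_by="dana", when=date(2021, 8, 1))
    reg.grant("bob", "CONTRACT-A", authorized_by="dana", when=date(2021, 8, 1))
    # Bob rolls off the contract; his login stays, his authorization does not.
    reg.revoke("bob", "CONTRACT-A", revoked_by="dana", when=date(2021, 8, 15))
    return {
        "alice_A": access_contract_data(reg, accounts, "alice", "CONTRACT-A"),
        "carol_A": access_contract_data(reg, accounts, "carol", "CONTRACT-A"),
        "alice_B": access_contract_data(reg, accounts, "alice", "CONTRACT-B"),
        "bob_A": access_contract_data(reg, accounts, "bob", "CONTRACT-A"),
        "mallory_A": access_contract_data(reg, accounts, "mallory", "CONTRACT-A"),
        "list_A": ",".join(reg.authorized_users("CONTRACT-A")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Carol has a perfectly good login and is still refused, Alice is authorized for one contract but not another, and Bob’s access ends when the contract lead revokes it even though his account is untouched. The `authorized_users()` list and the audit log are the kind of written evidence an assessor will ask for when checking this practice.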
Remember that CMMC is a data-centric model: it is not about securing systems or facilities for their own sake, it is about protecting specific data anywhere it is stored, processed or transmitted. This may require restricting access at a much finer level than your organization is currently practicing.
As you begin preparing for your eventual CMMC assessment, you need to take a hard look at how you protect FCI/CUI, and make certain that only authorized users have access to those systems, and that even authorized users have access only to the protected data they need to access in order to perform their jobs.