April 19, 2023
Commonly misunderstood practices in CMMC
One of the most interesting and useful aspects of the Certified CMMC Assessor (CCA) class I recently finished was learning the true meaning behind some of the most misunderstood practices in CMMC, both L1 and L2 (note that of the three controls I discuss in this edition, two are L1 and one is L2). Truthfully, a few of these I had even misunderstood myself. Here are three I'd like to share with you this week:
SC.L1-3.13.5 Public-Access System Separation: "Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks."
I have found two aspects of this practice that are often misunderstood:
- "Publicly accessible system components" -- most people assume this means websites. Yes, it does, but the CMMC L2 Assessment Guide (in AC.L1-3.1.22 Discussion) tells us that publicly accessible systems are "accessible to the public, typically without identification or authentication." Additional examples given are "VPN gateways, publicly accessible cloud services."
- Logical separation is typically accomplished through virtual LANs (VLANs) or DMZs. It is important to note, however, that logical separation is only accomplished if the VLAN/DMZ has access controls that restrict traffic to and from the protected environment(s), preferably deny by default and allow by exception (see SC.L2-3.13.6).
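As an added example (not from the original post), here is a small Python check of the kind an assessor could apply to a zone policy: it models the rules between a DMZ and the internal network and reports whether the policy is deny by default with narrow exceptions. The zone names, rule fields and both sample policies are constructed for this example.

```python
"""Check whether a DMZ/internal zone policy actually provides logical separation.

A VLAN or DMZ only separates the zones when the default between them is deny
and every allow rule is a narrow exception. Zone names, rule fields and the
sample policies below are constructed for this example.
"""
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    src: str     # source zone name, or "*" for any
    dst: str     # destination zone name, or "*" for any
    proto: str   # "tcp", "udp" or "*"
    port: str    # destination port as a string, or "*"
    action: str  # "allow" or "deny"

def first_match(rules, default, src, dst, proto, port):
    """Action for a flow: the first matching rule's action, else the zone default."""
    for r in rules:
        if (r.src in (ANY, src) and r.dst in (ANY, dst)
                and r.proto in (ANY, proto) and r.port in (ANY, port)):
            return r.action
    return default

def assess_separation(rules, default, dmz="dmz", internal="internal"):
    """Return findings; an empty list means deny-by-default, allow-by-exception."""
    findings = []
    if default != "deny":
        findings.append("default policy between the zones is allow, not deny")
    for r in rules:
        if r.action != "allow":
            continue
        crosses = ((r.src in (ANY, dmz) and r.dst in (ANY, internal))
                   or (r.src in (ANY, internal) and r.dst in (ANY, dmz)))
        # Any wildcard in an allow rule that crosses the boundary is too broad.
        if crosses and ANY in (r.src, r.dst, r.proto, r.port):
            findings.append(f"broad allow rule across the DMZ boundary: {r}")
    return findings

# Constructed: a DMZ that is a separate VLAN in name only.
WEAK_RULES = [Rule("dmz", "internal", "*", "*", "allow")]
WEAK_DEFAULT = "allow"

# Constructed: deny by default, allow by exception (the SC.L2-3.13.6 posture).
HARDENED_RULES = [
    Rule("internal", "dmz", "tcp", "443", "allow"),   # staff reach the web tier
    Rule("dmz", "internal", "tcp", "5432", "allow"),  # web tier reaches only the DB port
]
HARDENED_DEFAULT = "deny"
```

Running `assess_separation` on the weak policy yields two findings, while the hardened policy yields none, even though both put the web tier on its own VLAN.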
AC.L1-3.1.20 External Connections: "Verify and control/limit connections to and use of external information systems."
It's the "Verify" that is often misunderstood. It is typically understood to mean that the connections to external systems must be verified, but reading the CMMC L2 Assessment Guide Discussion, we find:
Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. [...] Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means
So this control is actually requiring you to verify that any external systems in use are actually implementing the security controls necessary to protect the information they are processing, storing or transmitting for you. Too many organizations believe that using cloud services is a "Get out of CMMC Free Card," but it's not. If you are using cloud services to process, store or transmit protected data (whether FCI or CUI), it is your responsibility to understand the requirements and verify that the cloud service is meeting them.
SC.L2-3.13.13 Mobile Code: "Control and monitor the use of mobile code."
I have seen a lot of SSPs mark this one N/A (and remember, you really don't want to mark anything N/A). When I ask what is the justification for this, they say "we don't have any mobile apps" or "we don't allow mobile devices." That's not what this control is about!
In this instance, the word "mobile" refers to the code's ability to be run on different platforms, with or without the knowledge and consent of the user.
How are you controlling and monitoring the use of mobile code in your information systems?
Need help? You know where to find me!