DoD Contractor Considerations for CMMC Practice Guide AC.1.003

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

DoD Contractor Considerations for CMMC Practice Guide AC.1.003

CMMC Maturity Level (ML) 1 Practices: Overview of AC.1.003


Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive in to the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.


Practice Number: AC.1.003
Practice: Verify and control/limit connections to and use of external information systems.
Assessment Objectives
Determine if:
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] system access is limited to authorized users;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.

(source: CMMC ML-1 Assessment Guide)


Overview of AC.1.003

AC.1.003 focuses on controls around external systems that you use and that connect to your in-scope systems. The Assessment Objectives clearly identify a distinction between “connections to” and “the use of” external systems.

External system refers to systems or a component of a system that an entity does not control.

Connections to external systems refers network connections between your organization and external systems, for example where industry partners, subcontractors, and others might need to connect to your logistics system.

The use of external systems refers to systems to which an organization allows it employees to connect. The Assessment Guide specifically mentions personally owned devices connecting to corporate resources.

Connections to and the use of each have three requirements:

  • That they be identified
  • That they be verified
  • That they be controlled/limited

Identification and verification are subtly different, and in most cases, they will go hand in hand. Simply put, this will require the organization to have documented knowledge of (identified) and authorized (verified) the use of external systems, which employees may connect to or which may connect to the company’s network. For example, if an employee uses a VPN to connect to the company network, is that connection known to the technology team and has it been approved?


Key to Success
To demonstrate compliance with AC.1.003 more readily, organizations should consider centralizing an inventory of external systems, the nature of the connection (inbound/outbound/port/protocol/etc.), the approval for the connection, and a description of any technical controls that may be implemented to limit/control the use of or the connection to the external system.

Controlling and limiting connections could be any of a large variety of manual and technical controls that limits connections. Some examples of controls that satisfy the practice requirements are:

  • Employee owned laptops should not be able to connect to the corporate domain.
  • Inbound connections to company owned systems should, if practical, be allowed only from whitelisted IP addresses.
  • Third-party contractors who access the company’s network from the contractors’ devices/networks must do so from a virtual desktop infrastructure (VDI) solution.

AC.1.003 Example

Prime Contractor A has a contract to organize a flight test and perform a survivability study on the telemetry data that is gathered during the flight test.  Contractor A has a robust analysis team but lacks the expertise to organize and execute the flight test itself.  Contractor A subcontracted the flight test to Contractor B, who specializes in flight tests.

To ingest flight test data, Contractor A has a web server with an API that is configured to receive data in a specified format. To grant Contractor B access to upload the data, an internal request from Contractor A’s Program Manager was submitted to the Chief Information Officer (CIO) who approved the request.  The CIO’s technology team communicated with Contractor B’s technology team and identified the IP address of Contractor B’s server that would be submitting the data.  Contractor B added the IP address to the allowed list on the firewall that protects the webserver and provided Contractor B an API key to authenticate their data transmissions.


Conclusion


This practice can be confusing because of how similar each of the Assessment Objectives appears and because the distinction between connections to and the use of is subtle. We do not recommend organizations be overly concerned in categorizing external systems as either systems that you use or connect to because the requirements are the same for each. Any external system, whether a connection is inbound or outbound, or it is a system that your employees use, are equally subject to the three requirements that you identify, verify, and control/limit.

Interested in learning more about CMMC services for your defense contracts? Contact us. We are here to help.

 

Share this Insight:

About the Author


Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Categories

Contact Us