By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
CMMC Maturity Level (ML) 1 Practices: Overview of AC.L1-3.1.20
Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.
|Practice: Verify and control/limit connections to and use of external information systems.|
|---|
|[a] connections to external systems are identified;|
|[b] the use of external systems is identified;|
|[c] connections to external systems are verified;|
|[d] system access is limited to authorized users;|
|[e] connections to external systems are controlled/limited; and|
|[f] the use of external systems is controlled/limited.|
(source: CMMC ML-1 Assessment Guide)
Overview of AC.L1-3.1.20
AC.L1-3.1.20 focuses on controls around external systems that you use and that connect to your in-scope systems. The Assessment Objectives clearly identify a distinction between “connections to” and “the use of” external systems.
External system refers to a system, or a component of a system, that the organization does not control.
Connections to external systems refers to network connections between your organization and external systems, for example where industry partners, subcontractors, and others might need to connect to your logistics system.
The use of external systems refers to systems to which an organization allows its employees to connect. The Assessment Guide specifically mentions personally owned devices connecting to corporate resources.
Connections to and the use of each have three requirements:
- That they be identified
- That they be verified
- That they be controlled/limited
Identification and verification are subtly different, and in most cases, they will go hand in hand. Simply put, this will require the organization to have documented knowledge of (identified) and authorized (verified) the use of external systems, which employees may connect to or which may connect to the company’s network. For example, if an employee uses a VPN to connect to the company network, is that connection known to the technology team and has it been approved?
|Key to Success|
|---|
|To demonstrate compliance with AC.L1-3.1.20 more readily, organizations should consider centralizing an inventory of external systems, the nature of the connection (inbound/outbound/port/protocol/etc.), the approval for the connection, and a description of any technical controls that may be implemented to limit/control the use of or the connection to the external system.|
Controlling and limiting connections could be any of a large variety of manual and technical controls that limit connections. Some examples of controls that satisfy the practice requirements are:
- Employee owned laptops should not be able to connect to the corporate domain.
- Inbound connections to company owned systems should, if practical, be allowed only from whitelisted IP addresses.
- Third-party contractors who access the company’s network from the contractors’ devices/networks must do so from a virtual desktop infrastructure (VDI) solution.
Prime Contractor A has a contract to organize a flight test and perform a survivability study on the telemetry data that is gathered during the flight test. Contractor A has a robust analysis team but lacks the expertise to organize and execute the flight test itself. Contractor A subcontracted the flight test to Contractor B, who specializes in flight tests.
To ingest flight test data, Contractor A has a web server with an API that is configured to receive data in a specified format. To grant Contractor B access to upload the data, an internal request from Contractor A’s Program Manager was submitted to the Chief Information Officer (CIO), who approved the request. The CIO’s technology team communicated with Contractor B’s technology team and identified the IP address of Contractor B’s server that would be submitting the data. Contractor A’s technology team added the IP address to the allowed list on the firewall that protects the web server and provided Contractor B an API key to authenticate their data transmissions.
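The following is an added example, not code from the article or from any contractor it describes. It ties the centralized inventory suggested under Key to Success to the Contractor A / Contractor B scenario: each inventory row records who the external system is, the direction, port and protocol of the connection, who approved it, and the hash of the API key issued to the partner. A hypothetical `verify_inbound` function then checks an incoming connection against that inventory and reports which objective failed (not identified, not verified, or not controlled), which is the kind of evidence an assessor can trace back to the record. The system names, IP ranges and API keys are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ExternalSystem:
    """One row of the external-system inventory (Assessment Objective [a]/[b]: identified)."""
    name: str
    direction: str                 # "inbound" or "outbound"
    protocol: str                  # application protocol the partner is approved for, e.g. "https"
    port: int
    allowed_cidrs: tuple           # source networks permitted to connect (control/limit)
    approved_by: Optional[str]     # who authorized the connection (verified); None = not yet approved
    api_key_sha256: Optional[str] = None   # hash of the API key issued to the partner, if any


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed sample inventory. Addresses are from documentation ranges and the
# keys are placeholders; none of this refers to a real system.
INVENTORY = (
    ExternalSystem("Contractor B flight-test server", "inbound", "https", 443,
                   ("203.0.113.10/32",), "CIO", _sha256("CONSTRUCTED-API-KEY-B")),
    ExternalSystem("Vendor C (request submitted, not yet approved)", "inbound", "https", 443,
                   ("198.51.100.0/24",), None, _sha256("CONSTRUCTED-API-KEY-C")),
)


def verify_inbound(source_ip: str, port: int, protocol: str, api_key: str) -> Tuple[bool, str]:
    """Decide whether an inbound connection is identified, verified and controlled.

    Returns (allowed, reason). Every denial names the objective that failed so the
    decision can be logged and reviewed against the inventory record.
    """
    addr = ipaddress.ip_address(source_ip)
    # [a] identified: is there an inventory entry whose allowed networks cover this source?
    matches = [s for s in INVENTORY
               if s.direction == "inbound"
               and any(addr in ipaddress.ip_network(cidr) for cidr in s.allowed_cidrs)]
    if not matches:
        return False, "not identified: source address is not in the external-system inventory"

    reason = ""
    for system in matches:
        # [c] verified: the connection must carry a recorded approval
        if system.approved_by is None:
            reason = f"not verified: {system.name} has no recorded approval"
            continue
        # [e] controlled/limited: only the approved port/protocol and credential are accepted
        if (system.port, system.protocol) != (port, protocol):
            reason = (f"not controlled: {system.name} is approved for "
                      f"{system.protocol}/{system.port} only")
            continue
        if system.api_key_sha256 is not None and not hmac.compare_digest(
                system.api_key_sha256, _sha256(api_key)):
            reason = f"not controlled: API key presented for {system.name} does not match"
            continue
        return True, f"allowed: {system.name} (approved by {system.approved_by})"
    return False, reason


if __name__ == "__main__":
    # Constructed connection attempts, one per outcome the inventory can produce.
    for attempt in (("203.0.113.10", 443, "https", "CONSTRUCTED-API-KEY-B"),
                    ("203.0.113.10", 443, "https", "wrong-key"),
                    ("203.0.113.10", 22, "ssh", "CONSTRUCTED-API-KEY-B"),
                    ("198.51.100.7", 443, "https", "CONSTRUCTED-API-KEY-C"),
                    ("192.0.2.5", 443, "https", "anything")):
        allowed, why = verify_inbound(*attempt)
        print(f"{attempt[0]:>14} {attempt[2]}/{attempt[1]}: {'ALLOW' if allowed else 'DENY '} - {why}")
```

The inventory stores only a hash of each API key, and the comparison uses `hmac.compare_digest`, so the record can be shared with an assessor without exposing the credential. In practice the firewall allow list enforces the source-address check before the web server sees the request; the function above shows how the same inventory row drives both the network control and the application-level check, which is what keeps the two from drifting apart.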
This practice can be confusing because of how similar each of the Assessment Objectives appears and because the distinction between connections to and the use of is subtle. We do not recommend that organizations be overly concerned about categorizing external systems as either systems that you use or systems that you connect to, because the requirements are the same for each. Any external system, whether the connection is inbound or outbound, or it is a system that your employees use, is equally subject to the three requirements: that you identify, verify, and control/limit it.
Interested in learning more about CMMC services for your defense contracts? Contact us. We are here to help.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.