This post discusses strategies for monitoring the effectiveness of security requirements. Control assessments are infrequent, often occurring only once per year; continuous monitoring activities provide better ongoing awareness of threats, vulnerabilities, and control effectiveness.
NIST SP 800-137 defines the information security continuous monitoring (ISCM) process:
Define an ISCM strategy
Establish an ISCM program
Implement an ISCM program
Analyze data and report findings
Respond to findings
Review and update the ISCM strategy and program
The purpose of this post is to define an ISCM for CMMC Level 1 security requirements. The proposed ISCM consists of the tasks described in the sections below.
Adopting these tasks does not by itself constitute implementation of CMMC Level 1. Rather, these activities supplement the configuration of hardware and software. A continuous monitoring responsibility matrix identifies the assessment objectives met by these activities.
Create and Maintain a List of Authorized Accounts
This task focuses on maintaining account authorizations for persons and non-person entities (NPEs).
ICS 500-30 defines several types of non-person entities, including:
servers
services
processes
applications
end-point devices
network devices
ICS 500-30 also identifies attributes relevant to authorized accounts, including:
Unique digital identifier
Entity type
Life cycle status (for NPEs)
Role
Each account requires an authorization, which should come from the CIO/CISO or their delegate. AC-2 in NIST SP 800-53 requires that authorization occur before access is granted.
Once the list is developed, the tasks in the following sections help keep it current:
Maintaining an authorized account list helps meet the following CMMC Level 1 objectives:
AC.L1-b.1.i(a) identifying authorized users
AC.L1-b.1.i(b) identifying processes acting on behalf of authorized users
Evidence:
procedures addressing account management
list of active system accounts and the names of the associated individuals
access authorization records
Policy Statement
Account Management
Requests to establish new accounts require appropriate authorization
System Access Briefings
Briefing users on their responsibilities helps ensure appropriate access and privileges. The DCSA Assessment and Authorization Process Manual Version 2.2 recommends covering:
Safeguarding information & systems
Protecting & acceptable media use
Authorized data and system use
Reporting security incidents
Challenging unauthorized personnel
Access aligns with approvals
Security and awareness training
Sign all logs, forms and receipts
MACD procedures
Copyright laws
Licensing agreements
Data transfer procedures
Social Media policy
Password requirements
Brief users before granting access to the system and once a year thereafter. Documenting briefings establishes evidence for the following CMMC Level 1 objectives:
AC.L1-b.1.i(a) identifying authorized users
AC.L1-b.1.i(d) limiting system access to authorized users
AC.L1-b.1.ii (a) defining the permitted types of transactions and functions
Evidence:
account management compliance reviews
Policy Statement
Account Management
IT reviews and monitors authorized accounts
Access Enforcement
Job requirements form the basis of authorizations granting access to systems and data.
Review of Account Access
Reviewing account access is best performed at the application layer, where the application manager knows the access requirements of every user.
NIST SP 800-12 provides some guidance on what to examine during these reviews:
Levels of access for each account
Conformity with the concept of least privilege
Whether all accounts are still active
Whether management authorizations are up-to-date
Completion of required training
Reviews should occur monthly. The reviewer should sign an access approval list that documents the approvals.
Documenting reviews establishes evidence for the following CMMC Level 1 objectives:
AC.L1-b.1.i(a) identifying authorized users
AC.L1-b.1.i(b) identifying processes acting on behalf of authorized users
AC.L1-b.1.i(d) limiting system access to authorized users
AC.L1-b.1.i(e) limiting system access to processes acting on behalf of authorized users
Evidence:
List of active system accounts and the names of the associated individuals
Notifications or records of recently transferred, separated, or terminated employees
List of recently disabled system accounts along with the names of associated individuals
Access authorization records
System audit logs and records
Policy Statement
Account Management
IT revokes access for any terminated users
IT disables accounts after 30 days of inactivity
IT tracks and monitors role assignments for privileged user accounts
IT disables or removes default accounts
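As an added example (not code from the original post), the following Python script performs the monthly account access review described above, and it also exercises the authorized account list from the earlier task by carrying the ICS 500-30 attributes (unique identifier, entity type, life cycle status, role). It runs over constructed sample data: an authorized account list, an export of system accounts with last-login dates, and a set of separation notices from HR. It flags enabled accounts that have no authorization record, accounts belonging to terminated users, accounts idle for more than 30 days, NPE accounts whose life cycle status is no longer active, and authorized accounts that were never provisioned. The approver field, the sample identifiers, and the dates are assumptions.

```python
"""Monthly account access review over constructed sample data (not from the post)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

INACTIVITY_LIMIT = timedelta(days=30)   # policy statement: disable after 30 days of inactivity


@dataclass(frozen=True)
class AuthorizedAccount:
    """One row of the authorized account list (ICS 500-30 attributes)."""
    identifier: str            # unique digital identifier
    entity_type: str           # "person" or an NPE type such as "service" or "device"
    role: str
    authorized_by: str         # assumed approver field: CIO/CISO or delegate
    lifecycle: str = "active"  # life cycle status, mainly relevant to NPEs


@dataclass(frozen=True)
class SystemAccount:
    """One row exported from the system (e.g. a directory); last_login None = never used."""
    identifier: str
    enabled: bool
    last_login: Optional[date]


def review_accounts(authorized: List[AuthorizedAccount],
                    system_accounts: List[SystemAccount],
                    terminated: Set[str],
                    today: date) -> Dict[str, List[str]]:
    """Return account identifiers grouped by finding type. Only enabled accounts raise findings."""
    by_id = {a.identifier: a for a in authorized}
    findings: Dict[str, List[str]] = {
        "not_authorized": [],   # enabled on the system but missing from the authorized list
        "terminated": [],       # HR separation notice received, account still enabled
        "inactive": [],         # no login within INACTIVITY_LIMIT, or never logged in
        "retired_npe": [],      # NPE whose life cycle status is no longer active
        "not_provisioned": [],  # authorized but no matching system account (informational)
    }
    seen = set()
    for acct in system_accounts:
        seen.add(acct.identifier)
        if not acct.enabled:
            continue                        # already disabled: nothing to revoke
        record = by_id.get(acct.identifier)
        if record is None:
            findings["not_authorized"].append(acct.identifier)
            continue                        # no authorization record to check against
        if acct.identifier in terminated:
            findings["terminated"].append(acct.identifier)
        if record.entity_type != "person" and record.lifecycle != "active":
            findings["retired_npe"].append(acct.identifier)
        if acct.last_login is None or today - acct.last_login > INACTIVITY_LIMIT:
            findings["inactive"].append(acct.identifier)
    for ident, record in by_id.items():
        if ident not in seen and record.lifecycle == "active":
            findings["not_provisioned"].append(ident)
    return findings


# Constructed sample data; none of these accounts are real.
TODAY = date(2024, 3, 31)
AUTHORIZED = [
    AuthorizedAccount("jdoe", "person", "engineer", "ciso"),
    AuthorizedAccount("asmith", "person", "finance", "ciso"),
    AuthorizedAccount("bkim", "person", "hr", "ciso"),
    AuthorizedAccount("svc-backup", "service", "backup", "ciso"),
    AuthorizedAccount("svc-legacy", "service", "legacy-sync", "ciso", lifecycle="retired"),
    AuthorizedAccount("newhire", "person", "engineer", "ciso"),
]
SYSTEM = [
    SystemAccount("jdoe", True, date(2024, 3, 28)),
    SystemAccount("asmith", True, date(2024, 1, 15)),    # last login more than 30 days ago
    SystemAccount("bkim", True, date(2024, 3, 20)),      # terminated but still enabled
    SystemAccount("svc-backup", True, date(2024, 3, 30)),
    SystemAccount("svc-legacy", True, date(2024, 3, 29)),  # retired NPE still enabled
    SystemAccount("contractor9", True, None),            # no authorization record at all
    SystemAccount("olduser", False, date(2023, 6, 1)),   # already disabled: no finding
]
TERMINATED = {"bkim"}


def run_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed data; returns the findings dictionary."""
    return review_accounts(AUTHORIZED, SYSTEM, TERMINATED, TODAY)


if __name__ == "__main__":
    for kind, ids in run_sample().items():
        print(f"{kind}: {', '.join(ids) or '-'}")
```

The findings map directly onto the policy statements: "terminated" and "inactive" are the accounts IT must disable, "not_authorized" is the gap between the system and the authorized account list, and a signed copy of the output serves as the access approval record for the month.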
Review of Account Types
Organizations may define account types to assign access privileges. Reviewing account types helps ensure compliance with account management requirements.
AC-2 within NIST SP 800-53 discusses some points to cover during these reviews:
Intended system usage
Temporary or emergency accounts are only utilized for a short period of time
No shared, group, anonymous, or guest accounts
Specialized training requirements for some types of system accounts
Organizations should perform this task at least quarterly. Documenting this review establishes evidence for the following CMMC Level 1 objectives:
AC.L1-b.1.ii (b) limiting system access to the defined types of transactions and functions
Evidence:
List of conditions for group and role membership
Policy Statement
Account Management
IT terminates access for temporary and emergency accounts when no longer needed
Update System Component Inventory
Organizations should maintain system component inventories, including system-specific information, for component accountability. Unauthorized devices leave the system exposed to exploitation, and an up-to-date inventory is also a prerequisite for effective patching. Given these risks, maintaining the component inventory requires frequent monitoring or automated tools that discover assets and catalog their hardware, software, and firmware.
NIST recommends recording the following attributes in the component inventory:
Software version numbers
Hardware inventory specifications
Software license information
Machine names
Network addresses (IPv4, IPv6)
Date of receipt
Make & Model
Supplier information
Component type
Physical location
Organizations should define a frequency for refreshing this information (hourly, daily, or weekly). The FedRAMP Moderate baseline requires updating the inventory at least monthly and whenever components are installed or removed. Updating the component inventory establishes evidence for the following CMMC Level 1 objectives:
AC.L1-b.1.i (c) identify devices (and other systems) authorized to connect to the system
AC.L1-b.1.i (f) limit system access to authorized devices (including other systems)
IA.L1-b.1.v (c) identify devices accessing the system
Evidence:
System monitoring records
System audit logs and records
List of devices and systems authorized to connect to organizational systems
Policy Statement
Mobile Devices
Only approved, owned, and maintained mobile devices may connect to the system
System Component Inventory
The IT department maintains an inventory of system assets that:
Reflects the current system
Includes all components within the authorization boundary
Includes granularity deemed necessary for tracking and reporting
Update Network Diagram
A network diagram shows one perspective of the network rather than the whole network: connections, layers of access, routing, or data flow. Diagrams should depict the components within the authorization boundary, along with:
Subnetting
Location of DNS servers
Organizations should update the network diagram at least once per year. Adding or removing system components should prompt more frequent updates.
Updating the network diagram establishes evidence for the following CMMC Level 1 objectives:
AC.L1-b.1.iii (a) identify connections to external systems
AC.L1-b.1.iii (b) identify the use of external systems
AC.L1-b.1.iii (e) control/limit connections to external systems
SC.L1-b.1.x (a) define the external system boundary
SC.L1-b.1.x (b) define key internal system boundaries
SC.L1-b.1.xi (a) identify publicly accessible system components
SC.L1-b.1.xi (b) separate subnetworks for publicly accessible system components from internal networks
Evidence:
system design documentation
system configuration settings and associated documentation
list of applications accessible from external systems
list of key internal boundaries of the system
boundary protection hardware and software
enterprise security architecture documentation
Policy Statement
Information System Connections
Only organization-owned authorized devices may connect to the network
Guest access is available on a separate network
Boundary Protection
The IT department will:
Implement a firewall at each internet connection
Implement a firewall between any DMZ and the internal network
Create and maintain current network diagrams
Restrict inbound and outbound traffic to authorized business purposes
Review Website Content
Organizations should review content on systems accessible to the public for nonpublic information. Systems accessible to the public include company-controlled websites, public forums and social media. If discovered, organizations should remove and address improper posting of nonpublic information.
Nonpublic information includes:
Information protected under the Privacy Act
Federal Contract Information (FCI)
Controlled Unclassified Information (CUI)
Proprietary information
The FedRAMP Moderate baseline requires at least a quarterly review [NIST SP 800-53 AC-22(d)]. Reviewing publicly accessible systems creates evidence for the following CMMC Level 1 objectives:
AC.L1-b.1.iv (d) review content on publicly accessible systems to ensure that it does not include FCI
AC.L1-b.1.iv (e) mechanisms are in place to remove and address improper posting of FCI
Evidence:
Records of publicly accessible information reviews
Records of response to nonpublic information on public websites
Policy Statement
Publicly Accessible Content
The Marketing department controls information posted on systems accessible to the public by:
Reviewing the content for nonpublic information
Removing nonpublic information if discovered
Maintain an Authorized Personnel Access List
Organizations should develop, approve, and maintain a list of personnel with authorized access. Access refers to areas within a physical space that are not accessible to the public. Organizations should issue credentials to authorized personnel. When access is no longer required, organizations should revoke access credentials.
Credentials may include:
Identification cards
Building passes
Keys
Smart cards
The FedRAMP Moderate baseline requires at least an annual review of the access list [NIST SP 800-53 PE-2(c)]. Reviewing the access list creates evidence for the following CMMC Level 1 objectives:
PE.L1-b.1.viii (a) - identify authorized individuals allowed physical access
PE.L1-b.1.viii (d) - limit physical access to environments to authorized individuals
Evidence:
Authorized personnel access list
Physical access list reviews
Policy Statement
Physical Access Authorizations
The security office:
approves and maintains a list of personnel with authorized access to the facility
reviews the access list and removes personnel no longer requiring access
Review Physical Access Logs
Organizations should maintain logs of access to areas not accessible to the public. This applies to employees, individuals with physical access authorization credentials, and visitors.
Visitor access records should include the following details:
Names and organizations
Visitor signatures
Forms of identification
Dates of access
Entry and departure times
Purpose of visits
Names and organizations of individuals visited
The FedRAMP Moderate baseline requires at least a monthly review of these logs [NIST SP 800-53 PE-6 (b) and PE-8 (b)]. Organizations should maintain records for at least one year [NIST SP 800-53 PE-8 (a)].
Reviewing physical access logs establishes evidence for the following CMMC Level 1 objectives:
PE.L1-b.1.ix (c) - maintain audit logs of physical access
Evidence:
Physical access control logs or records
Policy Statement
Physical Access Control
The security office:
Maintains and reviews physical access audit logs
Check for New Vulnerabilities
Organizations may identify potential system flaws through automated and manual methods. An automated method is running vulnerability scans on a scheduled frequency. A manual method is determining how each system component's manufacturer communicates security updates (typically mailing lists and RSS feeds) and subscribing to them; vendors sometimes issue advisories before a patch is available.
Another manual method is reviewing cybersecurity advisories from trusted sources:
US-CERT - Cybersecurity Subscriptions
Known Exploited Vulnerabilities Catalog
Cybersecurity Advisories
Vulnerability Bulletins
ICS Cybersecurity Advisories
CISA Community Bulletin
MS-ISAC - Public Subscriptions
Cybersecurity newsletters
Advisories on known vulnerabilities
How quickly an organization identifies flaws bounds how quickly it can report and correct them. The FedRAMP Moderate baseline requires installing security-relevant updates within 30 days of their release [NIST SP 800-53 SI-2 c]. The combined time to identify, report, and patch a flaw should therefore be no more than 30 days from release.
Checking for new vulnerabilities establishes evidence for the following CMMC Level 1 objectives:
SI.L1-b.1.xii (a) - specify the time within which to identify system flaws
SI.L1-b.1.xii (b) - identify system flaws within the specified time frame
Evidence:
List of flaws and vulnerabilities potentially affecting the system
Policy Statement
Security Alerts, Advisories, and Directives
The IT office analyzes security alerts and advisories and takes appropriate actions.
Vulnerability scanning
Vulnerability scanning activities include analysis of internal and external scans
Vulnerability Reporting
Organizations should have a documented process to analyze vulnerabilities and categorize their severity. Reporting should also include the appropriate risk response.
NIST SP 800-40 identifies the following risk responses to known vulnerabilities:
Accept
Mitigate
Transfer
Avoid
Mitigating activities may rely on the manufacturer releasing a patch. The organization may remove the vulnerable system component until the patch becomes available. NIST SP 1800-31 defines non-critical (routine) and critical (emergency) system patching:
Non-Critical System Patching - an established procedure that releases patches on a regular schedule. Routine patching covers endpoint firmware, operating systems, and applications, as well as server operating systems and applications.
Critical System Patching - an emergency procedure for extreme-severity vulnerabilities, including those with documented exploitation in the wild.
Because the FedRAMP Moderate baseline requires updates within 30 days of release [NIST SP 800-53 SI-2 c], the reporting step must leave enough of that window for correction. Reporting new vulnerabilities establishes evidence for the following CMMC Level 1 objectives:
SI.L1-b.1.xii (c) - specify the time within which to report system flaws
SI.L1-b.1.xii (d) - report system flaws within the specified time frame
Evidence:
List of flaws and vulnerabilities potentially affecting the system
Policy Statement
Vulnerability scanning
Vulnerability scanning activities include reporting identified vulnerabilities
System Patching
Organizations should follow a documented procedure for applying system patches. Planning patch deployments involves considering the type of software, platform, and environmental limitations. NIST SP 800-40 provides common steps for preparing to deploy a patch:
Prioritize the patch
Schedule patch deployment
Acquire the patch
Validate the patch
Test the patch
Monitor deployed patches
The FedRAMP Moderate baseline requires updates within 30 days of their release [SI-2 c], so identifying, reporting, and correcting a flaw must all complete within that window. Patching vulnerabilities establishes evidence for the following CMMC Level 1 objectives:
SI.L1-b.1.xii (e) - specify the time within which to correct system flaws
SI.L1-b.1.xii (f) - correct system flaws within the specified time frame
Evidence:
List of recent security flaw remediation actions performed on the system
List of installed patches, service packs, hotfixes, and other software updates
Test results from the installation of software and firmware updates to correct system flaws
Installation/change control records for security-relevant software and firmware updates
Policy Statement
Vulnerability scanning
Vulnerability scanning activities include remediation with a risk-based approach
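The following Python example is added here and is not from the original post; it ties together the Check for New Vulnerabilities, Vulnerability Reporting, and System Patching tasks. It matches a constructed component inventory (the machine name, product, and version attributes recorded in the inventory task) against constructed vendor advisories, classifies each match as routine or emergency using the NIST SP 1800-31 distinction the post cites (exploitation in the wild), and computes the correction deadline from the advisory release date, so that the 30-day FedRAMP window is measured from release rather than from the day the flaw was noticed. The product names, advisory identifiers, dates, and the 7-day emergency window are assumptions; the post does not specify an emergency timeframe.

```python
"""Flaw identification, prioritisation and deadline tracking over constructed data (not from the post)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

ROUTINE_WINDOW = timedelta(days=30)   # FedRAMP Moderate SI-2 c: install updates within 30 days of release
EMERGENCY_WINDOW = timedelta(days=7)  # assumed organisational value for exploited-in-the-wild flaws


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10). Numeric tuple comparison avoids the '2.4.9' > '2.4.10' string trap."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


@dataclass(frozen=True)
class Component:
    name: str      # machine name from the component inventory
    product: str   # software product as the vendor names it
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, e.g. a vendor bulletin number
    product: str
    fixed_in: str      # first version containing the fix
    released: date
    exploited_in_wild: bool = False


@dataclass
class Flaw:
    component: str
    advisory_id: str
    identified: date
    priority: str      # "emergency" or "routine" (NIST SP 1800-31 terms used in the post)
    due: date
    patched: Optional[date] = None

    def status(self, today: date) -> str:
        """Where the flaw stands relative to its deadline; feeds the vulnerability report."""
        if self.patched is not None:
            return "corrected-on-time" if self.patched <= self.due else "corrected-late"
        return "overdue" if today > self.due else "open"


def identify_flaws(inventory: List[Component], advisories: List[Advisory],
                   identified_on: date) -> List[Flaw]:
    """Cross-reference every inventory entry against every advisory for the same product."""
    flaws: List[Flaw] = []
    for comp in inventory:
        for adv in advisories:
            if adv.product != comp.product:
                continue
            if parse_version(comp.version) >= parse_version(adv.fixed_in):
                continue                              # already at or beyond the fixed version
            if adv.exploited_in_wild:
                priority, window = "emergency", EMERGENCY_WINDOW
            else:
                priority, window = "routine", ROUTINE_WINDOW
            # The clock starts at release, not at identification: late discovery eats into the window.
            flaws.append(Flaw(comp.name, adv.advisory_id, identified_on, priority, adv.released + window))
    return flaws


# Constructed sample data; products and advisory identifiers are fictional.
INVENTORY = [
    Component("web-01", "ExampleHTTPd", "2.4.1"),
    Component("web-02", "ExampleHTTPd", "2.4.3"),    # already at the fixed version
    Component("db-01", "ExampleDB", "14.2"),
    Component("ws-17", "ExampleOffice", "16.0.1"),   # newer than the affected branch
]
ADVISORIES = [
    Advisory("VEND-2024-001", "ExampleHTTPd", "2.4.3", date(2024, 3, 1), exploited_in_wild=True),
    Advisory("VEND-2024-002", "ExampleDB", "14.5", date(2024, 3, 10)),
    Advisory("VEND-2024-003", "ExampleOffice", "15.9", date(2024, 2, 20)),
]


def run_sample(today_iso: str = "2024-03-20") -> List[Tuple[str, str, str, str, str]]:
    """Identify flaws on 2024-03-12 and report their status as of today_iso."""
    today = date.fromisoformat(today_iso)
    flaws = identify_flaws(INVENTORY, ADVISORIES, identified_on=date(2024, 3, 12))
    return [(f.component, f.advisory_id, f.priority, f.due.isoformat(), f.status(today)) for f in flaws]


if __name__ == "__main__":
    for row in run_sample():
        print(" | ".join(row))
```

With the sample data, the exploited-in-the-wild advisory for web-01 is already overdue by the time it is identified on 12 March, which is exactly the case an emergency procedure exists for; the routine database flaw still has most of its 30-day window left. Feeding the output into the maintenance log closes the loop with the "list of recent security flaw remediation actions" evidence item.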
Develop and Maintain a Maintenance Log
Maintaining information systems is critical for performance. A Maintenance Log should record maintenance and diagnostic activities performed on system components. The maintenance log may include documentation on:
Configuration baseline
Change control board changes
System and log backups
Updated system components
System patching
Antivirus updates
Sanitization records
Maintenance tools
Maintenance personnel
Malicious code protection mechanisms (antivirus) should update automatically. Keeping antivirus current with the latest signature and updates improves malware detection. Reviewing the maintenance log weekly verifies the antivirus solution is up to date.
The maintenance log should also include sanitization records of all system media. Sanitization log details should include:
Personnel and actions performed
Types of media sanitized
Files stored on the media
Sanitization methods used
Date and time of sanitization actions
Verification actions taken
Reviewing the maintenance log establishes evidence for the following CMMC Level 1 objectives:
MP.L1-b.1.vii (a) sanitize or destroy system media containing [FCI] before disposal
MP.L1-b.1.vii (b) sanitize media containing [FCI] before release for reuse
SI.L1-b.1.xiv (a) update malicious code protection mechanisms when new releases are available
Evidence:
Media sanitization records
Records of malicious code protection updates
Policy Statement
System Maintenance
The IT office will schedule, perform, document and review system maintenance
Maintenance Personnel
The IT Office will maintain a list of authorized maintenance personnel
Conclusion
We defined these tasks to gauge the efficacy of basic security requirements. We understand these tasks offer only partial fulfillment of CMMC Level 1 requirements. These tasks should complement hardware and software configurations, policies and procedures. By implementing an ISCM program, you establish a foundation for CMMC Level 2.
Thoughts from KNC Strategic Services, an Authorized C3PAO:
Preparing for passing a CMMC assessment is a big undertaking. Following the practices in this guide will better prepare you for the assessment. You will have your evidence organized and ready. You will be able to prove how you are meeting the requirements. In an assessment, evidence is everything. The more you can prove up front, the faster an assessment will go. So get your CMMC ducks in a row.