In this and succeeding entries, we will review one or two Practices per article, focusing on the description of the practice and the clarifying statement and examples provided within Appendix B of CMMC V 1.0. The second practice required to achieve Level 1 compliance under the CMMC standard falls under the second capability, Control internal system access (C002). This practice has the reference number, AC.1.002, and is titled, Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
The discussion details provided from the resource document, NIST SP 800-171 Rev. 2, states: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system related requirements (e.g., Time zone differences, customer requirements, remote access to support travel requirements).
In providing clarification of the above description, Appendix B provides the following: Make sure to limit users/employees to only the information systems, roles, or applications they are permitted to use and that are needed for their jobs. Essentially what you are doing as a business owner is configuring your IT system to limit access to certain parts of your system to only those individuals that should have access. Sometimes this is referred to as, Least privileged access. As an example, Appendix B states: You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log on to the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your co-workers in the shipping department cannot access information about payroll or paychecks.
As a business owner, though, you may have questions as to how to configure your system to limit information system access to the types of transactions and functions authorized users are permitted to execute. This is where you may need to bring in more IT technical support to ensure your system operates in this manner. At least with this defined expectation, you know what questions to be asking about this Practice and how you need to request your IT vendor/employee to set up your system. For those that have been successful, what suggestions/best practices have you found to be effective in complying with this Practice?
We will follow on with the third Practice in our journey towards CMMC Level 1 compliance in our next article.
by Mark R. Lupo, MBCP, SMP