Access Control Level 1

CMMC level 1 is a foundational level for CMMC Cyber security compliance.  It forms the initial building block for all other levels of cyber maturity

AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems.  Access enforcement mechanisms can be employed at the application and service level to provide increased information security.  Other systems include systems internal and external to the organization.  This requirement focuses on account management for systems and applications.  The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2 (AC.1.002).

CMMC CLARIFICATION

Control who can use company computers and who can log on to the company network.  Limit the services and devices, like printers, that can be accessed by company computers.  Set up your system so that unauthorized users and devices cannot get on the company network.

Example 1

You are in charge of IT for your company.  You give a username and password to every employee who uses a company computer for their job.  No one can use a company computer without a username and a password.  You give a username and password only to those employees you know have permission to be on the system.  When an employee leaves the company, you disable their username and password immediately.

Example 2

A coworker from the marketing department tells you their boss wants to buy a new multifunction printer/scanner/fax device and make it available on the company network.  You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network.  You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.

REFERENCES

  • FAR Clause 52.204-21 b.1.i
  • NIST SP 800-171 Rev 1 3.1.1
  • CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11
  • NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
  • CERT RMM v1.2 TM:SG4.SP1
  • NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17
  • AU ACSC Essential Eight

AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both.  System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.  Other attributes required for authorizing access include restrictions on time-of-day, day-ofweek, and point-of -origin.  In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).

CMMC CLARIFICATION

Make sure to limit users/employees to only the information systems, roles, or applications they are permitted to use and that are needed for their jobs.

Example

You are in charge of payroll for the company and need access to certain company financial information and systems.  You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data.  Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.

REFERENCES

  • FAR Clause 52.204-21 b.1.ii
  • NIST SP 800-171 Rev 1 3.1.2
  • CIS Controls v7.1 1.4, 1.6, 5.1, 8.5, 14.6, 15.10, 16.8, 16.9, 16.11
  • NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
  • CERT RMM v1.2 TM:SG4.SP1
  • NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17

AC.1.003: Verify and control/limit connections to and use of external information systems. 

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems.  External systems include personally owned systems, components, or devices and privatelyowned computing and communications devices resident in commercial or public facilities.  This requirement also addresses the use of external systems for the processing, storage, or transmission of Federally Contracted Information, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.

Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures.  Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems.  If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems.  In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems.  Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.

Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case.  Regarding the protection of Federally Contracted Information across an organization, the organization may have systems that process Federally Contracted Information and others that do not.  And among the systems that process Federally Contracted Information there are likely access restrictions for Federally Contracted Information that apply between systems.  Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.

CMMC CLARIFICATION

Make sure to control and manage connections between your company network and outside networks, such as the public internet or a network that does not belong to your company.  Be aware of applications that can be run by outside systems.  Control and limit personal devices like laptops, tablets, and phones from accessing the company networks and information.  You can also choose to limit how and when your network is connected to outside systems and/or decide that only certain employees can connect to outside systems from network resources.

Example

You help manage IT for your employer.  You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done.  Part of the proposal includes Federal Contract Information, or FCI.  FCI is information that you or your company get from doing work for the Federal government.  Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.

REFERENCES

  • FAR Clause 52.204-21 b.1.iii
  • NIST SP 800-171 Rev 1 3.1.20
  • CIS Controls v7.1 12.1, 12.4
  • NIST CSF v1.1 ID.AM-4, PR.AC-3
  • CERT RMM v1.2 EXD:SG3.SP1
  • NIST SP 800-53 Rev 4 AC-20, AC-20(1)
AC.1.004: Control information posted or processed on publicly accessible information systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information).  This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication.  Individuals authorized to post CUI onto publicly accessible systems are designated.  The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

CMMC CLARIFICATION

Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public.  It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website.  Limit and control information that is posted on your company’s website(s) that can be accessed by the public.

Example

You are head of marketing for your company and want to become better known by your customers.  So, you decide to start issuing press releases about your company projects.  Your company gets FCI from doing work for the Federal government.  FCI is information that is not shared publicly.  Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing to the public.  You allow only certain employees to post to the website.

REFERENCES

  • FAR Clause 52.204-21 b.1.iv
  • NIST SP 800-171 Rev 1 3.1.22
  • NIST SP 800-53 Rev 4 AC-22