Asset Categorization and CMMC
Many Certified CMMC Professional (CCP)will find the Configuration Management domain one of the trickiest for organization seeking certification to implement. Yet you have to ensure all employess have secure equipment from the starting line. By spelling out clear rules of the road through policieis and procedures you can ensure all clients
The 11 practices, six from level 2, three from level 3 and one level five requirement focus on how an organization deploys, sets up and manages systems, devices, software, networks and hardware. Specifically on an organizations ability have a configuration baseline and practices to audit this configuration and introduce changes.
Why Configuration Management
A CCP will want to work with clients to develop configuration management policies and procedures to mitigate security risks. You cannot eliminate vulnerabilities and reduce the costs of systems maintenance without a good configuration management. Every device you give an employee, every network router, and every switch needs to follow specific set up in a consistent manner. A Certified CMMC Professional will needs to work with a client to manage all changes. This will require organizations seeking certification to develop defined change control process.
Imagine if you allowed employees to simply go online and order a laptop. How would you know what Operating Systems get used? Will you know if they update the computer? Which anti-virus software comes installed?
Configuration management limits these issues. A company must have standard baseline image, not just for devices but for all the endpoints. Your configuration management and change logs need to track the software version, any hardware or software installed, ports that get open or blocked, and protocols for vulnerability scanner that the user does not control.
Configuration Management takes deep technical knowledge. A CCP will need to work with software documentation, vulnerability scanning software, STIGS, Reference architecture from an external service provider, or often a checklists of steps to follow
In fact, talented CCPs will see configuration more as a life cycle approach rather than a simple security management checklists. This lifecycle moves a system from the concept of operations through the vulnerability scanning, change management, operations, and decommissioning. As a system matures the people in a company will come and go. New technologies will emerge. A CCP can help clients address these programs by ensuring they have a consistent change management policy through the lifecycle of the system that boils down to system hardening, change management, and change management processes.
You cannot accept the defaults. Rarely will products come out of the box with secured to a a NIST-SP-800-171 baseline. A CCP will work with clients to ensure service packs get updated, unnecessary features get deactivated, account provisioning stays in compliance, and all firewalls and automatic updates get set up. If an organization seeking certification inherits many of these practices from an external service provider such as an MSP or IT form the CCP will need to review the shared responsibility matrix.
The configuration management lifecycle requires a focus on change management. You must ensure systems remain stable and employees cannot make changes without privileged access. As a CCP make sure clients include change management in their configuration policies. An Organization Seeking Certification must have a formal review proposed for all changes. This should include regularly scheduled reviews and an emergency process for installing critical patches. Only these proposed changed should get made. Finally, a CCO should ensure a client as procedures in place to re-assess their baseline setting and ti evaluate if it should change.
In order for these first two elements of configuration management lifecycle to occur a CCP will need to assist companies in tracking the process through change logs. This includes having a change request process, evaluating the risk of change, an approval process, testing the change, evaluating if employees need new training, implementing a baseline, validating the baseline, and then finally documenting the change.
Many of the changes to a system happen through software updates and patches released by a vendor. Therefore, change management processes must address how a company handles patch management. A CCP should work with organizations seeking certification to ensure the configuration management policy addresses patching.
Configuration Management provides recognized, standardized, and established benchmarks that spell out the procedures a company must follow to secure their systems and metrics.
Practices of the Configuration Management Domain
The following security requirements fall under the Configuration Management family:
3.4.1 Establish and maintain baseline configurations and inventories of organization information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
A company must have a baseline approved by management to meet the assessment objectives under this practice. A CCP will have to work with their clients to ensure the baseline configurations get developed, documented, and maintained for each syetsm. This means identifying all the systems that handle FCI or CUI, monitoring these endpoints, and developing these endpoints so the baseline configuration before meets 171 compliance before user access.
This requires a system development life cycle spelled out in your configuration management plan. You must provide the foundation for the successful development, implementation, and operation of company information systems.
A Certified CMMC Professional has an ethical obligation to include staff on the team, or let who possess security expertise and skills to ensure that needed security capabilities are effectively integrated into configuration management utilizing best practices in reference architecture. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the company’s business processes. This process also enables the integration of the information security architecture into the enterprise architecture, consistent with company risk management and information security strategies.
The configuration management domain lives and dies based on good document-based artifacts. As a Certified CMMC Professional working with clients to integrate a lifecycle approach you may have to assist clients in developing or curating specifications such as:
- configuration management policy
- procedures addressing the baseline configuration of the information system
- procedures addressing configuration settings for the information system
- configuration management plan
- security plan
- enterprise architecture documentation
- security configuration checklists
- evidence supporting approved deviations from established configuration settings
- change control records
- information system audit records
- information system design documentation
- information system architecture and configuration documentation
- information system configuration settings and associated documentation
- change control records
- other relevant documents or records
The technical members of a Certified CMMC Professional’s team will need to work closely with employees who have configuration management responsibilities, security configuration management responsibilities, and network adminsitrators. Again for many Organizations seeking certification this maybe an IT company or Managed Service Provider with these roles. In this case you must also ensure the shared responsibility matrix or teaming agreements handle baseline configuration, change processes, audit logs, and patching procedures.
A CMMC assessor will want to see these employees or service providers conduct the following tests:
- processes for managing baseline configurations
- automated mechanisms supporting configuration control of the baseline configuration
- processes for managing configuration settings
- automated mechanisms that implement, monitor, and/or control information system configuration settings
- automated mechanisms that identify and/ or document deviations from established configuration settings
3.4.2 Establish and enforce security configuration settings for information technology products employed in organization information systems.
This practice requires companies to bake security into their configuration management plan. A CCP must work with their clients to ensure assets only have features and capabilities that allow them to do their job. A good configuration management policy reflects the most restrictive settings that still allow a business to operate. Like any element of configuration management changes to security tools must get approved, tested, and documented.
Once again a CCP will need to ensure a company has strong document based artifacts to meet the assessment objectives of this practice. These specifications can include:
- configuration management policy
- procedures addressing the baseline configuration of the information system
- procedures addressing configuration settings for the information system
- configuration management plan
- enterprise architecture documentation
- information system design documentation
- information system architecture and configuration documentation
- security configuration checklists
- evidence supporting approved deviations from established configuration settings
- system audit records
- change control records
- other relevant documents or records
A CMMC Assessor will want to see interview the same people and observe many similar tests for this practices as well as other practices in this domain.
3.4.3 Track, review, approve/disapprove, and audit changes to information systems.
To ensure a company meets this practice a Certified CMMC Professional should first identify the IT leadership employees who act as a review board. All changes must get approved an d logged to have enough evidence for the assessment objectives. By building in a set time for the review board to meet you can help clients meet the requirements. You also need to make sure these changes get documents in IT asset management policies.
Numerous changes must get documented. These include modifications to hardware, software, or firmware components and configuration settings. The change process cannot interfere with information system operations. Thus testing needs to reflect company security policies and procedures. They get by information system security policies and procedures default features. Overall a company want to protect the specific health, safety, and environmental risks. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). Changes to information systems should be reviewed and approved by company management prior to implementation. Beyond the evidence collected for the other practices in this domain a CCP may also want to consider:
- change control records
- information system audit records change control audit and review reports
- agenda /minutes from configuration change control oversight meetings
- other relevant documents or records
Beyond the other individuals interviewed to gather evidence a CCP will want to speak with or help to establish a change review board. A CMMC assessor will want to observe tests on processes for configuration change control and automated mechanisms that implement configuration change control.
3.4.4 Analyze the security impact of changes prior to implementation.
You cannot simply introduce new software and changes to a company’s IT system and information security responsibilities such Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers. Once again for many organizations seeking certification this will involve including external service providers that do IT and security. No one department or person could track the endpoints and software across an entire organization.
When a change gets proposed a process or control board must evaluate the security impact. The review process must have clear testing procedures. Many manufacturers will have a change control board or process as part of their Quality Management System for other certifications such as ISO 9001. A CCP should work with a client, who may not have dedicated IT staff, to meet these requirements using already existing processes. Tracking IT changes using the same process will save companies money and increase security.
A CMMC assessor will want to ensure the effectiveness of theses tests. They must consider if the changes impact compliance with other 171 requirements. All configuration changes should then get tested, validated, and documented on a subset of devices or a staging environment before installing them on the operational system.
This again falls to the importance of the change review board and the importance of clear policy and repeatable procedures with a plan to monitor, meet, and document testing and changes.
3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
Zero trust means little once a malicious or unintentional internal threat has access to your servers and networks. You will need to track and log physical access to key physical areas where changes to the system can get introduced. This will often involve a key card and audit logs. As a CCP work with organizations seeking certification to ensure these areas get clearly marked and penalties for unauthorized access get spelled out in an employee handbook.
For logical access you must consider the implications and how to track who can make security changes to a client’s boundaries. Modern identity management software can require approval, set time bound windows, send notifications to the control board, have role based access and many more features to monitor changes to logical boundaries.
For both physical and logical restrictions always ensure to keep the practices of least privilege in mind.
Beyond the other document-based artifacts already collected for this Domain a CCP must also consider: * logical access approvals * physical access approvals * access credentials * change control records * information system audit records * other relevant documents or records
A CMMC assessor will want to interview employees with logical and physical access. They will need access to employees with information security responsibilities and network administrators.
The assessor will want to see these employees perform automated mechanisms supporting/ implementing/enforcing access restrictions associated with changes to the information system
3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
An employee of a client will not need minesweeper and every Instagram photo filter on their computer in order to do their job. Simply put an Organization Seeking Certification must configure technology so employees only have functions need to keep the system and business operational. A CCP will need to work with a client to identify and remove/disable applications, ports, protocols, services and settings on your systems. This often means imaging machines to remove or add on to default settings.
If a client a CCP works with does not use VOIP than disable the ports VOIP uses.
A CCP will utilize a variety of evidence for document-based artifacts. They should note an inventory of ports gets included in the System Security Plan. ACCMC assessor will want to observe a test on the processes prohibiting or restricting functions, ports, protocols, and/or services
3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
This practice relates closely to 3.4.6, and like many relies on strong IT Asset Management. A company, however, must explicitly define how they limit ports and protocols necessary to provide the service needed for continuation and security. You may disable FTP, for example, or remove applications from a device before access Once again this inventory of ports and programs must get included in the SSP.
In fact companies should consider disabling unused or unnecessary physical and logical ports/ protocols such as Universal Serial Bus (USB), File Transfer Protocol (FTP), and Hyper Text Transfer Protocol (HTTP on information systems to prevent unauthorized connectios As a CCP you may have to help an organization seeking certification evaluate companies that can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections. Firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services can also help mitigate much risk. As a CCP help clients gather evidence from typical document-based artifacts that include.
- configuration management policy
- procedures addressing least functionality in the information system
- configuration management plan
- security plan
- nformation system design documentation
- information system configuration settings and associated documentation
- specifications for preventing software program execution
- security configuration checklists
- documented reviews of functions, ports, protocols, and/or services
- change control records
- information system audit records
- other relevant documents or records
A Certified CMMC Professional will need to work with employees with responsibilities for reviewing functions, ports, protocols, and services on the information system and network administrators. Together make sure observable test can get performed on:
- processes for reviewing/disabling non-secure functions, ports, protocols, and/or services
- automated mechanisms implementing review and disabling of non-secure functions, ports, protocols, and/or services
- processes preventing program execution on the information system
- processes for software program usage and restrictions
- automated mechanisms preventing program execution on the information system
- automated mechanisms supporting and/or implementing software program usage and restrictions
3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting policy to allow the execution of authorized software.
This practice builds on top 3.4.7 but requires companies to maintain a list of approved software and a list of software denied to all or requiring an exception. In fact many organizations go beyond the minum of this control and organizations verifying the integrity of approve-listed software programs usingcryptographic checksums, digital signatures, or hash functions. These certificates help to verify versions and secure updates.
Between maintaining an approved list and a not-authorized list, the denial list provides stronger protection. Policies alos get deployed to prevent certain types of software from being run on the company’s systems such as games. A CCP will need to ensure a client checks these policies s by periodic audit.
Beyond the usual document based artifacts of this domain a CCP will want to help an organization seeking certification organize evidence from:
- information system configuration settings and associated documentation
- list of software programs not authorized to execute on the information system
- list of software programs authorized to execute on the information system
- security configuration checklists
- review and update records associated with list of unauthorized software programs
- review and update records associated with list of authorized software programs
- change control records
Employees with information security responsibilities and network administrators will need to know how to demonstrate tests on
- process for identifying, reviewing, and updating programs not authorized to execute on the information system
- process for identifying, reviewing, and updating programs authorized to execute on the information system
- process for implementing blacklisting automated mechanisms supporting and/or implementing blacklisting
- process for implementing whitelisting automated mechanisms supporting and/or implementing whitelisting
3.4.9 Control and monitor user-installed software.
As a Certified CMMC professional just make sure companies disable user installed software on in scope systems. Remember users should not have privileged or admin access on machines that connect to your network and all privileged users always require MFA authentication. This will allow a company to control unapproved software.
Policies must fully describe allowed installations and procedures to check that for policy violations. These polices may want to have very stringent exceptions for installing software, especially on the devices of privileged users.
A CMMC Assessor will not only want to review these policies and procedures but they will want to see employees perform tests on processes governing user-installed software on the information system an automated mechanisms for alerting personnel/roles when unauthorized installation of software gets detected.
If a company takes the time to put down a clear pathway for configuration management we can help to protect the confidentiality of information. Just remember while we need to get to the finish line one should approach it more as conditioning. Once you have your baseline configured get back to tthe starting line and review the deployment as you maintiain the overall cyber health of a company.
“Starting Line” by Phil Roeder flickr.com/photos/ta… is licensed under CC BY