This blog is the sixth in a 15th-part blog series where we'll discuss each domain in Cybersecurity Maturity Model Certification (CMMC). This blog explores the CMMC domain System and Communications Protection (SC).
The System and Communications Protection domain discusses the protection of both your systems and their communications into focus. It includes the monitoring, controlling, and protecting of organizational communications and the specifics behind individual components that make up the domain.
We will be exploring System and Communications Protection in the following manner:
In the System and Communications Protection domain, the focus will be on
Your organization must ensure that your system is protected and focus on how communications are protected, both externally and internally.
For CMMC 2.0, there are two practices in CMMC Level 1 outlined for System and Communications Protection and fourteen for Level 2.
For CMMC Level 3, the SC practices are yet to be determined. Now, we will dive into important topics that are covered in the SC domain:
The boundary Protection/Separation ensures that any communication within your organization must be monitored, controlled, and protected, especially at system boundaries. Communication can be defined as information transmitted or received by any of your information systems.
The type of boundary can be external or internal, and both need to be considered. Boundary components include gateways, firewalls, routers, encrypted tunnels, etc.
Restricting information that seems suspicious or malicious by directing communication to designated web servers is a start. Prohibiting external traffic that appears to be spoofing internal addresses is a way to heighten protection. These are both suggestions, and how your organization implements them is something that can be determined.
For boundary protection, there should also be clear separation, and subnetworks should be implemented for systems that are publicly accessible. Any subnetwork implemented should be physically or logically separated from any internal network, and these are commonly referenced as Demilitarized Zones (DMZs). Demilitarized Zones can be implemented using boundary control devices, and your organization must meet this requirement.
Security will be a repeated topic that is brought up within each domain. For example, system or communication protection cannot be properly implemented without efficient security in your organization. You must employ architectural designs, software development techniques, and even systems engineering principles to meet security requirements defined in these domains.
Your organization should apply systems engineering principles to any newly developed system or system undergoing a major change/upgrade. For any legacy system within your organization, you should apply these principles, but only to the extent that it is feasible.
Any of these principles are important throughout your organization, so training on the principles within them is also important for your employees, especially IT Staff. Developing and implementing these principles allows your organization to foster secure systems and system components.
Role separation will be important to make the process of system protection transparent and easy to understand. Role separation is related to the user (user functionality) and the system (system management functionality). Both should be separated from each other.
System management functionality can include functions that allow you to administer databases, manage network components, modify workstations or servers, and usually require privileged access. The separation can be physical and logical, and the method is up to your organization.
It is common for an organization to store and manage activity in shared spaces. This requirement discusses the control of information that is in shared system resources.
Your organization mustn't allow new users to access information produced by the actions of prior users, especially if their role does not need that information. It also applies to any encrypted representations of information and any related component.
It is easier to understand that current users should not access information created or modified by previous users, especially if the information was procured for a specific purpose.
This requirement relates specifically to network communications, both inbound and outbound. Your organization should adopt a deny-all, permit-by-exception policy regarding network communications traffic.
To explain, this means that all communication should be denied/blocked by default, and specific traffic should be permitted only based on organizational policies, exceptions, or criteria.
This will allow only authorized communication to come through and prevents any potential unauthorized connection or access. This can be further developed by preventing split-tunneling, where remote devices establish non-remote connections with organizational systems.
It is important to prevent this, as it can allow unauthorized external connections to access organizational information. Your organization should detect any split-tunneling events and automatically prevent them.
While we have discussed protecting information and the boundary, what about data in transit or at rest?
Your organization must implement cryptographic mechanisms to prevent unauthorized access or disclosure of CUI during data transmission. As before, this requirement will apply to internal and external networks and any system components that can transmit information (servers, computers, printers, etc.).
The communication paths used outside of any physical boundary are susceptible to interception, which also puts data at risk of being modified to become malicious. Your organization must be vigilant in ensuring the prevention of such risks.
Similarly, data at rest is information not being processed or in transit. This information should also be protected, especially CUI, that might be at rest. Again, your organization can choose how to protect this information and its confidentiality, but some recommendations include using cryptographic mechanisms/file share scanning.
The 'Connection Terminations' requirement focuses specifically on internal and external network connections.
Terminating any connections associated with communications sessions, especially at the end of the session or after a defined period of inactivity, is vital. If a connection is not being used or finished, end it.
This prevents malicious entities from taking advantage of an open network session and using it to gain access to the system and will keep communication efforts safe and protected.
Cryptographic mechanisms have been repeatedly discussed in SC domain. The management of cryptographic mechanisms is another part of this discussion, and managing cryptographic keys for any cryptography implemented within your organizational systems will also need to be done.
This can be done using manual procedures/mechanisms, allowing your organization to protect the confidentiality and authenticity of cryptographically managed information.
In addition, the key management practice will allow your organization to ensure that cryptographic keys are properly created and managed securely so the keys may not be stolen, misused, or copied.
Whenever CUI is handled or transmitted, it should be cryptographically protected. Your organization should implement FIPS-validated or NSA-approved cryptography when maintaining the protection or confidentiality of CUI.
FIPS-validated cryptography means the module that maintains the cryptography has been tested and validated using FIPS 140-1 or 140-2 requirements. It is often required within CMMC, and it is good practice to begin using it for CUI. It is recommended for information that is not CUI but is not required.
For the Collaborative Device Control requirement, you must focus on prohibiting the remote activation of collaborative computing devices.
These can include whiteboards, cameras, or microphones. A way to indicate use can be to send signals to users when these devices are activated, such as a light or a window that appears on their screen.
Suppose there is no way for the device to notify the user. In that case, you must implement a manual mechanism to do so, as this will prevent unauthorized access to the system and notify you if any access has not been authorized.
Mobile code is common within an organization, but the management and protection of mobile code may be different from typical systems. The Mobile Code focuses on controlling and monitoring your organization's use of mobile code.
Implementing mobile code policies and procedures that dictate its use will be the first step; further, requiring mobile code to be digitally signed by a trusted source will advance the protection of your systems.
As aforementioned, communication sessions need to be maintained and terminated at the end of the session. Another requirement within this domain is to maintain and protect the authenticity of sessions that are in progress.
This Communication Authenticity practice aims to implement a trusted relationship between both sides of a communication session. Each side should be assured that the person or device on the other end is who it is expected to be. This can be done by implementing a mutual authentication "handshake" when sessions are established, specifically between the devices used.
Your organization should also establish a security protocol that focuses on session authenticity, especially during a communication session.
This domain has covered many important topics, ranging from boundary protection to communicating authenticity. This domain has a lot of detailed requirements and discusses a wide range of topics, and your organization must work on each component to ensure the requirements are being met properly.
For CMMC Level 1, your organization must perform a self-assessment for the practices outlined and required within System and Communications Protection. For CMMC Level 2, your organization will have to look further into the practices required and provide proper implementation and documentation. Here is some guidance on what to include or look for within your organization:
System and Communications Protection is an important CMMC domain. At InterSec, we help DIB with CMMC advisory and consulting services. Don't hesitate to get in touch with us to learn more.