The CMMC 2.0 framework requires organizations to safeguard their networks against unauthorized access, data breaches, and other security threats. Its Level 2 practices, which correspond to the NIST SP 800-171 requirements, include a wide array of network security and monitoring controls. A short explanation of each of the relevant controls is given below, followed by two that are particularly difficult to implement or are often overlooked.

  • AC.L2-3.1.12 – Monitor and control remote access sessions.
    Organizations must monitor and control remote access sessions so that only authorized users reach the system remotely. This means logging every remote session (who connected, from where, when, and for how long), reviewing those logs, and alerting on suspicious activity. Access control mechanisms must also limit remote users to the resources they are authorized to use, rather than granting full network reach once the connection is up.
  • AC.L2-3.1.13 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
    To protect the confidentiality of data transmitted during remote access sessions, organizations must encrypt them, typically with a VPN (IPsec or TLS-based) or with TLS on the application itself. Because these sessions carry CUI, the cryptography also has to satisfy SC.L2-3.13.11 below: a FIPS-validated module operating in its approved mode, not merely a protocol that supports strong ciphers. This ensures that sensitive information is not exposed to unauthorized parties in transit.
  • AC.L2-3.1.14 – Route remote access via managed access control points.
    Remote access must be routed through a small number of managed access control points, such as VPN gateways or secure remote access servers, rather than allowing individual hosts to expose remote access services directly. This ensures that all remote connections are authenticated and authorized before reaching the internal network, and it gives the monitoring required by AC.L2-3.1.12 a single place to observe them.
  • AC.L2-3.1.16 – Authorize wireless access prior to allowing such connections.
    Organizations must have a process that authorizes wireless access before a device is allowed to join the network. This typically involves validating the identity of both the user and the device and confirming that the connection complies with organizational security policy; unmanaged or unknown devices should not be able to associate at all.
  • AC.L2-3.1.17 – Protect wireless access using authentication and encryption.
    To prevent unauthorized access and protect the confidentiality of data sent over wireless networks, wireless access must use strong authentication and encryption. In practice this means per-user or per-device authentication (for example 802.1X with WPA2- or WPA3-Enterprise) rather than a single shared passphrase, with the encryption subject to the same FIPS-validation requirement as any other mechanism that protects CUI.
  • AC.L2-3.1.18 – Control connection of mobile devices.
    Organizations must control which mobile devices connect to the network. Policies and procedures must define which devices are permitted, how they are authenticated, and what access they receive once connected. This prevents unauthorized devices from reaching sensitive information.
  • AC.L2-3.1.19 – Encrypt CUI on mobile devices and mobile computing platforms.
    Controlled Unclassified Information (CUI) stored on mobile devices and mobile computing platforms must be encrypted to protect it from unauthorized access if the device is lost or stolen. This includes laptops, tablets, smartphones, and any other portable device that may store or process CUI.
  • IA.L2-3.5.3 – Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts.
    Organizations must implement multifactor authentication (MFA) for every access to privileged accounts, whether local or over the network, and for network access to non-privileged accounts. Note the asymmetry: a local logon to a non-privileged account may use a single factor, but a local logon to an administrator account may not. MFA requires the user to present a second factor (something they have or something they are) in addition to a password, so a stolen password alone does not grant access.
  • MA.L2-3.7.5 – Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
    MFA must be required to establish nonlocal maintenance sessions over external network connections, so that only authorized personnel can perform maintenance tasks; this includes vendor and managed-service remote support. These sessions must be terminated as soon as the maintenance activity is complete, rather than left open for convenience, to minimize the window for unauthorized access.
  • MP.L2-3.8.6 – Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
    CUI stored on digital media (e.g., USB drives, external disks, CDs, DVDs) must be encrypted while the media is in transport outside controlled areas. Where physical safeguards are in place (e.g., locked containers, secure courier services), they may serve as the alternative protection measure, and the choice should be documented.
  • SC.L2-3.13.11 – Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
    Whenever cryptography is used to protect the confidentiality of CUI, it must be FIPS-validated. Validation applies to a specific cryptographic module, certified under FIPS 140-2 or 140-3 through NIST's Cryptographic Module Validation Program (CMVP), not to an algorithm in the abstract: a product that "uses AES" or is described as "FIPS compliant" does not meet the control unless the module it relies on holds a validation certificate and is operated in its approved mode. Assessors typically expect to see the certificate number and evidence that FIPS mode is enabled.
  • SC.L2-3.13.15 – Protect the authenticity of communications sessions.
    To protect the authenticity of communication sessions, organizations should use mechanisms such as mutual authentication, digital signatures or message authentication codes, and integrity checks, so that each party can verify who it is talking to and that the traffic has not been tampered with or replayed. In practice this usually means properly configured TLS or IPsec with certificate validation, which defends against man-in-the-middle attacks and session hijacking.
  • SC.L2-3.13.7 – Prevent remote devices from split tunneling.
    Split tunneling occurs when a remote device is connected to organizational systems (for example through the VPN) while simultaneously communicating over some other path, such as its local internet connection, with resources in external networks. Organizations must prevent remote devices from split tunneling, since a device bridging both networks can leak data to the outside or give an external attacker a path into the internal network. The usual approach is to configure the VPN client for full tunneling (all traffic routed through the managed access control point) and to lock the client configuration so users cannot change it.

Difficult to Implement or Often Overlooked Controls

AC.L2-3.1.12 – Monitor and control remote access sessions presents unique implementation challenges:
  • Complexity and Cost: Comprehensive monitoring and control of remote access can be complex and expensive, requiring centralized logging, alerting tools, and continuous management of the access control point itself.
  • Resource Intensive: Someone has to review the session logs and act on the alerts, so the control consumes ongoing personnel time as well as technology budget.

Recommendations for proper implementation:

  • Use Automated Tools: Send remote access logs to a central collector and use automated rules to flag suspicious activity in near real time, such as logons by accounts not authorized for remote access, repeated authentication failures, logons at unusual hours, the same account active from two different sources at once, and sessions that never terminate.
  • Regular Audits: Review remote access logs on a fixed schedule to catch unauthorized access attempts and unusual activity patterns that the automated rules did not, and to confirm that the list of users permitted remote access still matches who is actually connecting.
  • Training and Awareness: Train employees on the importance of secure remote access and on the organization's monitoring policies, including the expectation that sessions are logged and ended when work is done.
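
One way to implement the "Use Automated Tools" and "Regular Audits" items above is a scripted audit over the gateway's session log. The following Python script is an added example written for this article and is not code from the original page or from DTC; the log line format, the authorized-user list, the thresholds, and the sample log lines are all assumptions constructed for the example, so adapt the parser and the policy values to your own VPN or remote access gateway.

```python
"""Audit of remote access session logs in the spirit of AC.L2-3.1.12.

Added example, not the article's own code. The log format, the
authorized-user list, the thresholds and the sample lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO-8601 UTC timestamp> <event> user=<name> src=<ip> [session=<id>]
SAMPLE_LOG = """\
2024-03-04T08:02:11Z LOGIN_OK user=alice src=203.0.113.7 session=s1
2024-03-04T08:05:40Z LOGIN_FAIL user=bob src=198.51.100.9
2024-03-04T08:05:52Z LOGIN_FAIL user=bob src=198.51.100.9
2024-03-04T08:06:03Z LOGIN_FAIL user=bob src=198.51.100.9
2024-03-04T08:06:15Z LOGIN_FAIL user=bob src=198.51.100.9
2024-03-04T08:06:27Z LOGIN_FAIL user=bob src=198.51.100.9
2024-03-04T09:10:00Z LOGIN_OK user=mallory src=192.0.2.44 session=s2
2024-03-04T09:30:00Z LOGIN_OK user=alice src=198.51.100.77 session=s3
2024-03-04T12:00:00Z LOGOUT user=alice src=203.0.113.7 session=s1
2024-03-04T23:45:00Z LOGIN_OK user=carol src=203.0.113.12 session=s4
2024-03-05T02:00:00Z LOGOUT user=carol src=203.0.113.12 session=s4
"""

# Policy values; all assumptions for the example.
AUTHORIZED_REMOTE_USERS = {"alice", "bob", "carol"}  # accounts approved for remote access
FAIL_THRESHOLD = 5                  # failures within FAIL_WINDOW -> brute-force finding
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = (7, 19)            # 07:00 to 19:00 UTC; logons outside are flagged
MAX_SESSION = timedelta(hours=8)    # sessions longer than this are flagged
AUDIT_END = datetime(2024, 3, 5, 9, 0)  # "now" for the constructed log


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts', the 'event', and key=value fields."""
    ts, event, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event, **fields}


def audit(log_text, now=AUDIT_END):
    """Return a list of (finding, user, detail) tuples for the log, in log order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    fails = defaultdict(list)            # user -> timestamps of recent failures
    open_sessions = {}                   # session id -> LOGIN_OK event
    active_by_user = defaultdict(dict)   # user -> {session id: source ip}

    for e in events:
        user = e["user"]
        if e["event"] == "LOGIN_FAIL":
            # Sliding window: keep only failures within FAIL_WINDOW of this one.
            fails[user] = [t for t in fails[user] + [e["ts"]] if e["ts"] - t <= FAIL_WINDOW]
            if len(fails[user]) >= FAIL_THRESHOLD:
                findings.append(("brute_force", user, e["src"]))
                fails[user] = []          # reset so one burst yields one finding
        elif e["event"] == "LOGIN_OK":
            if user not in AUTHORIZED_REMOTE_USERS:
                findings.append(("unauthorized_user", user, e["src"]))
            if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
                findings.append(("off_hours_login", user, e["src"]))
            # Same account already active from a different source address.
            for src in active_by_user[user].values():
                if src != e["src"]:
                    findings.append(("concurrent_sessions", user, f"{src} and {e['src']}"))
            open_sessions[e["session"]] = e
            active_by_user[user][e["session"]] = e["src"]
        elif e["event"] == "LOGOUT":
            login = open_sessions.pop(e["session"], None)
            active_by_user[user].pop(e["session"], None)
            if login and e["ts"] - login["ts"] > MAX_SESSION:
                findings.append(("long_session", user, e["session"]))

    # Sessions never closed by the end of the log: stale if older than MAX_SESSION.
    for sid, login in open_sessions.items():
        if now - login["ts"] > MAX_SESSION:
            findings.append(("stale_session", login["user"], sid))
    return findings


if __name__ == "__main__":
    for kind, user, detail in audit(SAMPLE_LOG):
        print(f"{kind:20} user={user:8} {detail}")
```

The audit flags five conditions from the constructed log: a burst of failed logons for bob, a successful logon by mallory who is not on the authorized list, alice active from two source addresses at once, carol logging on outside business hours, and two sessions (mallory's and alice's second one) still open long after the maximum session length. In production, feed it the exported gateway log on the schedule your AC.L2-3.1.12 procedure specifies and route the findings into the alerting or ticketing workflow that procedure names; the value of the script is the documented, repeatable review, not the thresholds themselves.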
AC.L2-3.1.19 – Encrypt CUI on mobile devices and mobile computing platforms also presents some unique challenges:
  • Device Diversity: The wide variety of mobile devices and operating systems makes it difficult to apply one consistent encryption strategy, and not every platform's built-in encryption is FIPS-validated in its default configuration.
  • User Compliance: Ensuring that every user keeps CUI encrypted on a mobile device is difficult to guarantee, particularly when personal (BYOD) devices are used for work and the organization has limited control over them.

Recommendations for proper implementation:

  • Standardized Solutions: Deploy a standardized, FIPS-validated encryption solution across all mobile devices used within the organization (or restrict CUI to a short list of approved device types) to ensure consistency.
  • Mobile Device Management (MDM): Use an MDM solution to enforce full-device encryption, require a passcode, verify compliance before granting access, and remotely wipe devices that are lost or fall out of compliance.
  • User Training: Provide training to users on how CUI must be handled on their devices, what the enforced policies do, and why following them matters.

Keys to successfully securing and monitoring your network:

  1. Develop Clear Policies and Procedures: Establish comprehensive policies and procedures for each control, ensuring they are clearly documented and communicated to all employees.
  2. Implement Appropriate Security Tools: Use tools such as managed VPN gateways, MFA, firewalls, intrusion detection systems, MDM, and FIPS-validated encryption to enforce the controls technically rather than relying on policy alone.
  3. Regular Training and Awareness Programs: Training programs ensure employees understand the importance of the controls and how to comply with them.
  4. Continuous Monitoring and Auditing: Continuous monitoring and regular auditing verify that the controls are actually being followed and surface security gaps before an assessor does.
  5. Leverage Third-Party Expertise: Consider engaging third-party security experts to assist with the implementation and ongoing management of the controls.

For assistance with your CMMC efforts, contact DTC’s C3PAO team.