What is CMMC Access Control and How Does IAM Help You Stay Compliant?

User access is one of the most basic, and yet most necessary, security controls available. With the complex ways in which we combine on-prem and cloud services for customers, it’s obvious how something like identity and Authentication Management (IAM) can turn from a simple proposition to a complicated process that can leave you vulnerable or out of compliance.

In this article, we’re covering how IAM, and specifically Access Control, plays a role in the new CMMC framework. We’ll discuss:

• How CMMC defines concepts like defense capabilities, specifically around Identification and Access Control.
• How security practices embedded in Access Control are broken into broader domains.
• How Access Control practices fit into the CMMC Maturity Level hierarchy and enable handling CUI.
• The relationship between practices, capabilities and Maturity Level 3.
• How SecureStrux can help you with CMMC and IAM engineering.

CMMC and Access Control

The Cybersecurity Maturity Model Certification (CMMC) framework covers multiple areas regarding cybersecurity, risk management and information governance. This framework is comprised of several components that make up the different security aspects that an organization must meet to handle different, increasingly sensitive forms of data.

Fundamental to this system of classification is the “domain." In CMMC, domains describe different, broad areas of security and functionality that a company could be expected to adhere to give their level. Domains include such security factors as Identification and Authentication (IA), Access Control (AC) and Incident Response (IR).

The first two listed here (Access Control and Identification and Authentication) cover similar, but different, domains related to controlling system access. The IA domain includes the creation and maintenance of digital identities and the tools used to authenticate users against those ideas. In this domain, you’ll find capabilities covering practices like general authentication infrastructure, biometric passwords and Multi-Factor Authentication (MFA).

The Access Control domain takes that one step further by emphasizing physical and technical controls that ensure that users who are not authorized to access resources do not have such capabilities. Some of the more technical requirements often found under Access Control are:

• Role-Based Access Control, or the practice of restricting resource access based on organization-wide roles as designations for authorizations.
• Identity and Access Management, or the approach of managing digital identities and aspects against several levels of access controls, including roles, biometrics and other solutions.
• Zero-Trust Security Principles, or the approach of requiring authorization and identification from every new user, IP address, or device that ever connects to the system with no exceptions.
• Privileged Access Management Solutions, or the control of privileged identities in your system to minimize attack surfaces through elevated user accounts.

In both cases, the IA and AC domains serve as the boundary between users and system assets. Not only do they protect your IT system as a whole, but they also provide the tools you need to designate roles for information access settings, create system-wide authentication and authorization policies and protect physical locations like workstations and server rooms.

What are the Access Control Domain Capabilities?

Every domain has a collection of “capabilities” included that speak to different aspects of that domain. Under Access Control, you’ll find 4 capabilities:

1. C001: Establish System Access Requirements. This capability includes all controls and practices used to help determine who has access to systems, what sort of rules or policies determine that access and in what ways they can get access. This can include technical approaches (authentication, remote access) and physical approaches (access to protected laptops, servers and data centers).
2. C002: Control Internal System Access. Includes PAM and least privilege principles. Ensures that all internal user access (including employees, contractors, executives, etc.), especially elevated controls for high-level access, are controlled through proper policy and limited to the least amount of privilege needed for that user’s work.
3. C003: Control Remote System Access. Applies to access control for remote work, which is incredibly relevant in a post-pandemic world. Can also include other access controls that aid in securing remote work.
4. C004: Limit Data Access to Authorized Users and Processes. Can include protecting data against disclosure, particularly due to accidental exposure from sharing data over internal processes or systems.

How Do CMMC Practices Apply to Maturity Levels?

At the core of CMMC compliance is the practice of handling and securing Controlled Unclassified Information (CUI), or information that isn’t classified but that contains sensitive data relevant to the operation of the agency and its contractors. CMMC, therefore, breaks down compliance into 5 maturity levels, numbered 1-5.

While it isn’t relevant to cover every level here in detail, what’s important is that only contractors at CMMC Maturity Level 3 or higher may handle and store CUI. The easy way to think about it is that these requirements compound on one another, so while there are Level 3 requirements, Level 3 also requires all practices from Levels 1 and 2.

At CMMC Maturity Level 3, an organization will be expected to be able to perform the following practices:

1. Limit IT system access to authorized users, provide privacy and security notices, and limit the use of portable devices on systems (C001).
2. Limit system access by user role and type, employ the principle of least privilege, use non-privileged access for non-security functions, limit login attempts, separate user duties and roles, prevent non-privileged access to privileged assets, protect and encrypt wireless networks and mobile devices, and lock sessions after inactivity (C002).  
3. Monitor remote access sessions, route remote access to authorized points, authorize select wireless connections, control mobile access, use cryptography for remote access, authorize remote privileged access for privileged resources (C003).
4. Verify and limit external sessions, control public information access, control CUI flow across different systems, and encrypt CUI on computers and mobile devices (C004).

CMMC Compliance Support with SecureStrux

You may not face CMMC certification yet, but sooner rather than later all contractors in the Defense Industrial Base supply chain will need to comply with the framework. This means integrating required security controls, especially those around IAM if you want to handle CUI for clients.

SecureStrux is a CMMC consultant currently undergoing the process of certification to become an authorized C3PAO. These capabilities, alongside our team of expert security engineers and compliance strategists, help us provide our clients with a unique blend of fully-featured Managed Security Services and compliance auditing and ongoing monitoring. And these services include extensive audits and engineering for IAM and access control infrastructure.

If you are preparing for CMMC or RMF compliance and want a long-term partner that can help you contribute your unique IT services to the defense of our country, then contact an account representative to learn how we can support that mission.