CMMC A to Z: The Importance of Access Control, Asset Management, Auditing, and Awareness

If you kept up with last week’s blog post, you’ll know that The Department of Defense’s CMMC consists of 17 total capability domains. With so many domains, it can be hard to keep up with why each and everyone is truly important not only for supply-chain security but for the complete security of your entity regardless of federal contracting. Over the next few weeks, while I work with ComCode and the MCSP to explore this new certification process, I will be breaking down all 17 capability domains as defined by the CMMCAB. Keep in mind that these are general overviews of these best practices, but it’s important to understand why the Department of Defense cares about them in the first place to truly take advantage of this new framework.

AC -Access Control

Access Control is a domain that focuses on limited access to information and information systems, thus mitigating the risk of secure information being accessed by unauthorized individuals. Unauthorized access can lead to terrible data breaches, which is why access controls are often erring on the side of caution and overly restrictive. According to Ted Wagner, CISO at SAP National Security Service, “Whether it be the inadvertent exposure of sensitive data improperly secured…access controls are a key component. When not properly implemented or maintained, the result can be catastrophic.” Here are a few key things to think about when implementing access controls:

  1. Who determines access? Information Asset Owners? IT? Security?
  2. Who ensures control implementation? Helpdesk? Information Security?
  3. How will access be documented? Asset Registry? Active Directory?
  4. How will we audit these controls?

AM – Asset Management

Information Technology assets are the backbone of any organization, especially in the modern age where technology is lurking around every corner. It is extremely important to maintain and develop standards that allow your organization to properly manage all IT assets, especially in terms of risk, cost, and compliance. On the surface, AM seems like nothing more than a basic inventory system, but it is so much more involved than that. It’s important to keep track of obsolete and End Of Life (EOL) technology in your organization. EOL assets are one of the easiest ways for outside threat actors to gain access to your network. Compliance is another huge part of AM, ensuring that the technology you bring into your organization falls in line with any regulatory requirements you are currently subscribed to.

AU – Auditing & Accountability

Auditing & Accountability is defined as a chronological record that examines the sequence of activities surrounding everyday organizational operations and procedures, specifically in reference to security-relevant transactions. The key to this is ensuring that every specific action taken on a system in-scope is audited and logged. When it comes to CMMC certification, it is very likely that these logs will be requested and if one cannot provide them, that’s a huge problem. Auditing is one of the reactive tools in security as opposed to AM, AC, and AT which are proactive domains.

AT – Awareness Training

Training within an organization helps to ensure that employees are aware of the security risks associated with their daily activities. This goes into every single onboarding process, not just for those involved directly in IT. Finance, Human Resources, C-Suite, Marketing, Legal, and every single other department within the organization will, at one point or another, become a target of some sort of attack, typically a form of social engineering. Making your staff aware of these potential attacks, how to avoid them, and what to do should an incident occur is key for compliance in many frameworks, but especially within the CMMC.

Next week we will discuss Configuration Management, Identification, Incident Response, Maintenance, and Media Protection. For more information on these domains, feel free to look over the official CMMC Framework published earlier this year.

Follow us for more updates on this project!

For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de

Written By: Austin Grupposo’23 // Digital Forensics & Cybersecurity

More Partners
The End: DFIR
DFIR: Rise of the Next Step
Winding Down: CMMC Setbacks, MCSP Experience, and the Future