CMMC Level 1 Continuous Monitoring: Everything You Need to Know

This post discusses strategies for monitoring the effectiveness of security requirements. Control assessments are infrequent, often occurring only once per year. Continuous monitoring activities fill the gap between assessments with ongoing awareness of threats, vulnerabilities, and control effectiveness.

NIST SP 800-137 defines the information security continuous monitoring (ISCM) process:

  1. Define an ISCM program

  2. Establish an ISCM program

  3. Implement an ISCM program

  4. Analyze data and report findings

  5. Respond to findings

  6. Review and update the ISCM strategy

The purpose of this post is to define an ISCM for CMMC Level 1 security requirements. The proposed ISCM consists of the following tasks:

  • Create and maintain a list of authorized accounts

  • System access briefings

  • Review of account access

  • Review of account types

  • Update the system component inventory

  • Update the network diagram

  • Review website content

  • Maintain an authorized personnel access list

  • Review physical access logs

  • Check for new vulnerabilities

  • Vulnerability reporting

  • System patching

  • Develop and maintain a maintenance log

Adoption of these tasks does not constitute implementation of CMMC Level 1. Rather, these strategies supplement configurations of hardware and software. Each task below lists the assessment objectives it supports, the evidence it produces, and a sample policy statement; together these form a continuous monitoring responsibility matrix that identifies the assessment objectives met by these activities.

Create and Maintain a List of Authorized Accounts

This task focuses on maintaining account authorizations for persons and non-person entities (NPEs).

ICS 500-30 defines several types of non-person entities, including:

  • servers 

  • services

  • processes

  • applications

  • end-point devices

  • network devices

ICS 500-30 also identifies attributes relevant to authorized accounts, including:

  • Unique digital identifier

  • Entity type

  • Life cycle status (for NPEs)

  • Role

Each account requires a documented authorization from the CIO/CISO or a delegate. NIST SP 800-53 AC-2 requires that requests to create accounts be approved before access is granted, so the authorization record should exist before the account does.

Once the list exists, the following tasks help maintain it: system access briefings, reviews of account access, and reviews of account types, each described below.

Maintaining an authorized account list helps meet the following CMMC Level 1 objectives:

  • AC.L1-b.1.i(a) identifying authorized users

  • AC.L1-b.1.i(b) identifying processes acting on behalf of authorized users

Evidence:

  • procedures addressing account management

  • list of active system accounts and the names of the associated individuals

  • access authorization records

Policy Statement

Account Management

  • Requests to establish new accounts require appropriate authorization

System Access Briefings

Briefing users on their responsibilities helps ensure appropriate access and privileges. The DCSA Assessment and Authorization Process Manual Version 2.2 recommends covering:

  • Safeguarding information & systems

  • Protecting & acceptable media use

  • Authorized data and system use

  • Reporting security incidents

  • Challenging unauthorized personnel

  • Access aligns with approvals

  • Security and awareness training

  • Sign all logs, forms and receipts

  • MACD procedures

  • Copyright laws 

  • Licensing agreements

  • Data transfer procedures

  • Social Media policy

  • Password requirements

Brief users before granting access to the system and once a year thereafter. Documenting briefings establishes evidence for the following CMMC Level 1 objectives:

  • AC.L1-b.1.i(a) identifying authorized users

  • AC.L1-b.1.i(d) limiting system access to authorized users

  • AC.L1-b.1.ii(a) defining the permitted types of transactions and functions

Evidence:

  • account management compliance reviews

Policy Statement

Account Management

  • IT reviews and monitors authorized accounts

Access Enforcement

  • Job requirements form the basis of authorizations granting access to systems and data. 

Review of Account Access

Reviewing account access is best performed at the application layer. The application manager should know the access requirements for all users.

NIST SP 800-12 provides some guidance on what to examine during these reviews:

  • Levels of access for each account

  • Conformity with the concept of least privilege

  • Whether all accounts are still active

  • Whether management authorizations are up-to-date

  • Completion of required training

Reviews should occur every month. The reviewer should sign an access approval list that documents the approvals; the signed list is the evidence of the review.

Documenting reviews establishes evidence for the following CMMC Level 1 objectives:

  • AC.L1-b.1.i(a) identifying authorized users

  • AC.L1-b.1.i(b) identifying processes acting on behalf of authorized users

  • AC.L1-b.1.i(d) limiting system access to authorized users

  • AC.L1-b.1.i(e) limiting system access to processes acting on behalf of authorized users

Evidence:

  • List of active system accounts and the names of the associated individuals

  • Notifications or records of recently transferred, separated, or terminated employees

  • List of recently disabled system accounts along with the names of associated individuals 

  • Access authorization records

  • System audit logs and records

Policy Statement

Account Management

  • IT revokes access for any terminated users

  • IT disables accounts after 30 days of inactivity

  • IT tracks and monitors role assignments for privileged user accounts 

  • IT disables or removes default accounts
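The monthly review above is a reconciliation: the accounts that actually exist on a system are compared with the authorized-account list, the HR separation notices, and the inactivity and default-account policy statements. The following is an added example of that reconciliation, not code from the original post. All of its data is constructed, and the field names (id, type, role, enabled, last_logon) are this example's own assumptions rather than the export format of any particular directory or application.

```python
"""Monthly account-access review: reconcile the accounts present on a system
against the authorized-account list and HR separation notices.

Added example, not code from the original post. All data below is
constructed; field names (id, type, role, enabled, last_logon) are this
example's own assumptions, not an export format of any particular product.
"""
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=30)       # policy: disable after 30 days idle
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "root"}  # policy: disable/remove
REVIEW_DATE = date(2024, 5, 31)             # date this review was run (constructed)

# Constructed authorized-account list (attributes per ICS 500-30: identifier,
# entity type, role, life-cycle status for NPEs, and who approved it).
AUTHORIZED = [
    {"id": "jdoe",       "type": "person", "role": "engineer", "approved_by": "ciso"},
    {"id": "asmith",     "type": "person", "role": "finance",  "approved_by": "ciso"},
    {"id": "svc-backup", "type": "npe",    "role": "service",  "lifecycle": "active",
     "approved_by": "cio"},
]

# Constructed export of the accounts that actually exist on the system.
SYSTEM_ACCOUNTS = [
    {"id": "jdoe",       "enabled": True,  "last_logon": date(2024, 5, 20)},
    {"id": "asmith",     "enabled": True,  "last_logon": date(2024, 3, 1)},   # idle 91 days
    {"id": "svc-backup", "enabled": True,  "last_logon": date(2024, 5, 28)},
    {"id": "bjones",     "enabled": True,  "last_logon": date(2024, 5, 27)},  # never authorized
    {"id": "admin",      "enabled": True,  "last_logon": None},               # vendor default
    {"id": "oldtemp",    "enabled": False, "last_logon": date(2023, 12, 1)},  # disabled, unlisted
]

# Constructed HR notice of separated or terminated employees.
TERMINATED = {"asmith"}


def review_accounts(authorized, system_accounts, terminated, today):
    """Return findings by category, each a sorted list of account ids."""
    authorized_ids = {a["id"] for a in authorized}
    findings = {"unauthorized": [], "terminated_but_enabled": [],
                "inactive": [], "default_enabled": []}
    for acct in system_accounts:
        uid = acct["id"]
        if uid in DEFAULT_ACCOUNTS:
            # Default accounts are judged only on whether they are still enabled.
            if acct["enabled"]:
                findings["default_enabled"].append(uid)
            continue
        if uid not in authorized_ids:
            # Exists on the system but has no authorization record at all.
            # Disabled accounts count too: the list must explain every account.
            findings["unauthorized"].append(uid)
        if acct["enabled"] and uid in terminated:
            findings["terminated_but_enabled"].append(uid)
        if acct["enabled"]:
            last = acct["last_logon"]
            if last is None or today - last >= INACTIVITY_LIMIT:
                findings["inactive"].append(uid)
    return {k: sorted(v) for k, v in findings.items()}


def review_record(findings, reviewer, today):
    """Build the review record kept as evidence for the assessor."""
    return {
        "reviewed_on": today.isoformat(),
        "reviewer": reviewer,
        "actions_required": sum(len(v) for v in findings.values()),
        "findings": findings,
    }


def run_review():
    """Run the review against the constructed data above."""
    return review_accounts(AUTHORIZED, SYSTEM_ACCOUNTS, TERMINATED, REVIEW_DATE)


if __name__ == "__main__":
    result = run_review()
    for category, ids in result.items():
        print(f"{category:24s} {', '.join(ids) or '-'}")
    print(review_record(result, "app-owner", REVIEW_DATE))
```

Each finding maps to a policy statement above: unauthorized accounts need an authorization record or removal, terminated users lose access, idle accounts are disabled, and enabled default accounts are disabled or removed. The review record, once signed by the application owner, is the access approval list the assessor will ask for.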

Review of Account Types

Organizations may define account types (for example, individual, shared, group, temporary, emergency, and service accounts) to scope access privileges. Reviewing account types helps ensure compliance with account management requirements.

AC-2 within NIST SP 800-53 discusses some points to cover during these reviews:

  • Intended system usage

  • Temporary or emergency accounts are only utilized for a short period of time

  • No shared, group, anonymous, or guest accounts

  • Specialized training requirements for some types of system accounts

Organizations should perform this task at least quarterly. Documenting this review establishes evidence for the following CMMC Level 1 objectives:

  • AC.L1-b.1.ii(b) limiting system access to the defined types of transactions and functions

Evidence:

  • List of conditions for group and role membership

Policy Statement

Account Management

  • IT terminates access for temporary and emergency accounts when no longer needed

Update System Component Inventory

Organizations should maintain system component inventories, including system-specific information, for component accountability. Devices missing from the inventory are neither patched nor monitored, and unauthorized devices expose the system to exploitation. An up-to-date component inventory also enables effective patching. Given these risks, maintaining the component inventory requires frequent monitoring or automated tools that discover assets and catalog their hardware, software, and firmware.

NIST SP 800-53 (CM-8) lists the following as information an inventory should capture:

  • Software version numbers

  • Hardware inventory specifications

  • Software license information

  • Machine names

  • Network addresses (IPv4, IPv6)

  • Date of receipt

  • Make & Model

  • Supplier information

  • Component type

  • Physical location

Organizations should define a frequency to refresh these attributes (hourly, daily, or weekly). The FedRAMP Moderate baseline requires updating the inventory at least monthly or when components change. Updating the component inventory establishes evidence for the following CMMC Level 1 objectives:

  • AC.L1-b.1.i(c) identify devices (and other systems) authorized to connect to the system

  • AC.L1-b.1.i(f) limit system access to authorized devices (including other systems)

  • IA.L1-b.1.v(c) identify devices accessing the system

Evidence:

  • System monitoring records

  • System audit logs and records

  • List of devices and systems authorized to connect to organizational systems

Policy Statement

Mobile Devices

  • Only approved, owned, and maintained mobile devices may connect to the system

System Component Inventory

  • The IT department maintains an inventory of system assets that:

    • Reflects the current system

    • Includes all components within the authorization boundary

    • Includes granularity deemed necessary for tracking and reporting
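An inventory refresh is more than a set difference between "what discovery saw" and "what the list says": tracked attributes change (addresses, software versions), entries go stale when an asset stops answering, and unknown devices appear. The following is an added example of a refresh step, not code from the original post. The inventory records and the discovery output are constructed; the record fields follow the attributes listed above, with a last_seen timestamp added to drive the staleness check, and MAC address is assumed to be the stable key.

```python
"""Refresh the system component inventory from an automated discovery run,
recording what changed, what was not seen, and what was never authorized.

Added example, not code from the original post. Inventory records and the
discovery output are constructed; the record fields follow the attributes
listed above (make/model, supplier, type, location, addresses, versions,
date of receipt), with last_seen added to drive the refresh check.
"""
from datetime import datetime, timedelta

REFRESH_INTERVAL = timedelta(days=7)   # weekly, one of the frequencies suggested above

# Constructed authorized inventory, keyed by MAC address (assumed stable identifier).
INVENTORY = {
    "00:11:22:33:44:01": {"name": "ws-eng-01", "type": "workstation",
                          "make_model": "ExampleCo M1", "supplier": "ExampleCo Inc.",
                          "location": "Bldg A / Rm 101", "received": "2023-02-14",
                          "ipv4": "10.0.1.15", "os_version": "11.0.1",
                          "last_seen": datetime(2024, 5, 30, 9, 0)},
    "00:11:22:33:44:02": {"name": "srv-file-01", "type": "server",
                          "make_model": "ExampleCo R2", "supplier": "ExampleCo Inc.",
                          "location": "Bldg A / Server Rm", "received": "2022-08-01",
                          "ipv4": "10.0.2.5", "os_version": "2022",
                          "last_seen": datetime(2024, 5, 30, 9, 0)},
    "00:11:22:33:44:03": {"name": "prn-lobby", "type": "printer",
                          "make_model": "PrintCo P9", "supplier": "OfficeSupply LLC",
                          "location": "Bldg A / Lobby", "received": "2021-11-30",
                          "ipv4": "10.0.1.200", "os_version": "3.4",
                          "last_seen": datetime(2024, 4, 1, 9, 0)},     # not seen in weeks
}

# Constructed output of a discovery tool run at DISCOVERY_TIME.
DISCOVERY_TIME = datetime(2024, 5, 31, 9, 0)
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ipv4": "10.0.1.15", "os_version": "11.0.2"},  # OS updated
    {"mac": "00:11:22:33:44:02", "ipv4": "10.0.2.6",  "os_version": "2022"},    # address changed
    {"mac": "aa:bb:cc:dd:ee:ff", "ipv4": "10.0.1.77", "os_version": "?"},       # not in inventory
]


def refresh_inventory(inventory, discovered, now):
    """Merge a discovery run into a copy of the inventory.

    Returns (updated_inventory, findings) where findings has:
      unauthorized - MACs seen on the network with no inventory record
      changed      - (name, field, old, new) for tracked fields that differ
      stale        - names not seen within REFRESH_INTERVAL
    """
    updated = {mac: dict(rec) for mac, rec in inventory.items()}
    findings = {"unauthorized": [], "changed": [], "stale": []}
    for seen in discovered:
        rec = updated.get(seen["mac"])
        if rec is None:
            findings["unauthorized"].append(seen["mac"])
            continue
        for field in ("ipv4", "os_version"):
            if rec[field] != seen[field]:
                findings["changed"].append((rec["name"], field, rec[field], seen[field]))
                rec[field] = seen[field]      # inventory now reflects the current system
        rec["last_seen"] = now
    for rec in updated.values():
        if now - rec["last_seen"] > REFRESH_INTERVAL:
            findings["stale"].append(rec["name"])
    return updated, findings


def run_refresh():
    """Run the refresh against the constructed data above."""
    return refresh_inventory(INVENTORY, DISCOVERED, DISCOVERY_TIME)


if __name__ == "__main__":
    inv, found = run_refresh()
    print("unauthorized:", found["unauthorized"])
    print("changed:", found["changed"])
    print("stale:", found["stale"])
```

The three finding types each get a different follow-up: an unauthorized MAC is a candidate for network isolation until someone claims it, a changed field is a record for change control (and, for a version change, a patching data point), and a stale entry is investigated rather than silently deleted, since a decommissioned asset still needs a sanitization record before it leaves the inventory.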

Update Network Diagram

A network diagram shows a perspective of the network, not the whole network. Network diagrams may show connections, layers of access, network routing, or data flow. Network diagrams should address and depict components reflected in the authorization boundary, and:

  • Subnetting

  • Location of DNS servers

Organizations should update the network diagram at least once per year. Adding or removing system components should prompt more frequent updates.

Updating the network diagram establishes evidence for the following CMMC Level 1 objectives:

  • AC.L1-b.1.iii(a) identify connections to external systems

  • AC.L1-b.1.iii(b) identify the use of external systems

  • AC.L1-b.1.iii(e) control/limit connections to external systems

  • SC.L1-b.1.x(a) define the external system boundary

  • SC.L1-b.1.x(b) define key internal system boundaries

  • SC.L1-b.1.xi(a) identify publicly accessible system components

  • SC.L1-b.1.xi(b) separate subnetworks for publicly accessible system components from internal networks

Evidence:

  • system design documentation

  • system configuration settings and associated documentation

  • list of applications accessible from external systems

  • list of key internal boundaries of the system

  • boundary protection hardware and software

  • enterprise security architecture documentation

Policy Statement

Information System Connections

  • Only organization-owned authorized devices may connect to the network

  • Guest access is available on a separate network

Boundary Protection

  • The IT department will:

    • Implement a firewall at each internet connection 

    • Implement a firewall between any DMZ and the internal network

    • Create and maintain current network diagrams

    • Restrict inbound and outbound traffic to authorized business purposes

Review Website Content

Organizations should review content on systems accessible to the public for nonpublic information. Systems accessible to the public include company-controlled websites, public forums, and social media. If nonpublic information is discovered, organizations should remove it and address the cause of the improper posting.

Nonpublic information includes:

  • Information protected under the Privacy Act

  • Federal Contract Information (FCI)

  • Controlled Unclassified Information (CUI)

  • Proprietary information

The FedRAMP Moderate baseline requires at least a quarterly review [NIST SP 800-53 AC-22(d)]. Reviewing publicly accessible systems creates evidence for the following CMMC Level 1 objectives:

  • AC.L1-b.1.iv(d) review content on publicly accessible systems to ensure that it does not include FCI

  • AC.L1-b.1.iv(e) mechanisms are in place to remove and address improper posting of FCI

Evidence:

  • Records of publicly accessible information reviews

  • Records of response to nonpublic information on public websites

Policy Statement

Publicly Accessible Content

  • The Marketing department controls information posted on systems accessible to the public by:

    • Reviewing the content for nonpublic information

    • Removing nonpublic information if discovered
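A quarterly manual read-through of the site is the minimum; a scripted first pass over the fetched pages lets the reviewer concentrate on the hits. The following is an added example of such a pass, not code from the original post. The pages are constructed strings standing in for fetched HTML, the URLs are placeholders, and the pattern set is only a starting point that an organization would extend with its own contract numbers, project code names, and marking conventions.

```python
"""Scan publicly accessible content for nonpublic-information markers.

Added example, not code from the original post. The pages are constructed
strings standing in for fetched HTML, and the pattern set is a starting
point: an organization would extend it with its own contract numbers,
project code names, and marking conventions.
"""
import re

# Markings are scanned case-sensitively: "CUI", "FCI" and banner text are
# conventionally upper case, and a case-insensitive "confidential" would
# flag every privacy notice on the site.
PATTERNS = {
    "cui_marking": re.compile(r"\b(CUI|CONTROLLED UNCLASSIFIED INFORMATION)\b"),
    "fci_marking": re.compile(r"\b(FCI|Federal Contract Information)\b"),
    "proprietary": re.compile(r"\b(PROPRIETARY|INTERNAL USE ONLY|FOUO)\b"),
    "ssn":         re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # Privacy Act data
}

TAG_RE = re.compile(r"<[^>]+>")

# Constructed pages: a company site, a news post, and a public forum thread.
PAGES = {
    "https://www.example.com/about":
        "<html><body><h1>About Us</h1><p>We make widgets for the public sector.</p></body></html>",
    "https://www.example.com/news/2024-05":
        "<html><body><p>CUI//SP-CTI attached: delivery schedule for the widget contract.</p>"
        "<p>Questions? Contact the PM, SSN 123-45-6789 on file.</p></body></html>",
    "https://forum.example.com/t/42":
        "<div class='post'>Draft marked INTERNAL USE ONLY, please do not repost.</div>",
}


def scan_text(text):
    """Return [(pattern_name, matched_text), ...] for one page's visible text."""
    plain = TAG_RE.sub(" ", text)   # strip tags so markings split by markup still match
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(plain):
            hits.append((name, m.group(0)))
    return hits


def scan_pages(pages):
    """Return {url: hits} for every page with at least one hit."""
    results = {}
    for url, text in pages.items():
        hits = scan_text(text)
        if hits:
            results[url] = hits
    return results


def run_scan():
    """Scan the constructed pages above."""
    return scan_pages(PAGES)


if __name__ == "__main__":
    for url, hits in run_scan().items():
        print(url)
        for name, text in hits:
            print(f"   {name}: {text!r}")
```

Every hit still needs a human decision (a press release that legitimately says "Federal Contract Information" is not a leak), and the scan output plus the reviewer's disposition of each hit is exactly the "records of publicly accessible information reviews" an assessor asks for. Pattern matching cannot find nonpublic information that carries no marking, so it supplements the read-through rather than replacing it.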

Maintain an Authorized Personnel Access List

Organizations should develop, approve, and maintain a list of personnel with authorized access. Access refers to areas within a physical space that are not accessible to the public. Organizations should issue credentials to authorized personnel. When access is no longer required, organizations should revoke access credentials.

Credentials may include:

  • Identification cards

  • Building passes

  • Keys

  • Smart cards

The FedRAMP Moderate baseline requires at least an annual review of the access list [NIST SP 800-53 PE-2(c)]. Reviewing the access list creates evidence for the following CMMC Level 1 objectives:

  • PE.L1-b.1.viii(a) identify authorized individuals allowed physical access

  • PE.L1-b.1.viii(d) limit physical access to environments to authorized individuals

Evidence:

  • Authorized personnel access list

  • Physical access list reviews

Policy Statement

Physical Access Authorizations

  • The security office:

    • approves and maintains a list of personnel with authorized access to the facility

    • reviews the access list and removes personnel no longer requiring access

Review Physical Access Logs

Organizations should maintain logs of access to areas not accessible to the public. This applies to employees, individuals with physical access authorization credentials, and visitors.

Visitor access records should include the following details:

  • Names and organizations

  • Visitor signatures

  • Forms of identification

  • Dates of access

  • Entry and departure times

  • Purpose of visits

  • Names and organizations of individuals visited

The FedRAMP Moderate baseline requires at least a monthly review of these logs [NIST SP 800-53 PE-6 (b) and PE-8 (b)]. Organizations should maintain records for at least one year [NIST SP 800-53 PE-8 (a)].

Reviewing physical access logs establishes evidence for the following CMMC Level 1 objectives:

  • PE.L1-b.1.ix(c) maintain audit logs of physical access

Evidence:

  • Physical access control logs or records

Policy Statement

Physical Access Control

  • The security office:

    • Maintains and reviews physical access audit logs

Check for New Vulnerabilities

Organizations may identify potential system flaws through automated and manual methods. An automated method is running vulnerability scans on a scheduled frequency. A manual method is identifying how system component manufacturers communicate security updates, since advisories are sometimes issued before patches are available. Communication methods include mailing lists and RSS feeds.

Another manual method may include reviewing cybersecurity advisories from trusted sources:

  • US-CERT - Cybersecurity Subscriptions

    • Known Exploited Vulnerabilities Catalog

    • Cybersecurity Advisories

    • Vulnerability Bulletins

    • ICS Cybersecurity Advisories

    • CISA Community Bulletin

The frequency with which organizations identify flaws drives the corresponding reporting and corrective action frequencies. The FedRAMP Moderate baseline requires the installation of security updates within 30 days of their release [NIST SP 800-53 SI-2(c)]. The organization-defined times to identify, report, and patch system flaws must therefore add up to no more than 30 days from release.

Checking for new vulnerabilities establishes evidence for the following CMMC Level 1 objectives:

  • SI.L1-b.1.xii(a) specify the time within which to identify system flaws

  • SI.L1-b.1.xii(b) identify system flaws within the specified time frame

Evidence:

  • List of flaws and vulnerabilities potentially affecting the system

Policy Statement

Security Alerts, Advisories, and Directives

  • The IT office analyzes security alerts and advisories and takes appropriate actions.

Vulnerability scanning

  • Vulnerability scanning activities include analysis of internal and external scans

Vulnerability Reporting

Organizations should have a documented process to analyze vulnerabilities and categorize their severity. Reporting should also include the appropriate risk response.

NIST SP 800-40 identifies the following risk responses to known vulnerabilities:

  • Accept

  • Mitigate

  • Transfer

  • Avoid

Mitigation often depends on the manufacturer releasing a patch; until one is available, the organization may remove or isolate the vulnerable system component. NIST SP 1800-31 distinguishes non-critical (routine) and critical (emergency) system patching:

  • Non-Critical System Patching - an established procedure that releases patches on a regular schedule. Routine patching covers endpoint firmware, operating systems, and applications, and server operating systems and applications.

  • Critical System Patching - an emergency procedure to address extreme-severity vulnerabilities, including those with documented exploitation in the wild.

The FedRAMP Moderate baseline requires updates within 30 days of their release [NIST SP 800-53 SI-2(c)]. Thus, the combined time to identify, report, and patch systems should be less than 30 days. Reporting new vulnerabilities establishes evidence for the following CMMC Level 1 objectives:

  • SI.L1-b.1.xii(c) specify the time within which to report system flaws

  • SI.L1-b.1.xii(d) report system flaws within the specified time frame

Evidence:

  • List of flaws and vulnerabilities potentially affecting the system

Policy Statement

Vulnerability scanning

  • Vulnerability scanning activities include reporting identified vulnerabilities

System Patching

Organizations should follow a documented procedure for applying system patches. Planning patch deployments involves considering the type of software, platform, and environmental limitations. NIST SP 800-40 provides common steps for preparing to deploy a patch:

  • Prioritize the patch

  • Schedule patch deployment

  • Acquire the patch

  • Validate the patch

  • Test the patch

  • Monitor deployed patches
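The three SI.L1-b.1.xii tasks above (check for new vulnerabilities, vulnerability reporting, system patching) share one data flow: an advisory is matched against the software inventory, classified as routine or emergency, and given identify/report/correct deadlines that together fit inside the 30-day window. The following is an added example of that flow serving all three sections, not code from the original post. The advisory feed and the software inventory are constructed with placeholder identifiers (not real CVEs or products), and the time frames are this example's own assumptions; a real run would read the feed from a vendor mailing list or the CISA Known Exploited Vulnerabilities catalog, which is where the exploited_in_wild flag would come from.

```python
"""Match a vulnerability feed against the installed-software inventory,
classify each hit as routine or emergency, and compute the identify,
report, and correct deadlines.

Added example, not code from the original post. The advisory feed and the
software inventory are constructed with placeholder identifiers; the time
frames are assumptions chosen so that identify + report + correct fits
within 30 days of release.
"""
from datetime import date, timedelta

# Organization-defined time frames (SI.L1-b.1.xii only requires that they be
# specified and met). Values are assumptions for this example.
IDENTIFY_WITHIN = timedelta(days=7)     # from advisory publication
REPORT_WITHIN = timedelta(days=3)       # from identification
CORRECT_ROUTINE = timedelta(days=30)    # from publication; FedRAMP Moderate SI-2(c)
CORRECT_EMERGENCY = timedelta(days=7)   # from publication; exploited in the wild

CHECKED_ON = date(2024, 5, 31)          # date this check ran (constructed)

# Constructed advisory feed (placeholder IDs, not real CVEs or products).
FEED = [
    {"id": "ADV-0001", "vendor": "ExampleCo", "product": "FileServer",
     "fixed_version": "4.3", "published": "2024-05-20", "exploited_in_wild": True},
    {"id": "ADV-0002", "vendor": "ExampleCo", "product": "Workstation Agent",
     "fixed_version": "1.1", "published": "2024-05-02", "exploited_in_wild": False},
    {"id": "ADV-0003", "vendor": "OtherVendor", "product": "Edge Router",
     "fixed_version": "9.9", "published": "2024-05-25", "exploited_in_wild": True},
]

# Constructed software inventory (output of the component-inventory task).
INSTALLED = [
    {"host": "srv-file-01", "vendor": "ExampleCo",   "product": "FileServer",        "version": "4.2"},
    {"host": "ws-eng-01",   "vendor": "ExampleCo",   "product": "Workstation Agent", "version": "1.0"},
    {"host": "ws-eng-02",   "vendor": "ExampleCo",   "product": "Workstation Agent", "version": "1.1"},
    {"host": "rtr-edge-01", "vendor": "OtherVendor", "product": "Edge Router",       "version": "9.8"},
]


def version_key(v):
    """Dotted numeric version -> tuple, so '4.10' compares above '4.9'."""
    return tuple(int(part) for part in v.split("."))


def norm(s):
    """Normalize vendor/product names for matching (case and whitespace only)."""
    return " ".join(s.lower().split())


def match_feed(feed, installed, checked_on):
    """Return one finding per (advisory, host) whose installed version is below the fix."""
    findings = []
    for adv in feed:
        published = date.fromisoformat(adv["published"])
        emergency = adv["exploited_in_wild"]
        correct_by = published + (CORRECT_EMERGENCY if emergency else CORRECT_ROUTINE)
        for sw in installed:
            if norm(sw["vendor"]) != norm(adv["vendor"]) or norm(sw["product"]) != norm(adv["product"]):
                continue
            if version_key(sw["version"]) >= version_key(adv["fixed_version"]):
                continue    # already at or above the fixed version
            findings.append({
                "advisory": adv["id"],
                "host": sw["host"],
                "severity": "emergency" if emergency else "routine",
                "identified_on": checked_on,
                # identification is "late" when the check ran more than
                # IDENTIFY_WITHIN after the advisory was published
                "identify_sla_met": checked_on - published <= IDENTIFY_WITHIN,
                "report_by": checked_on + REPORT_WITHIN,
                "correct_by": correct_by,
                "overdue": correct_by < checked_on,
            })
    return findings


def run_check():
    """Run the match against the constructed feed and inventory above."""
    return match_feed(FEED, INSTALLED, CHECKED_ON)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['advisory']} {f['host']:12s} {f['severity']:9s} "
              f"report by {f['report_by']} correct by {f['correct_by']}"
              f"{'  OVERDUE' if f['overdue'] else ''}"
              f"{'' if f['identify_sla_met'] else '  identified late'}")
```

Two of the constructed findings are deliberately late: the exploited FileServer flaw was published 11 days before the check, so its 7-day emergency window has already closed, and the routine agent flaw was found 29 days after publication, leaving one day of the 30-day window for reporting and patching. Both show why the identification frequency (scan cadence, advisory subscriptions) sets the pace for everything downstream. Matching on vendor and product names is brittle; an inventory that records CPE names or package identifiers matches far more reliably.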

The FedRAMP Moderate baseline requires updates within 30 days of their release [NIST SP 800-53 SI-2(c)]. Thus, identifying, reporting, and patching systems should all complete within 30 days of release. Patching vulnerabilities establishes evidence for the following CMMC Level 1 objectives:

  • SI.L1-b.1.xii(e) specify the time within which to correct system flaws

  • SI.L1-b.1.xii(f) correct system flaws within the specified time frame

Evidence:

  • List of recent security flaw remediation actions performed on the system 

  • List of installed patches, service packs, hotfixes, and other software updates 

  • Test results from the installation of software and firmware updates to correct system flaws

  • Installation/change control records for security-relevant software and firmware updates

Policy Statement

Vulnerability scanning

  • Vulnerability scanning activities include remediation with a risk-based approach

Develop and Maintain a Maintenance Log

Maintaining information systems is critical for performance. A Maintenance Log should record maintenance and diagnostic activities performed on system components. The maintenance log may include documentation on:

  • Configuration baseline

  • Change control board changes

  • System and log backups

  • Updated system components

  • System patching

  • Antivirus updates

  • Sanitization records

  • Maintenance tools

  • Maintenance personnel

Malicious code protection mechanisms (antivirus) should update automatically. Keeping antivirus current with the latest signatures and engine updates improves malware detection. Reviewing the maintenance log weekly verifies that the antivirus solution is up to date.

The maintenance log should also include sanitization records of all system media. Sanitization log details should include:

  • Personnel and actions performed

  • Types of media sanitized 

  • Files stored on the media

  • Sanitization methods used 

  • Date and time of sanitization actions

  • Verification actions taken 

Reviewing maintenance logs establishes evidence for the following CMMC Level 1 objectives:

  • MP.L1-b.1.vii(a) sanitize or destroy system media containing [FCI] before disposal

  • MP.L1-b.1.vii(b) sanitize media containing [FCI] before release for reuse

  • SI.L1-b.1.xiv(a) update malicious code protection mechanisms when new releases are available

Evidence:

  • Media sanitization records

  • Records of malicious code protection updates

Policy Statement

System Maintenance

  • The IT office will schedule, perform, document and review system maintenance 

Maintenance Personnel

  • The IT Office will maintain a list of authorized maintenance personnel

Conclusion

We defined these tasks to gauge the efficacy of basic security requirements. We understand these tasks offer only partial fulfillment of CMMC Level 1 requirements. These tasks should complement hardware and software configurations, policies and procedures. By implementing an ISCM program, you establish a foundation for CMMC Level 2.

Thoughts from KNC Strategic Services, an Authorized C3PAO:

Preparing for passing a CMMC assessment is a big undertaking. Following the practices in this guide will better prepare you for the assessment. You will have your evidence organized and ready. You will be able to prove how you are meeting the requirements. In an assessment, evidence is everything. The more you can prove up front, the faster an assessment will go. So get your CMMC ducks in a row.