Tech Thursday: DFARS In Depth – Part 1: Access Control

Recently, we looked at the new DFARS regulation for defense contractors, called the Cybersecurity Maturity Model Certification, and what your business can do to prepare for its implementation. As we mentioned, CMMC will be largely based on NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. So, starting this week, we will examine each of the 14 security requirement families outlined in SP 800-171, and how your business can implement their requirements successfully, even in a small network.

Each of the requirement families is divided into basic security requirements and derived security requirements. The basic requirements outline the overall goal of the security requirements, while the derived requirements list specific controls or processes that implement those goals. But, even in these derived requirements, there are no specific means to implement these requirements -- that is up to each organization’s system security plan (SSP). So, we’ll mention a few ways that these requirements can be met, but the specifics will depend on the requirements of your company and network environment.

The first of the security requirement families is Access Control, so we’ll start our discussion with this one.

Access Control - Basic Security Requirements

The two basic security requirements in the access control family are:

  • Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
  • Limit system access to the types of transactions and functions that authorized users are permitted to execute 

In other words, only authorized users should be able to access your systems, and those users should only be allowed to do what they are authorized to do. For example, a visitor to your offices shouldn’t be able to log on to one of your computers. But, of equal importance, while your staff accountant of course needs to be able to log on to her computer and access financial data to do her job, she shouldn’t have access to engineering drawings and R&D data from another section of your office.

Access Control - Derived Security Requirements

There are 20 derived security requirements in the access control family. These requirements cover specific ways that access control must be maintained on your network.

First, let’s talk about “least privilege”. Three of the security requirements cover this important security principle:

  • Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • Use non-privileged accounts or roles when accessing nonsecurity functions.
  • Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

“Least privilege” means granting only the rights or access needed for a specific job, task, or function. One basic way is making sure that all users -- even those who occasionally need local admin rights -- are not using administrative accounts for day-to-day use. This is especially true of admins who have rights to administer secure systems -- they should use a secondary login for those functions, with a more limited account for things like Web browsing and email.
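As an added illustration (not from the original article), the sketch below checks the two failure modes described above: a privileged account being used for day-to-day programs, and a non-privileged account running something with administrative rights. The group names, program names, accounts and events are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Assumptions for this example: which groups count as privileged, and which
# programs count as day-to-day (nonsecurity) use such as browsing and email.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
DAILY_USE_PROGRAMS = {"chrome.exe", "msedge.exe", "outlook.exe"}

@dataclass(frozen=True)
class Event:
    account: str
    program: str
    elevated: bool  # True if the process ran with administrative rights

# Constructed sample inventory: account -> group memberships.
MEMBERSHIPS = {
    "jsmith": ["Users"],
    "jsmith-adm": ["Users", "Administrators"],
    "accountant1": ["Users", "Finance"],
}

# Constructed sample process-execution events.
EVENTS = [
    Event("jsmith", "outlook.exe", False),      # limited account for email: fine
    Event("jsmith-adm", "chrome.exe", True),    # admin account used for browsing
    Event("accountant1", "regedit.exe", True),  # non-privileged user, elevated run
    Event("jsmith-adm", "mmc.exe", True),       # admin account doing admin work: fine
]

def privileged_accounts(memberships):
    """Return the accounts that belong to at least one privileged group."""
    return {a for a, groups in memberships.items() if PRIVILEGED_GROUPS & set(groups)}

def audit(memberships, events):
    """Return (finding, account, program) tuples for least-privilege violations."""
    priv = privileged_accounts(memberships)
    findings = []
    for ev in events:
        prog = ev.program.lower()
        if ev.account in priv and prog in DAILY_USE_PROGRAMS:
            findings.append(("privileged-account-daily-use", ev.account, prog))
        elif ev.account not in priv and ev.elevated:
            findings.append(("unprivileged-elevated-execution", ev.account, prog))
    return findings

if __name__ == "__main__":
    for finding in audit(MEMBERSHIPS, EVENTS):
        print(finding)
```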

Another set of security requirements in this section involves remote access to your systems. 

  • Monitor and control remote access sessions.
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
  • Route remote access via managed access control points.

These three requirements almost certainly involve the use of a VPN gateway to enable remote access to your systems. Even so, just using a VPN does not guarantee security. It must be configured in a way that keeps authorized users secure while keeping unauthorized users out. A well-configured VPN service will allow you to restrict access to authorized users, route VPN traffic via encrypted tunnels, and control what services VPN users may access. Additionally, logging is required to prevent data breaches and exfiltration.
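The following added example (not part of the original article) reviews VPN session logs against the three properties named above: authorized users only, encrypted tunnels, and restricted services. The log format, user names, addresses and cipher list are constructed assumptions, not the output of any particular VPN product.

```python
import re

# Constructed policy for this example: who may use the VPN and which
# internal services (host:port) each user may reach through it.
ALLOWED_SERVICES = {
    "alice": {"10.0.5.20:443", "10.0.5.21:445"},
    "bob": {"10.0.5.20:443"},
}
# Assumption: cipher names the gateway is configured to accept.
APPROVED_CIPHERS = {"AES-256-GCM", "AES-128-GCM"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) cipher=(?P<cipher>\S+)$"
)

# Constructed sample log lines (hypothetical gateway log format).
SAMPLE_LOG = """\
2024-01-11T08:02:10Z user=alice src=203.0.113.7 dst=10.0.5.20:443 cipher=AES-256-GCM
2024-01-11T08:05:44Z user=bob src=198.51.100.23 dst=10.0.5.21:445 cipher=AES-256-GCM
2024-01-11T08:09:02Z user=contractor9 src=192.0.2.99 dst=10.0.5.20:443 cipher=AES-256-GCM
2024-01-11T08:12:30Z user=alice src=203.0.113.7 dst=10.0.5.21:445 cipher=NONE
garbled line without fields
"""

def review_sessions(log_text):
    """Return (line_number, finding) tuples for sessions that break policy."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if m is None:
            # A line that cannot be parsed is a monitoring gap, so report it.
            findings.append((lineno, "unparseable"))
            continue
        user, dst, cipher = m["user"], m["dst"], m["cipher"]
        if user not in ALLOWED_SERVICES:
            findings.append((lineno, "unauthorized-user"))
        elif dst not in ALLOWED_SERVICES[user]:
            findings.append((lineno, "service-not-permitted"))
        if cipher not in APPROVED_CIPHERS:
            findings.append((lineno, "unapproved-cipher"))
    return findings

if __name__ == "__main__":
    for finding in review_sessions(SAMPLE_LOG):
        print(finding)
```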

The requirements also extend to your wireless network.

  • Authorize wireless access prior to allowing such connections.
  • Protect wireless access using authentication and encryption.

Of course, this means that open Wi-Fi networks are right out. But even consumer-grade encryption, such as WPA2-PSK, is probably not secure enough to meet this standard. Enterprise-grade authentication and strong encryption should be used, for example by authenticating users and devices via a RADIUS service. And any Wi-Fi access provided to guests also needs to be secured and separated from your internal network.

The final set of security requirements that we’ll cover involves mobile devices, including laptops.

  • Control connection of mobile devices.
  • Encrypt CUI on mobile devices and mobile computing platforms.
  • Verify and control/limit connections to and use of external systems.
  • Limit use of portable storage devices on external systems.

If your mobile devices are connected to untrusted networks, then extra care must be taken to ensure that they remain secure. Additionally, a full disk encryption solution, such as BitLocker, is required. There have been several significant data breaches in recent years caused by theft or loss of a laptop containing sensitive information, which would have been mitigated by a disk encryption solution.

We’ve only been able to cover about half of the security requirements in this section. Again, it’s up to you to ensure that your company is complying with these regulations. And if you need help to make sure that your systems are compliant with NIST 800-171 and DFARS, contact a competent IT service provider, such as E-N Computers, who can evaluate your needs and help you to remain compliant.