Reference: CMMC 1.02
Level Introduced: 2
Use encrypted sessions for the management of network devices.
When an organization connects to and manages network devices, it should use an encrypted session. The most common encrypted method is a Secure Shell (SSH).
You are an IT administrator for your organization. You are in charge of updating devices on your network. You access these devices over the network instead of at the deviceâ€™s physical location. When you establish a connection to these devices, you use an SSH connection. An SSH connection protects you. For example, an adversary has installed malware on a network device. If you use an unencrypted session (i.e., telnet into a device) the adversary can view your username and password. But, if you use an SSH connection, the adversary cannot see this information.
Management of network devices is a security critical process and needs to have confidentiality protection and authentication to protect against adversaries trying to gain information or change the network infrastructure.
Confidentiality protection prevents an adversary from sniffing passwords or configuration information. Authenticity protection includes, for example, protecting against man-in-the- middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services).
Source: CMMC v1.02