Level 5 CMMC - CMMC Practices

SC.3.181  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Separate user functionality from system management functionality.

CMMC Clarification:
Prevent user functionality and services from accessing system management functionality on IT components, e.g., databases, network components, workstations, servers. This reduces the attack surface to those critical interfaces by limiting who can access them and how they can be accessed. This can be achieved through both logical and physical methods using computers, CPUs, operating system, network addresses or a combination of these methods. By separating the user functionality from system management functionality, the administrator or privileged functions are not available to the general user.

The intent of this practice is to ensure:
• general users are not permitted to perform system administration functions; and
• system administrators only perform system administration functions from their privileged account.
This can be accomplished using separation like VLANs or logical separation using strong access control methods.

Example 1
You are an IT administrator responsible for preventing access to information system management functions for your organization. Your company has a policy stating that system management functionality must be separated from user functionality.

To comply with the policy, you provide physical protection by segregating certain functions to separate servers and connect those servers to their own sub-net network. You limit access to the separate servers so only approved system administrators can access them. They use special admin accounts with a different username from their normal accounts to login to
these servers.

Example 2
You are an IT administrator responsible for preventing access to information system management functions for your organization. Your company has a policy stating that system management functionality must be separated from user functionality.

You login to the servers using a standard account to perform your daily work. Occasionally, you need to perform administrative tasks. To perform those tasks, you enter a command that elevates your rights to a system administrator. You enter your administrator credentials, which are different from your daily user account, to execute the administrative tasks. When completed, you go back to using your standard account.

3.13.3

Separate user functionality from system management functionality.

Discussion:
System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

Source: NIST Special Publication 800-171 Rev. 2

SC-2

APPLICATION PARTITIONING

Description:
The information system separates user functionality (including user interface services) from information system management functionality.

Supplemental Guidance:
Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02