Level 5 CMMC - CMMC Practices

SC.4.228  

Reference: CMMC 1.02

Family: SC

Level Introduced: 4

Practice:
Isolate administration of organizationally defined high-value critical network infrastructure components and servers.

CMMC Clarification:
Where the organization has identified high value critical network infrastructure used in the processing and management of CUI data, they will physically or logically isolate management these systems from their production network, such as through the use of an Out-of-Band network. Access controls are implemented to prevent non-authorized users from accessing the management network and changing the configuration of an infrastructure component processing CUI information.

Example 1
You are responsible for security architecture and are asked to build and secure a network enclave to support a large project processing CUI data from two facilities in your organization. The architecture you designed to support this project has a workgroup switch in each location connected to a firewall to the Internet. The management interfaces on the two switches and the firewall are all connected to the Out-of-Band (OOB) management network that is air-gapped from the rest of the company and the Internet.

Example 2
You have created VLANs that are used to access the management interface of all the network switches and the servers in the data center. These VLANs are isolated from the rest of the organization’s network so only the network engineers and server administrators can manage these devices from their offices or a Bastion Host server you set up.

Organizations apply systems security engineering concepts and principles to identify the high value critical network infrastructure components in their network. High value critical systems are those that if compromised could lead to unauthorized access, use, modification or destruction of large amounts of CUI. Examples include boundary protection systems (e.g., routers, firewalls, intrusion protection and detection systems), critical infrastructure servers (e.g., domain, policy, certificate) and key servers processing CUI (e.g., file, mail, collaboration applications) Securing administration, the ability to alter the configuration of these components, includes delineating physical and logical security boundaries between the data and management interfaces such as through the use of an Out-of-Band network.

NIST Special Publication 800-160 provides guidance on systems security engineering.

Source: CMMC v1.02

3.13.2

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Discussion:
Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.

[SP 800-160-1] provides guidance on systems security engineering.

Source: NIST Special Publication 800-171 Rev. 2

SA-8

SECURITY ENGINEERING PRINCIPLES

Description:
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Supplemental Guidance:
Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02