Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: AC

Level Introduced: 4

Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.

CMMC Clarification:
This practice adds context about the user and the specific access attempt before network access is granted. First, the organization must identify attributes that are important for managing the risk of remote network access. Then, the administrator restricts remote access based on the state of these attributes. The remote access control mechanism must be enhanced to check attributes such as the subject’s location, the state of the network (e.g., running services, resources available, traffic statistics, network hosts in the local network and traffic patterns between nodes), host posture, time-of-day, expected behavior associated with the user's role, and normal behavior for the user based on previous use. All the attributes checked must be within tolerance for the user requesting remote access. The organization is not limited to these attributes or required to use these attributes.

One possible approach could include:
(1) a policy database or the organization-determined access policy;
(2) an attribute database for subjects, the environment and resources; and
(3) a policy enforcement engine leveraging a policy language like XACML to check the policy and attributes before access is granted.

You are an employee who typically works from home using a corporately owned laptop. You request access from your laptop to a server containing network diagrams for a system you are designing, and access is granted. You also have a personal tablet which you only use for email via a corporate web site when traveling to a sponsor's location. Since you are traveling more and more frequently, you request access to the server using the tablet to support your engineering work. Since the device is personally owned, the host posture attribute is not satisfied. As a result, your network access request from the tablet is denied.
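The three components listed above, applied to the laptop and tablet scenario, can be sketched as follows. This is an added example, not part of CMMC v1.02: it uses plain Python predicates in place of a policy language like XACML, and the user, device and server names, the 06:00-22:00 access window and all sample attribute values are assumptions.

```python
from datetime import time

# (2) Attribute database for subjects, the environment (devices) and resources.
# All entries are constructed sample data.
SUBJECTS = {"engineer1": {"role": "engineer",
                          "usual_locations": {"home", "sponsor-site"}}}
DEVICES = {
    "laptop-01": {"owner": "corporate"},
    "tablet-07": {"owner": "personal"},
}
RESOURCES = {"diagram-server": {"allowed_roles": {"engineer"}}}

# (1) Policy database: named checks over the request context. Every check must
# pass (all attributes within tolerance). The 06:00-22:00 window is assumed.
POLICY = [
    ("role", lambda c: c["subject"]["role"] in c["resource"]["allowed_roles"]),
    ("host_posture", lambda c: c["device"]["owner"] == "corporate"),
    ("location", lambda c: c["location"] in c["subject"]["usual_locations"]),
    ("time_of_day", lambda c: time(6, 0) <= c["when"] <= time(22, 0)),
]


def decide(user, device_id, resource, location, when):
    """(3) Policy enforcement: return (decision, names of failed checks)."""
    subject = SUBJECTS.get(user)
    device = DEVICES.get(device_id)
    res = RESOURCES.get(resource)
    # Fail closed: a request whose attributes cannot be looked up is denied.
    if subject is None or device is None or res is None:
        return "deny", ["unknown_attribute"]
    ctx = {"subject": subject, "device": device, "resource": res,
           "location": location, "when": when}
    failed = [name for name, check in POLICY if not check(ctx)]
    return ("deny" if failed else "permit"), failed


if __name__ == "__main__":
    # Corporate laptop from home, then personal tablet from the sponsor's site.
    print(decide("engineer1", "laptop-01", "diagram-server", "home", time(10, 0)))
    print(decide("engineer1", "tablet-07", "diagram-server", "sponsor-site", time(10, 0)))
```

Returning the names of the failed checks alongside the decision gives the remote access log a record of which attribute was out of tolerance for each denied request.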

This practice adds additional granularity to remote access restrictions based upon organization-determined factors. The example factors in the practice are provided to help explain the meaning of ‘risk factors’ as anything that adds additional context to be considered in a determination of whether to grant remote access.

The intent of this practice is to define additional context for allowed remote access and then to enforce it through technical means rather than policy alone.

Source: CMMC v1.02
