Level 5 CMMC - CMMC Practices

AC.5.024  

Reference: CMMC 1.02

Family: AC

Level Introduced: 5

Practice:
Identify and mitigate risk associated with unidentified wireless access points connected to the network.

CMMC Clarification:
This practice can be implemented in a variety of ways. One approach would be to use a Wireless Intrusion Detection System (WIDS), a network device that monitors the radio spectrum for the presence of unauthorized access points. Other approaches are those used to detect and/or block any rogue network device. On the physical security side, unused RJ45 jacks in a facility can be turned off, however, this does not account for repurposing an authorized jack. A more robust solution is to identify authorized devices and create access controls limiting connections to those devices. Each device that is allowed to connect has a profile to include expected physical location that is maintained by the system administrators. This, in turn, facilitates the creation of a device white list which can be used with a port monitoring tool to control connections. Another approach would be the utilization of device detection software that the system administrator uses to establish a device baseline which is periodically compared to new scans using the same software to identify changes, specifically unauthorized additions when compared to the scan result of authorized connected devices.

Example 1
You are a security engineer and the organization has implemented a WIDS. The WIDS detects signals from an unauthorized access point and sends an alert. You investigate and verify the unauthorized access point exists on the network. You work with the network team to block all traffic on the network (both into and out of the access point) until the device can be located and removed.

Example 2
You are a network engineer at your organization. You have noticed that there is a new device on the network that has not been profiled. You use the information from your network diagrams and your tools to identify the office where the port terminates. Using this information, you look in your database and learn that it is normally a printer that plugs into that port. Your network tools do not show the printer on the network. You disable the network port and visit the office. When you arrive, you find that a network printer has been unplugged and an unapproved access point has been plugged into it’s port. The employee in the office says that they needed better wireless access in the office so they brought in the access point from home and plugged it in. You explain that this is against company policy, unplug their access point, and plug the printer back into the port. Returning to your desk, you follow the security incident process for reporting the policy violation before reactivating the network port.

Unidentified and unauthorized wireless access points can be connected to a network by authorized users trying to extend the network or by malicious users. They may allow unauthorized users direct access to an organization’s network. In either case they represent a cybersecurity vulnerability. Organizations must mitigate this vulnerability.

Source: CMMC v1.02

SI-4 (14)

INFORMATION SYSTEM MONITORING | WIRELESS INTRUSION DETECTION

Description:
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

Supplemental Guidance:
Wireless signals may radiate beyond the confines of organization-controlled facilities. Organizations proactively search for unauthorized wireless connections including the conduct of thorough scans for unauthorized wireless access points. Scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems. Related controls: AC-18, IA-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02