
The Importance of Access Control for Supply Chain Companies

Among the Cybersecurity Maturity Model Certification (CMMC) domains, one of the most significant is Access Control. CMMC Level 2 builds on the safeguards established by CMMC Level 1 and includes practices that are crucial to any organization’s cybersecurity, including limiting access to authorized users or devices, encrypting data at various layers within an organization’s infrastructure, and controlling the flow of Controlled Unclassified Information (CUI).


Access Control best practices fit into four distinct categories:


User Privileges, Logon and User Sessions, Remote Access, and Wireless/Mobile Access.


User Privileges

When it comes to data access, not all users should be given the same access. Also, no one user should be solely responsible for overseeing an entire critical task. CMMC guidelines state that users should only be given the access needed to perform their basic job functions. Additionally, only privileged users should be given access to functions that involve controlling, monitoring, or administering the data system and its security measures. CMMC requires that all privileged and non-privileged account activity be monitored, and a log of all privileged usage should be maintained to identify and correct any abuse or misuse.


Logon and User Sessions

Bad actors are constantly exploring and exploiting new ways to gain access to critical systems. The current software used for hacking a system can guess millions of passwords in the blink of an eye, so companies need to maintain situational awareness of any attempts to log into a secure system. If consecutive unsuccessful logon attempts are made, the system should react by locking the account to prevent unauthorized access. Also, it must be possible to lock user sessions, either manually or automatically, if a device or system is unattended or idle. Lastly, after a user session is ended or based on certain conditions, all processes associated with that session should be terminated except those created specifically by the user to continue beyond the session.


Remote Access

In the post-pandemic world, remote work is far more common than it was a few years ago. Every remote access session has the potential to open a company’s network to cyber attacks and unauthorized access. To that end, all remote access sessions should be tightly monitored and controlled to prevent a network or system breach. Additionally, the confidentiality of remote sessions should be ensured through an encryption or Virtual Private Network (VPN) application. CMMC requires that each remote access session be routed through managed access control points. Lastly, the execution of privileged commands and remote access of security-relevant information must be authorized.


Wireless and Mobile Access

Wireless and mobile technology has evolved to the point that it is a critical part of any company’s infrastructure. Since these devices are ubiquitous in the work environment, a company must perform due diligence to ensure that they are used properly so that proprietary data and CUI are protected. Per CMMC guidelines, wireless access should be authorized prior to a connection to a company’s network. Strict authentication and encryption measures must be employed to protect the network when wireless access is granted. Finally, all CUI and proprietary data on mobile devices and mobile computing platforms should be encrypted to prevent unauthorized access.


Strong and consistent access control processes are a must for every small business. There cannot be any gray areas when it comes to systems/file access or privileges - they must be strict and consistently applied. If your company needs more information about Access Control or any other CMMC domains, contact me at snl6700@verizon.net.

 
 
 
