Cooey Wiki - User contributions [en]

SPA Objectives - SIEM Tool

2025-09-25T13:30:54Z

Liatris: Created page with "== When is a SIEM an SPA? == A SIEM is an SPA when it ingests/aggregates logs from one or more CUI assets. == Assessment Objectives to Assess == AU.L2-3.3.1 - SYSTEM AUDITING [c,d,f] * A SIEM will shows audit records are created, contain the defined content, and are retained as defined. AU.L2-3.3.2 - USER ACCOUNTABILITY [b] * The SIEM will show that audit records contain the defined content necessary to trace users to their actions. AU.L2-3.3.4 - AUDIT FAILURE ALERT..."

== When is a SIEM an SPA? ==
A SIEM is an SPA when it ingests/aggregates logs from one or more CUI assets.

== Assessment Objectives to Assess ==
AU.L2-3.3.1 - SYSTEM AUDITING [c,d,f]

* A SIEM will shows audit records are created, contain the defined content, and are retained as defined.

AU.L2-3.3.2 - USER ACCOUNTABILITY [b]

* The SIEM will show that audit records contain the defined content necessary to trace users to their actions.

AU.L2-3.3.4 - AUDIT FAILURE ALERTING [c]

* A SIEM may be able to show that identified personnel/roles are alerted in an audit logging process failure.

AU.L2-3.3.5 - AUDIT CORRELATION [b]

* A SIEM can help show review, analysis, and reporting processes are correlated.

AU.L2-3.3.6 - REDUCTION & REPORTING [a,b]

* A SIEM can be used to show on-demand analysis and reporting of audit logs

AU.L2-3.3.8 - AUDIT PROTECTION [a-f]

* The SIEM will show how audit information and tools are protected from unauthorized access, modification, and deletion.

AU.L2-3.3.9 - AUDIT MANAGEMENT [b]

* The SIEM would need to be shown to demonstrate that a subset of users have access to manage the SIEM.

IR.L2-3.6.1 - INCIDENT HANDLING [c,d]

* A SIEM will likely help support detection and analysis during an incident.

SI.L2-3.14.6 - MONITOR COMMUNICATIONS FOR ATTACKS [a,b,c]

* A SIEM can show that the system, inbound traffic, and outbound traffic are monitored to detect attacks.

SI.L2-3.14.7 - IDENTIFY UNAUTHORIZED USE [b]

* A SIEM will likely show that unauthorized use is identified.

== Assessment Objectives that won't likely be Assessed ==
AU.L2-3.3.3 - EVENT REVIEW

* A SIEM will likely not contain evidence that event types to be logged are reviewed and updated.

AU.L2-3.3.7 - AUTHORITATIVE TIME SOURCE

* No AOs require a SIEM to demonstrate that an authoritative time source is selected and used.

SPA Objectives - Password Manager

2025-09-09T20:41:44Z

Liatris: Flushed out AOs for Password Managers

== When is a Password Manager an SPA? ==
When a password manager is organizationally managed or provisioned for use within the scope of the CUI information system then the password manager should be scoped as an SPA.

When users choose to use a password manager (such as one built-in to their browser on their in-scope computers), then these are not considered an SPA, since the protection of the password is the responsibility of the user, not the organization.

== Assessment Objectives to Assess ==
IA.L2-3.5.10 - CRYPTOGRAPHICALLY-PROTECTED PASSWORDS [a, b]

* Password manager will need to securely store the passwords [a] and securely transmit them [b].

PS.L2-3.9.2 – PERSONNEL ACTIONS [a,b]

* Likely will be a component of the evidence for [a] and [b] but will not be the only evidence for these AOs.

SC.L2-3.13.10 - KEY MANAGEMENT [b]

* May be used to manage cryptographic keys if password manager provides said functionality.

== Assessment Objectives that Don't need to be Assessed ==
IA.L2-3.5.7 – PASSWORD COMPLEXITY [c, d]

* Password complexity is typically enforced on the system containing CUI.

IA.L2-3.5.8 – PASSWORD REUSE [b]

* Password reuse is typically enforced on the system containing CUI.

IA.L2-3.5.9 – TEMPORARY PASSWORDS [a]

* Password manager wouldn't enforce temporary password changes on systems containing CUI, the system containing CUI would do the enforcement.

SPA Objectives - Password Manager

2025-09-09T19:51:49Z

Liatris: Created page in draft form

Objectives to Assess for SPAs

2025-09-09T19:31:23Z

Liatris: Created dead links to make pages when clicked.

The [https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf CMMC Level 2 Scoping Guide] includes a table describing the CMMC Assessment Requirements for each category of asset. For Security Protection Assets the Assessment Requirements are:<blockquote>Assess against Level 2 security requirements that are relevant to the capabilities provided.</blockquote>But what are the relevant security requirements for different types of SPAs? This page will try to answer that question.

== SPA Types ==

* [[SPA Objectives - Password Manager|Password Manager]]
* [[SPA Objectives - SIEM Tool|SIEM Tool]]
* [[SPA Objectives - MFA Provider|MFA Provider]]
* [[SPA Objectives - EDR/XDR Tool|EDR/XDR Tool]]

Main Page

2025-09-09T19:29:40Z

Liatris: Added link to new page

== Main Wiki Pages ==
*[[CMMC Overview]]
*[[Self-Assessment and Certification]] (includes summary of the CAP v2.0!)
*[[CUI]]
*[[Resources and Tools for Compliance]]
*[[Preferred Partners]]
*[[Training and Education]] - (for CCA/CCP/LTP)
*[[FAQ|Frequently Asked Questions]]
*[[Objectives to Assess for SPAs]]

== Hot Topics ==

* [[32 CFR Part 170 Key Takeaways]] (aka "The CMMC Final Rule")
* [[48 CFR Parts 204, 212, 217, and 252 Proposed Rule]]
* CMMC Assessment Procedure (CAP) v2.0
* ESPs, MSPs, CSPs

Objectives to Assess for SPAs

2025-09-09T19:27:53Z

Liatris: Create Page based on Cooey COE discussion

The [https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf CMMC Level 2 Scoping Guide] includes a table describing the CMMC Assessment Requirements for each category of asset. For Security Protection Assets the Assessment Requirements are:<blockquote>Assess against Level 2 security requirements that are relevant to the capabilities provided.</blockquote>But what are the relevant security requirements for different types of SPAs? This page will try to answer that question.

== SPA Types ==

* Password Manager
* SIEM Tool
* MFA Provider
* EDR/XDR Tool

Identifying a Certified Third Party Assessing Organization (C3PAO)

2025-03-01T02:41:13Z

Liatris: Added section on work from home [Please Review]

'''SPA Categorization'''

Some assessors believe that a Security Protection Asset (SPA) includes any systems components that are used in an organizations SSP for supporting evidence. Other assessors only identify an SPA a systems that provide protection to components as stated in the NIST 800-171 publication.

Ask your C3PAO if they expect systems mentioned in the SSP for the purpose of providing evidence to meeting an assessment objective an example of an SPA? Do they believe an SPA has to provide a security function such as a SIEM or EDR? This will impact the level of effort to provide evidence for an assessment.

NIST 800-171 states that “The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components”.

'''Browser used to Access CUI'''

Many organizations are accessing and modifying CUI documents through a web browser but have restricted the ability to download and print. Some DOD components also use the browser for accessing Government information. One example is the Navy using Flank Speed.

However, when opening a document in a browser it does process information on the endpoint. If that endpoint is not part of the organization information system and controlled then it could be a finding.

Some assessors will fail an organization if they are using a browser on an asset that is not controlled others will not. As an alternative there are solutions such as VDI or technologies that provide a pixel representation of a browser that would pass assessment.

If you are using a browser to access CUI ask your assessor if they would fail the organization.

'''CUI at Alternate Worksites (Work From Home)'''

When CUI is physically at alternate work sites (Here we'll focus on work from home/WFH), the CUI needs to be physically protected. The physical protections may include locked filing cabinets, safes, locked briefcases. Some organizations even allow WFH users to print to corporate-issued printers in their home. At some level, the physical security of your home is providing safeguarding for that CUI.

Some assessors will assess the WFH environment remotely, relying on policy/training, user interview, or maybe even demonstration on camera by a WFH user. Other assessors will require a visit on site to a representative WFH environment. Still other assessors won't even assess you if you have CUI at home.

If you allow physical CUI at your user's homes, ask your assessor how they plan to assess your WFH environment, or if they will assess it at all.