Access Control

From Cooey Wiki

Access Control is one of the 14 security families in NIST 800-171 Rev 2, which provides guidelines for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. The Access Control family focuses on limiting access to information systems, applications, and data to authorized individuals and ensuring that only those with appropriate permissions can access sensitive information. This helps prevent unauthorized access, which is critical for maintaining the security and confidentiality of CUI.

Key Access Control Requirements in NIST 800-171 Rev 2:

The Access Control family contains 22 security requirements. These are summarized below.

1. Limit System Access to Authorized Users (3.1.1)

Basic Requirement: Organizations must limit access to information systems to only authorized users, processes acting on behalf of users, and devices.

Key Focus: Ensure that only individuals with the proper credentials and roles can access specific systems or data.

2. Limit Access to the Types of Transactions and Functions (3.1.2)

Basic Requirement: Organizations must limit access to only the specific transactions, systems, and functions that authorized users are permitted to perform based on their role.

Key Focus: Apply role-based access control (RBAC) or similar mechanisms to restrict user access to only the resources needed for their job functions.

3. Control the Flow of CUI (3.1.3)

Derived Requirement: Organizations must control the flow of CUI within their systems and between systems to ensure it is only accessed or transmitted by authorized entities.

Key Focus: Implement measures like encryption, firewall rules, or traffic filtering to ensure that data is not accessible to unauthorized parties or transferred to unauthorized systems.

4. Separate the Duties of Individuals (3.1.4)

Derived Requirement: Organizations must implement the separation of duties to prevent individuals from having too much control or oversight over key functions, which could lead to security vulnerabilities or fraud.

Key Focus: Assign different responsibilities and privileges to multiple personnel to avoid conflicts of interest and reduce the risk of malicious activities.

5. Limit Access to CUI on System Media (3.1.5)

Derived Requirement: Access to CUI stored on system media (such as USB drives, CDs, or printed documents) should be limited to authorized users, and organizations must protect these media from unauthorized access.

Key Focus: Ensure physical and logical access to removable media and printed materials containing CUI is strictly controlled.

6. Control Access to Systems Connected to External Networks (3.1.6)

Derived Requirement: Organizations must control access to their systems, especially when they are connected to external networks or systems outside their organizational control.

Key Focus: Implement strong controls, such as firewalls, VPNs, or proxies, to manage how internal systems interact with external networks and protect against unauthorized access.

7. Use of Identification and Authentication for Remote Access (3.1.7)

Derived Requirement: Organizations must enforce the use of strong identification and authentication mechanisms (e.g., multi-factor authentication) for users accessing systems remotely.

Key Focus: Ensure that remote users are authenticated using more than just a password, such as through multi-factor authentication (MFA).

8. Authorize Remote Execution of Commands and Scripts (3.1.8)

Derived Requirement: Organizations must limit the ability to execute remote commands and scripts to authorized users.

Key Focus: Prevent unauthorized users from executing scripts or commands that could compromise the system or data.

9. Terminate Inactive Sessions (3.1.9)

Derived Requirement: Organizations must configure systems to automatically terminate or lock user sessions after a defined period of inactivity.

Key Focus: Reduce the risk of unauthorized access if a user leaves a session open and unattended.

10. Limit Concurrent Sessions (3.1.10)

Derived Requirement: Limit the number of concurrent sessions an individual can have open on a system.

Key Focus: Prevent misuse of multiple sessions and ensure that users do not bypass access controls through simultaneous logins.

11. Control Access to Mobile Devices (3.1.11)

Derived Requirement: Implement policies to control access to systems and CUI through mobile devices such as smartphones, tablets, and laptops.

Key Focus: Ensure that mobile device usage is secure, including the implementation of encryption and remote wipe capabilities if devices are lost or stolen.

12. Encrypt CUI on Mobile Devices and Removable Media (3.1.19)

Derived Requirement: Protect CUI stored on mobile devices or removable media through encryption or other security measures to prevent unauthorized access.

Key Focus: Encrypt CUI to protect it in case the device or media is lost, stolen, or accessed by unauthorized individuals.

13. Session Lock (3.1.12)

Derived Requirement: Implement a session lock capability that requires users to re-authenticate after the system has been idle for a defined period.

Key Focus: Automatically lock systems during idle periods to prevent unauthorized access.

14. Encrypt Remote Access (3.1.13)

Derived Requirement: Ensure that remote access to information systems is protected by encryption, safeguarding data from being intercepted by unauthorized parties.

Key Focus: Use encryption technologies like VPNs or TLS (Transport Layer Security) for remote access connections.

15. Restrict Access to Privileged Functions (3.1.14)

Derived Requirement: Limit access to privileged functions, such as administrative tasks, to only authorized personnel.

Key Focus: Ensure that users with higher privileges (such as system administrators) have restricted access to sensitive functions based on need.

16. Prevent Non-Privileged Users from Executing Privileged Commands (3.1.15)

Derived Requirement: Ensure that non-privileged users cannot execute privileged commands or functions.

Key Focus: Use strict access control to prevent unauthorized users from gaining administrative control over the system.

17. Control Access to Audit Information (3.1.16)

Derived Requirement: Limit access to audit logs and audit-related information so that only authorized individuals can review them and they are protected from tampering.

Key Focus: Only allow authorized personnel to view and manage audit logs to ensure data integrity and accountability.

18. Separation of User and Privileged Functions (3.1.17)

Derived Requirement: Enforce a separation between regular user activities and privileged operations, ensuring that users with administrative privileges do not use them for everyday tasks.

Key Focus: Limit the use of privileged accounts to only necessary administrative functions.
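The following is an added illustration, not part of the wiki page or of NIST 800-171 itself: a small role-based authorization model that ties together 3.1.2 (limit functions by role), 3.1.4 (separation of duties), 3.1.14/3.1.15 (privileged functions only from privileged accounts) and 3.1.17 (no everyday work from a privileged session). The roles, functions and conflicting-role pairs are constructed sample data, not values from the standard.

```python
"""Role-based authorization with separation-of-duties and privileged-function
checks, modelled on NIST 800-171 Rev 2 requirements 3.1.2, 3.1.4, 3.1.14,
3.1.15 and 3.1.17.  All roles, functions and conflict pairs below are
constructed examples; an organization supplies its own."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role -> permitted functions map (3.1.2: restrict to what the role needs).
ROLE_FUNCTIONS: Dict[str, FrozenSet[str]] = {
    "clerk":    frozenset({"submit_payment", "view_invoice"}),
    "approver": frozenset({"approve_payment", "view_invoice"}),
    "auditor":  frozenset({"view_invoice", "read_audit_log"}),
    "sysadmin": frozenset({"create_account", "change_firewall_rule"}),
}
# Functions that may only run from a privileged (elevated) session (3.1.14, 3.1.15).
PRIVILEGED_FUNCTIONS: FrozenSet[str] = frozenset(
    {"create_account", "change_firewall_rule", "read_audit_log"})
# Roles no single person may hold together (3.1.4: separation of duties).
CONFLICTING_ROLE_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"clerk", "approver"}),    # submitter must not approve their own payment
    frozenset({"sysadmin", "auditor"}),  # administrator must not audit their own actions
}

def separation_violations(roles: Set[str]) -> List[Tuple[str, str]]:
    """Return every conflicting role pair fully present in the assigned role set."""
    return sorted(tuple(sorted(p)) for p in CONFLICTING_ROLE_PAIRS if p <= roles)

def assign_roles(roles: Set[str]) -> Set[str]:
    """Accept a role assignment only if it puts no conflicting duties on one person."""
    violations = separation_violations(roles)
    if violations:
        raise ValueError(f"separation of duties violated: {violations}")
    return set(roles)

def authorize(roles: Set[str], function: str, privileged_session: bool) -> bool:
    """3.1.2: permit a function only when some assigned role grants it.
    3.1.15: a privileged function additionally requires a privileged session.
    3.1.17: a privileged session may not be used for everyday (non-privileged) functions."""
    granted = any(function in ROLE_FUNCTIONS.get(r, frozenset()) for r in roles)
    if not granted:
        return False
    if function in PRIVILEGED_FUNCTIONS:
        return privileged_session
    return not privileged_session
```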

19. Prevent Unauthorized Use of Collaborative Computing Devices (3.1.18)

Derived Requirement: Implement controls to prevent the unauthorized use of collaborative computing devices, such as video or audio conferencing systems, within information systems.

Key Focus: Ensure that shared devices used for collaboration are secured and that only authorized users can access them.

20. Automate Control of Temporary and Emergency Accounts (3.1.20)

Derived Requirement: Automatically manage and control the use of temporary or emergency accounts to ensure they are deactivated when no longer needed.

Key Focus: Ensure that these accounts are monitored and disabled after their purpose has been fulfilled to avoid potential misuse.

21. Disable Inactive Accounts (3.1.21)

Derived Requirement: Disable accounts that are inactive for a specified period to prevent unauthorized use.

Key Focus: Implement automated processes to detect and disable inactive user accounts.
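As an added example that is not part of the wiki page or of the standard, the session and account lifecycle rules from 3.1.9 (terminate idle sessions), 3.1.10 (limit concurrent sessions), 3.1.20 (expire temporary or emergency accounts) and 3.1.21 (disable inactive accounts) can be modelled together. The idle limit, concurrent-session limit and inactivity threshold are assumed organizational values; NIST 800-171 leaves those numbers to the organization.

```python
"""Account and session lifecycle checks modelled on NIST 800-171 Rev 2
requirements 3.1.9 (terminate inactive sessions), 3.1.10 (limit concurrent
sessions), 3.1.20 (expire temporary/emergency accounts) and 3.1.21 (disable
inactive accounts).  Thresholds are assumed values, not numbers from the standard."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed organizational parameters (the standard leaves these to the organization).
SESSION_IDLE_LIMIT = 15 * 60           # seconds idle before a session is terminated (3.1.9)
MAX_CONCURRENT_SESSIONS = 2            # sessions one user may hold at once (3.1.10)
ACCOUNT_INACTIVITY_LIMIT = 90 * 86400  # seconds without a login before disabling (3.1.21)

@dataclass
class Account:
    name: str
    last_login: int                        # epoch seconds of the most recent login
    expires_at: Optional[int] = None       # set only for temporary/emergency accounts (3.1.20)
    enabled: bool = True
    sessions: Dict[str, int] = field(default_factory=dict)  # session id -> last activity time

def reap_idle_sessions(acct: Account, now: int) -> List[str]:
    """3.1.9: terminate sessions idle longer than SESSION_IDLE_LIMIT; return their ids."""
    idle = [sid for sid, last in acct.sessions.items() if now - last > SESSION_IDLE_LIMIT]
    for sid in idle:
        del acct.sessions[sid]
    return idle

def open_session(acct: Account, sid: str, now: int) -> bool:
    """3.1.10: refuse a new session on a disabled account or once the
    concurrent-session limit is reached (idle sessions are reaped first)."""
    reap_idle_sessions(acct, now)
    if not acct.enabled or len(acct.sessions) >= MAX_CONCURRENT_SESSIONS:
        return False
    acct.sessions[sid] = now
    return True

def enforce_account_lifecycle(acct: Account, now: int) -> Optional[str]:
    """3.1.20/3.1.21: disable an expired temporary account or one that has not
    logged in within ACCOUNT_INACTIVITY_LIMIT.  Returns the reason, or None."""
    reason = None
    if acct.expires_at is not None and now >= acct.expires_at:
        reason = "temporary account expired"
    elif now - acct.last_login > ACCOUNT_INACTIVITY_LIMIT:
        reason = "account inactive beyond limit"
    if reason:
        acct.enabled = False
        acct.sessions.clear()  # disabling an account also ends its live sessions
    return reason
```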

22. Control the Use of External Systems (3.1.22)

Derived Requirement: Establish policies and controls to limit the use of external systems (such as personal laptops or non-company networks) for accessing CUI.

Key Focus: Ensure that systems outside the organization’s control cannot access CUI unless authorized and properly secured.

Summary:

Access control in NIST 800-171 Rev 2 emphasizes restricting and managing access to systems and data to ensure only authorized individuals and devices can access CUI. The controls focus on implementing strong authentication, role-based access control, session management, encryption, and least privilege principles, all aimed at minimizing the risk of unauthorized access and ensuring the protection of sensitive information within the organization.