Business Owner’s Guide to CMMC
Ep 4: Access Control
Watch episode 4 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Stay tuned weekly for new episodes containing actionable insights and an overview of each CMMC domain.
BEN: Alright, Dan, so let’s kind of jump into each of these individual domains. But before I do that, is there a reference point that you would, you know, provide to our viewers as a guide? Because obviously we’re not going to spend enough time to dive into all the details here. So, where would you send people to provide guidance on each of these individual categories of security, or domains?
DAN: Well, the group in charge from the DoD is the Cyber AB, and they’ve done a great job of putting together some really good guides. One, which I call the Bible, is something called the CMMC Assessment Guide. It’s a pretty thick little document but what it will do is, it’ll go through for your team and explain each of these domains. It will show exactly what the requirements are. It’s tied back to the NIST requirements that basically are the government’s guides, if you will, to what you need to do. There’s a separate page in this that explains exactly what it is you’re looking for, how you can test for it, how you can interview for it, how you can make sure that you’re enforcing that sort of security control. And if you do that, 110 controls later, you will be 100% CMMC compliant.
BEN: So, Dan, let’s dive into the first domain. Access Control, high level, what is it?
DAN: High level, Access Control is controlling who has access to your systems and your information. It’s not only who, but it’s what systems, what programs. We’re so used to basically having cloud type programs. Does a program running in the cloud gather information or gather data from your systems, or vice versa? It’s controlling access within that. It’s looking at your mobile device. Are you securing the data on that mobile device? What sort of encryption are you using when data’s in transit or whether it’s in storage or if it’s in use? So, it’s all about access.
BEN: Alright, perfect. So, Dan, give me an example of just one of these practices under Access Control and, high level, what these guys need to be thinking about.
DAN: Sure, well let’s reference the Bible. If you go under Access Control within the CMMC Assessment Guide and you say, “let’s control public information.” This is, when you win a contract, do you publish it on your website? Who has access to your Facebook page? What is the process in place for publishing things to your website? Who can do it? Does it have to be approved? What sort of controls are in place? That’s how you basically control access to the important information.
BEN: Right. It’s very interesting, too, because I think a lot of times when people think about Access Control they think specifically about the network and maybe Wi-Fi. But, yeah, it goes all the way down to your social sites and controlling information out there on the public web, and making sure that you have good processes around examining it and reviewing it. So, that’s a great point.