Business Owner’s Guide to CMMC
Ep 8: Identification & Authentication
Watch episode 8 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Stay tuned weekly for new episodes containing actionable insights and an overview of each CMMC domain.
BEN: Alright, identification and authentication. It’s kind of like, you know, giving the ID at the bar when you go in, yeah? It’s been a while since I’ve had to do that by the way.
DAN: That’s right. It’s all about granting access to the right people, to the right systems. So here you have 11 different controls that you’re looking at. Everything from passwords and what’s your policy on reusing that password. We’ve seen it where, honestly, a lot of people use the same thing. I mean, you probably have the name of your pet or your child, followed by one two three and probably the first letter of your password is capitalized. People just naturally will reuse them. I can’t tell you how many places I go in, look underneath the keyboards, and there is a post-it note with the password. These policies address what is the company’s policy on using passwords. Simple things like, when you type it in, can I shoulder surf and find out what you’re using for a password?
BEN: Yeah, and I think eventually this category will mature even further, and it’s starting to. I mean, multi-factor authentication is making some of the password management a little bit less important, I think. You still have to do it, obviously. They say you have to do it. But we think that there’s just too many ways that these guys are sophisticated and can get the password. You have to have that second form of authentication to really secure an environment. And then we also very much limit what a user can do from a privilege standpoint. So, just not getting server-level access if you’re a user, for instance. So yeah, there’s passwords, using multi-factor authentication, and then really being intelligent about how you layer in your security, based on privileges and where you can get in the environment.
DAN: I think you’ll see this evolve. Right now the controls in place are what we currently have. It’s the passwords, making sure we encrypt when we send them things like this. But just peel it back. Let’s step out of our DOD space. In real life, I can’t log into my bank without getting a second call to enter the code from my phone. You look at what Apple’s doing right now, they have the facial recognition. Biometric. Right there, that’s your second form of authentication. Even if they get my password, I’m still secure. My system access, my authentication, is secure. And that’s what we’re bringing it into with these controls.