Companies that work with the Department of Defense (DoD) in contractor or vendor roles need to meet certain security thresholds. These have been defined in the Defense Federal Acquisition Regulation Supplement (DFARS). The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework to guide companies’ DFARS adherence, including NIST Access Control requirements: Special Publication (SP) 800-171.
NIST Access Control Requirements and Best Practices
Access Control is one of 14 Requirement Families within the SP 800-171 framework. Like all other Families, the Access Control Family’s requirements break down into two categories:
- Basic Security Requirements
- Derived Security Requirements
NIST access control best practices begin with understanding the Requirements inside and out, but DoD contractors should also prepare for other required controls beyond NIST SP 800-171.
NIST Access Control Basic Security Requirements
For each NIST SP 800-171 Requirement Family, the Basic Requirements establish its overall aim or focus. All Families comprise at least one. Access Control, the first Family, comprises two:
- 3.1.1 – Limit access to systems to only authorized users, processes, or devices.
- 3.1.2 – Limit access to systems to only functions that authorized users may execute.
NIST SP 800-171 is a flexible framework. There are discussion sections under all controls that explain various methods for satisfying them. For these two, best practices include access-based or role-based policies for 3.1.1 and various definitional choices for access privileges for 3.1.2.
Implementing robust identity and access management (IAM) can meet or exceed these Requirements, along with the Derived Requirements below.
NIST Access Control Derived Security Requirements
Most NIST SP 800-171 Families also comprise Derived Security Requirements, which spell out more specific and complex controls companies should implement. Access Control is the largest Family, with 20 Derived Requirements. These break down as follows:
- 3.1.3 – Control flow of Controlled Unclassified Information (CUI) through approval.
- 3.1.4 – Separate the duties of individuals to reduce the risk of harmful activity carried out without collusion.
- 3.1.5 – Employ the “least privilege” principle for all accounts (including privileged ones).
- 3.1.6 – Utilize non-privileged accounts for all functions that do not require privileges.
- 3.1.7 – Prevent the execution of privileged functions from users without privileges; capture any non-privileged execution of privileged functions in security audit logs.
- 3.1.8 – Limit the number of times any user can attempt to log in unsuccessfully.
- 3.1.9 – Notify stakeholders of privacy and security rights per applicable CUI rules.
- 3.1.10 – Utilize session locks and pattern-hiding displays after periods of inactivity.
- 3.1.11 – Define conditions upon which access sessions are automatically terminated.
- 3.1.12 – Closely monitor and tightly control all access sessions conducted remotely.
- 3.1.13 – Protect the confidentiality of remote access sessions using cryptographic keys.
- 3.1.14 – Ensure all remote access sessions are routed through access control points.
- 3.1.15 – Authorize all remote access of security-relevant data and privileged commands.
- 3.1.16 – Authorize all wireless access privileges before enabling wireless connections.
- 3.1.17 – Utilize authentication and encryption to protect all wireless access sessions.
- 3.1.18 – Control all mobile device connections to networks containing sensitive data.
- 3.1.19 – Encrypt all CUI for processing on any mobile devices or computing platforms.
- 3.1.20 – Verify and control the amount and variety of connections to external systems.
- 3.1.21 – Limit the overall usage of all portable devices connected to external systems.
- 3.1.22 – Tightly control all posting or processing of CUI on publicly accessible systems.
As with the Basic Requirements, there is a great deal of flexibility in how companies demonstrate adherence. The discussion sections for each Requirement explain methods and best practices companies may employ.
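How a few of these Derived Requirements translate into enforcement logic is easier to see in code. The following is an added example written for this page (not from NIST SP 800-171 or RSI Security): a small reference monitor that applies role-based function limits (3.1.2, 3.1.5), denies and logs privileged functions requested by non-privileged users (3.1.7), and locks an account after a constructed threshold of failed logons (3.1.8); the role names, function names, credential tokens and threshold are assumptions.

```python
"""Reference monitor sketch for several SP 800-171 Access Control requirements (example
code written for this page, not NIST or RSI Security code; roles, function names,
credential tokens and the lockout threshold are constructed values)."""
import hmac
from dataclasses import dataclass, field

MAX_FAILED_LOGONS = 3  # 3.1.8: constructed threshold; organizational policy sets the real one
PRIVILEGED = {"export_cui", "change_acl"}  # 3.1.7: functions reserved for privileged roles
ROLE_FUNCTIONS = {  # 3.1.2 / 3.1.5: each role receives only the functions its duties require
    "analyst": {"read_cui"},
    "admin": {"read_cui", "export_cui", "change_acl"},
}

@dataclass
class Account:
    user: str
    role: str
    credential: str  # stands in for whatever authenticator is actually deployed
    failed: int = 0
    locked: bool = False

@dataclass
class Monitor:
    accounts: dict
    audit_log: list = field(default_factory=list)

    def logon(self, user: str, credential: str) -> bool:
        """3.1.1 / 3.1.8: admit only known, unlocked users; lock after repeated failures."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            self.audit_log.append(f"LOGON_DENIED user={user}")
            return False
        if not hmac.compare_digest(credential.encode(), acct.credential.encode()):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_LOGONS:
                acct.locked = True
                self.audit_log.append(f"ACCOUNT_LOCKED user={user}")
            return False
        acct.failed = 0  # successful logon resets the failure counter
        return True

    def invoke(self, user: str, function: str) -> bool:
        """3.1.2 / 3.1.7: permit only role-authorized functions; log denied privileged calls."""
        acct = self.accounts.get(user)
        allowed = (acct is not None and not acct.locked
                   and function in ROLE_FUNCTIONS.get(acct.role, set()))
        if not allowed and function in PRIVILEGED:
            self.audit_log.append(f"PRIV_FUNC_DENIED user={user} func={function}")
        return allowed
```

The audit_log entries are the evidence an assessor would look for under 3.1.7 and 3.1.8; in a real deployment they would go to the organization’s central logging rather than an in-memory list.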
NIST to CMMC Access Control Requirement Mapping
Companies that currently need to comply with DFARS and NIST regulations will soon need to adopt the Cybersecurity Maturity Model Certification (CMMC) framework. The CMMC compiles controls from DFARS, NIST SP 800-171, and other regulations into a single, streamlined system. It allows for a gradual implementation of its 171 Practices across its five Maturity Levels.
The CMMC comprises 17 Domains that correspond to NIST’s Requirement Families, and the first one is titled Access Control (AC). The AC Controls across CMMC Maturity Levels include:
- CMMC Level 1 AC – Four AC controls constituting “basic cyber hygiene,” together with the other 13 Level 1 Practices—all Processes must be Performed, but not measured.
- CMMC Level 2 AC – Ten AC controls constituting “intermediate cyber hygiene,” together with the other 45 Level 2 Practices—all Processes must be documented formally.
- CMMC Level 3 AC – Eight AC controls constituting “good cyber hygiene,” together with the other 50 Level 3 Practices—all Processes must be actively managed.
- CMMC Level 4 AC – Three AC controls constituting “proactive” security, together with the other 23 Level 4 Practices—all Processes must be reviewed regularly.
- CMMC Level 5 AC – One AC control constituting “advanced / progressive” security, together with the other 14 Level 5 Practices—all Processes must be optimized.
NIST Access Control Best Practices for DoD Contractors
For any company looking to achieve or maintain preferred contractor status with the DoD, DFARS and NIST compliance are necessary. The absolute best practice is working with a qualified compliance partner, such as RSI Security. Our experts have helped countless companies gain lucrative DoD contracts for over a decade.
We’ll help you rethink your approach to NIST access control requirements, including future-proofing for CMMC mapping. Contact us today to start!