Cybersecurity Maturity Model Certification (CMMC) is a unified standard developed by the U.S. Department of Defense (DoD). CMMC’s purpose is to enhance the cybersecurity posture of the Defense Industrial Base (DIB) and protect sensitive data. It sets forth a framework that contractors and subcontractors must follow to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
The latest iteration of the DoD’s CMMC cybersecurity model is the CMMC 2.0 program. Once CMMC 2.0 completes the rule making process, likely in 2025, the DoD intends to require CMMC 2.0 compliance as a condition for awarding contracts.
CMMC 2.0 streamlines requirements, simplifying to three instead of five levels of cybersecurity. At each level, CMMC 2.0 also aligns requirements more closely with the familiar NIST cybersecurity standards, such as NIST 800-53 and NIST-800-171.
Overall, CMMC 2.0 puts a strong focus on access controls and multi-factor authentication (MFA) as essential to protecting sensitive data.
IS Decisions’ software UserLock and FileAudit directly address high-priority security control baselines across all levels in CMMC 2.0, including:
- Access controls (AC)
- Audit and accountability (AU)
- Identification and authentication (IA)
- System and information integrity (SI)
Access Control (AC)
- AC.L1-3.1.1 Authorized access control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- AC.L1-3.1.2 Transaction & function control: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L2-3.1.7 Privileged functions: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- AC.L2-3.1.5 Least privilege: Employ the principle of least privilege, including for specific security functions and privileged accounts.
With UserLock, the administrator can set granular, contextual access restrictions based on factors like IP address, time, machine, session type, or session type. UserLock also allows administrators to set access policies for different types of employees, by user, group or organizational group (OU) in line with least privilege principles. In other words, you can prove your users only have access to the information they need to do their job. UserLock also allows administrators to record and report on all user connection events thanks to a central audit across the whole network.
- AC.L2-3.1.10 Session lock: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
- AC.L2-3.1.8 Unsuccessful logon attempts: Limit unsuccessful logon attempts.
- AC.L2-3.1.11 Session termination: Terminate (automatically) a user session after a defined condition.
Any logon attempts that don’t satisfy your login restrictions are automatically blocked. Administrators also can review and immediately block any suspect user accounts with one click. This denies all further logon attempts and closes any existing sessions. They can also set an automatic forced logoff, on all locked or open machines, after a certain idle time. This includes remote desktop sessions opened by the domain user.
- AC.L2-3.1.12 Control remote access: Monitor and control remote access sessions.
UserLock also helps administrators manage and secure access for all users (remote or on-premises), without getting in employees’ way or creating more work for the IT department.
If your remote users aren’t connected to the corporate domain or don’t use a VPN, UserLock enables MFA for remote working, and also ensures your access restrictions are still applied. And the same goes if a remote user doesn’t have an internet connection – your restrictions still apply thanks to UserLock’s offline MFA and access restrictions.
To easily monitor or report on remote sessions, you can filter the session history view to see all remote sessions, in real-time or by date.
Audit and Accountability (AU)
- AU.L2-3.3.1 System auditing: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- AU.L2-3.3.2 User accountability: Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
UserLock monitors, records, and reports on every user access event and logon attempt to a Windows domain network.
In the UserLock dashboard, administrators can also access and easily filter through detailed and customizable reports to prove compliance and support forensic investigations.
And, you can also drill down to see individual user access event reports. This helps administrators trace user access at all times, and making users accountable for any activity — whether malicious or not.
- AU.L2-3.3.8 Audit protection: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
- AU.L2-3.3.9 Audit management: Limit management of audit logging functionality to a subset of privileged users.
UserLock helps control administrator actions, with granular controls on permission rights for privileged users. Access to the different features is split on two privileges: “Read,” to display the section information, and “Write,” which authorizes modifications.
UserLock’s administrator actions reports also record and track administrator actions.
- AU.L2-3.3.3 Event review: Review and update logged events.
- AU.L2-3.3.5 Audit correlation: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
- AU.L2-3.3.6 Reduction & reporting: Provide audit record reduction and report generation to support on-demand analysis and reporting.
Both UserLock and FileAudit support compliance with extensive logs and reporting capabilities.
UserLock offers filterable reports on all user access events, including MFA events. Admins can easily review these reports in the UserLock dashboard, and powerful filters make it simple to focus only on the information needed. Reports can be sent via email to relevant parties for ongoing reporting or compliance purposes.
FileAudit provides a centralized audit log of all file access events by user and also tracks and reports on NTFS permissions. In other words, administrators can access reports that answer who did what, and when, for all of your Windows file servers, files, folders, and data in cloud storage. As with UserLock, all FileAudit reports can be sent via email to relevant parties for ongoing reporting or compliance purposes.
Identification and Authentication
- IA.L1-3.5.2 Authentication: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- IA.L2-3.5.3 Multifactor authentication: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
UserLock makes it easy to verify the identity of all Active Directory accounts, whether privileged or non-privileged, and secure access to your network with straightforward MFA for CMMC on Windows logon, RDP, RD Gateway, RemoteApp, VPN, VDI and SaaS connections.
There are two edit modes available for modifying the MFA settings. Make sure to read the documentation for the use case for each type of session to ensure users will receive an MFA prompt.
- All session types at once: By selecting this option, you can apply the same policy for all session types that are protected by UserLock.
- By session type: Select this option to apply different MFA policies for each session type.
You can also apply MFA by connection type.
For each session type, you can choose how often to prompt your users with MFA.
System and information integrity (SI)
- SI.L2-3.14.7 Identify unauthorized use: Identify unauthorized use of organizational systems.
Both UserLock and FileAudit monitor and record denied accesses.
For example, if a person attempts to log into one of your Active Directory accounts from overseas, but you’ve blocked all logons that originate from outside your organization’s home country, that logon will be denied.
In the case of FileAudit, if a user tries to access a file they don’t have permissions to view, FileAudit alerts the administrator and records the attempt. You can also set up automated scripts to deny access immediately.
