We’ve spoken with our customers and have learned that there is interest in CMMC domains. Therefore, over the next few weeks, we will be publishing a series of blogs on those domains that focus on what to look out for and best practices.
Based on popular demand, let's first talk about the Audit and Accountability domain. Imagine this: an auditor arrives, ready to assess how you protect Controlled Unclassified Information (CUI). Your heart sinks. You know your systems are vulnerable, your logs are a mess, and your policies are outdated. This is the harsh reality for many manufacturers facing CUI compliance audits. So, let us help you understand the nine controls this domain addresses and the policies and procedures each one calls for.
Control 3.3.1 requires manufacturers to create and retain system audit logs and records, to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Best practice: Identify the logs produced by each system used in the facility. The main sources include computers, phones, email servers, ERP, and collaboration tools such as Microsoft® Office or Zoom. The easiest way to capture all system audit logs is through a log server. A log server aggregates copies of the logs in one authoritative location, which preserves their integrity: an attacker who compromises a single host can no longer quietly alter or delete that host's own history. Define and document how long the logs are retained.
Control 3.3.2 requires manufacturers to ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
Best practice: Use technology that can trace activity back to individual users rather than shared accounts, and eliminate shared logins wherever possible. The technology should capture host, network, and user logs and answer questions such as when employees logged in and out and what they were doing while logged in.
Control 3.3.3 requires manufacturers to review and update the set of events that is logged. Which events matter changes as systems, threats, and business processes change, so the logging configuration itself must be revisited on a regular schedule, not set once and forgotten.
Best practice: Assign named individuals to own the logging configuration and to create action items such as alerts, reports, and triggers within these logs. A Security Information and Event Management (SIEM) tool can help identify and prioritize items that need to be actioned, and its rule set is a natural place to record which events you have decided to log and why. Document these processes and the review schedule well in advance of the audit, so there is time for final testing.
Control 3.3.4 requires manufacturers to alert in the event of an audit logging process failure, for example a log source that stops reporting, a forwarder that crashes, or a log server that runs out of disk space.
Best practice: Have dashboards and reports that are monitored daily, and where possible automate the alert rather than relying on someone to notice. Small fluctuations in volume are normal, but a steep decline in logs for the day, or a source that has gone silent entirely, is a clear sign that the logging process has failed and needs action.
Control 3.3.5 requires manufacturers to correlate audit record review, analysis, and reporting processes so that indications of unlawful, unauthorized, suspicious, or unusual activity are investigated and responded to. One of the most important controls in the domain, it forces manufacturers to have a ready response to potential cybersecurity breaches.
Best practice: Manufacturers need to define what counts as suspicious or unusual activity. For example, is an employee logging on at an unusual time, or from a location they have never used? Once such an activity is detected, what does the manufacturer do about it, and who decides? A best practice is also to clearly define who will report such an activity to law enforcement and what evidence they need to bring.
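The two detections described under 3.3.4 and 3.3.5 above, as an added example that is not part of the original post and not a product feature: a short Python script that runs both checks over a constructed sample of log lines. The log format, host names, user names, and thresholds (a 50% daily volume drop, 07:00 to 18:59 on weekdays as normal hours) are assumptions for the illustration, not values prescribed by CMMC.

```python
"""Two audit-log checks over a constructed sample (not real log data).

volume_drop_alerts  -> 3.3.4: a host whose daily record count collapses, or
                       that stops reporting entirely, is a logging failure.
unusual_login_alerts -> 3.3.5: LOGIN events outside working hours or on
                       weekends are "unusual activity" worth a human look.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. Assumed format for this example:
# "<ISO-8601 timestamp> <host> <event> user=<account>"
SAMPLE_LOGS = """\
2024-03-04T08:02:11 erp-01 LOGIN user=jdoe
2024-03-04T08:03:40 erp-01 FILE_READ user=jdoe
2024-03-04T09:15:02 erp-01 LOGIN user=asmith
2024-03-04T17:55:21 erp-01 LOGOUT user=jdoe
2024-03-04T08:10:00 fw-01 CONNECT user=-
2024-03-04T12:30:00 fw-01 CONNECT user=-
2024-03-04T16:00:00 fw-01 CONNECT user=-
2024-03-05T02:13:44 erp-01 LOGIN user=jdoe
2024-03-05T08:01:03 erp-01 LOGIN user=asmith
2024-03-05T11:47:19 erp-01 FILE_WRITE user=asmith
2024-03-05T17:30:00 erp-01 LOGOUT user=asmith
2024-03-05T08:30:00 fw-01 CONNECT user=-
2024-03-05T12:45:00 fw-01 CONNECT user=-
2024-03-05T16:10:00 fw-01 CONNECT user=-
2024-03-06T08:05:17 erp-01 LOGIN user=asmith
2024-03-09T10:05:00 erp-01 LOGIN user=admin
"""

# Tuning knobs: assumed values for the example, not prescribed by CMMC.
DROP_THRESHOLD = 0.5       # alert when a host's daily volume is <= half of the prior day
WORK_HOURS = range(7, 19)  # 07:00-18:59 local time is considered normal
WORKDAYS = range(0, 5)     # Monday (0) through Friday (4)


def parse_logs(text):
    """Parse the sample format into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("user="):
            continue
        records.append({
            "ts": datetime.fromisoformat(parts[0]),
            "host": parts[1],
            "event": parts[2],
            "user": parts[3][len("user="):],
        })
    return records


def daily_counts(records):
    """Map host -> {date -> number of records seen that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["host"]][r["ts"].date()] += 1
    return counts


def volume_drop_alerts(records, threshold=DROP_THRESHOLD):
    """3.3.4: compare each host's count against the previous observed day.

    Returns (host, day, before, after) tuples. A host that went completely
    silent shows up with after == 0, which is the most important case.
    """
    counts = daily_counts(records)
    days = sorted({r["ts"].date() for r in records})
    alerts = []
    for host, per_day in counts.items():
        for prev, cur in zip(days, days[1:]):
            before, after = per_day.get(prev, 0), per_day.get(cur, 0)
            if before == 0:
                continue  # nothing to compare against
            if after / before <= threshold:
                alerts.append((host, cur.isoformat(), before, after))
    return sorted(alerts)


def unusual_login_alerts(records):
    """3.3.5: flag LOGIN events outside working hours or on weekends."""
    alerts = []
    for r in records:
        if r["event"] != "LOGIN":
            continue
        ts = r["ts"]
        if ts.hour not in WORK_HOURS or ts.weekday() not in WORKDAYS:
            alerts.append((r["user"], r["host"], ts.isoformat()))
    return alerts


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for host, day, before, after in volume_drop_alerts(recs):
        print(f"LOGGING FAILURE? {host} on {day}: {before} -> {after} records")
    for user, host, when in unusual_login_alerts(recs):
        print(f"UNUSUAL LOGIN: {user} on {host} at {when}")
```

In the sample, fw-01 stops reporting on 2024-03-06 and erp-01 drops from four records to one, so both trigger the 3.3.4 check; jdoe's 02:13 login and admin's Saturday login trigger the 3.3.5 check. In production the same logic would run inside the SIEM or log server on the aggregated feed, and the thresholds would be tuned per source, since a firewall and an ERP system have very different normal volumes.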
Control 3.3.6 requires manufacturers to provide audit record reduction and report generation to support on-demand analysis and reporting. Raw logs are large and noisy, and important security events can easily get lost in them.
Best practice: Use a centralized log server and a SIEM to filter, normalize, and summarize log data so that action items are easy to identify, and so that a report covering a given user, system, or time window can be produced on demand when an auditor or investigator asks for it.
Control 3.3.7 requires a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. The goal is to accurately report who did what, and when, on each tracked device. Time stamps are an essential part of the evidence needed during audits and investigations to reconstruct events that span multiple systems; if two clocks disagree by a few minutes, the order of events across those systems cannot be trusted.
Best practice: Specify the same authoritative time source (typically an internal NTP server that itself synchronizes to a trusted external source) across all of your infrastructure, record time stamps in UTC or with an explicit offset, and monitor for hosts whose clocks drift, in order to maintain forensically sound logs.
Control 3.3.8 requires manufacturers to protect audit information and audit logging tools from unauthorized access, modification, and deletion. In practice this means applying the principle of least privilege to the logs themselves.
Best practice: Use systems that allow permissions to be assigned per role and implement separation of duties. This way, different roles have distinct responsibilities and can hold each other accountable. Whether it is auditing or remediation, the same employees should not be both auditing and then fixing, or both scanning and patching. The aim is that no one, including administrators of the systems being logged, can modify or delete audit records to cover mistakes or malicious activity; forwarding logs to a server those administrators cannot write to is the usual way to achieve this.
Control 3.3.9 is the last control in this domain, and it requires manufacturers to limit management of audit logging functionality to a subset of privileged users, so that the logging configuration cannot be switched off or altered by just anyone with access to a system. This control goes hand in hand with the separation of duties mentioned above.
Best practice: Use separate accounts for administration of the system and for performing day-to-day work activities. Administrative accounts should never be used for routine work tasks, and the small group of people permitted to change logging settings should be named in your documentation and reviewed periodically.
Take control, challenge the status quo, and ensure your CUI data remains safe and secure by following along with this series. In our next blog, we will dive into the Identification and Authentication domain. We will continue to share best practices and give manufacturers the tools they need to implement these controls confidently and properly.