3.1.13 has a weight of -5 points

(Access Control Family) 13/22

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.


Example of System Security Plan (SSP):

System Security Plan (SSP) for [Company Name]

Date: [Insert Date]

1. Introduction

This SSP outlines the cryptographic mechanisms employed by [Company Name] to secure remote access sessions, focusing on ensuring the confidentiality and integrity of Controlled Unclassified Information (CUI). The plan encompasses the use of modern encryption methods that comply with federal standards.

2. Cryptographic Mechanisms

2.1 Wi-Fi Networks

  • WPA2 and WPA3: Both of these Wi-Fi Protected Access methods use FIPS 140-2 validated encryption, ensuring the security of wireless connections within the organization.

2.2 Remote Access Sessions

  • VPN Connections: All remote access sessions, including VPNs, are encrypted with FIPS 140-2 validated cryptography. There is no non-encrypted method to connect to the network remotely, providing a secure connection environment.

3. Cloud Compliance and CUI Storage

3.1 Microsoft GCC High Compliance

  • If Microsoft GCC High is utilized for cloud services, compliance with FIPS 140-2 validated encryption is assured.

4. Responsibilities

  • IT Department: Responsible for implementing and maintaining cryptographic measures.
  • Employees: Adhere to the defined policies and use only approved encrypted connections.

5. Review and Updates

Ongoing monitoring, audits, and necessary revisions will be conducted to ensure compliance with relevant standards and effectiveness in safeguarding remote access sessions.

6. Approval

This SSP is approved by: [Name, Title]

Signature:________________________ Date: _______________

Example of Plan of Action and Milestones (POA&M):

Plan of Action and Milestones (POA&M) for [Company Name]

Date: [Insert Date]

1. Introduction

This POA&M outlines the specific steps and timelines [Company Name] will follow to implement, evaluate, and continuously monitor the cryptographic mechanisms that protect the confidentiality of remote access sessions.

2. Action Items

2.1 Implement FIPS 140-2 Encrypted Wi-Fi Networks

  • Status: In Progress/Completed
  • Action Steps: Implement WPA2 and WPA3 across all wireless networks.
  • Target Completion Date: [Insert Date]
  • Responsible Party: IT Department

2.2 Encrypt All Remote Access Sessions

  • Status: In Progress/Completed
  • Action Steps: Configure all remote access points, including VPNs, to utilize FIPS 140-2 encryption.
  • Target Completion Date: [Insert Date]
  • Responsible Party: IT Department

2.3 Verify Cloud Providers’ Compliance

  • Status: In Progress/Completed
  • Action Steps: Validate FIPS 140-2 compliance with Microsoft GCC High and any other cloud providers where CUI is stored.
  • Target Completion Date: [Insert Date]
  • Responsible Party: Compliance Team

3. Ongoing Monitoring and Updates

  • Status: Ongoing
  • Action Steps: Regular reviews, monitoring, and updates to ensure alignment with relevant standards, including periodic checks with cloud providers.
  • Target Completion Date: Continuous
  • Responsible Party: IT Department, Compliance Team

4. Approval

This POA&M is approved by: [Name, Title]

Signature:________________________ Date: _______________

Please note that the specifics of this POA&M would need to be tailored to your organization’s exact needs, timelines, and responsible parties. It’s meant to act as a roadmap for implementing the necessary security measures outlined in the SSP, and it would typically be developed in close collaboration with the stakeholders responsible for these areas.
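The periodic checks in POA&M item 3 can be partly automated. The script below is an added example, not part of the SSP or POA&M template: it walks a constructed inventory of remote-access entry points, tests each against a FIPS 140-2 approved-algorithm allow-list (AES variants approved; RC4-based WEP, TKIP and MPPE not), and emits a POA&M item for every gap, including the case where an approved cipher exists but an unencrypted fallback is still permitted. The inventory record layout and the asset names are assumptions.

```python
"""Audit remote-access entry points for control 3.1.13 (added example, not the template's own)."""
from dataclasses import dataclass

# Symmetric ciphers a FIPS 140-2 validated module may use for session confidentiality.
FIPS_APPROVED_CIPHERS = {
    "AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC",
    "AES-CCMP",      # WPA2 / WPA3-Personal
    "AES-GCMP-256",  # WPA3-Enterprise 192-bit mode
}


@dataclass
class RemoteAccessPoint:
    """One row of the asset inventory (record layout is an assumption)."""
    name: str
    kind: str                 # "vpn", "wifi", "rdp", ...
    cipher: str               # cipher the device negotiates for sessions
    encryption_required: bool  # False if a plaintext fallback is still allowed


def assess(ap: RemoteAccessPoint) -> tuple[bool, str]:
    """Return (compliant, reason) for a single entry point."""
    if not ap.encryption_required:
        # The SSP states there is no non-encrypted way in; any fallback breaks that claim.
        return False, "unencrypted connections permitted"
    if ap.cipher.upper() in FIPS_APPROVED_CIPHERS:
        return True, "FIPS-approved cipher"
    return False, f"cipher {ap.cipher} is not FIPS 140-2 approved"


def poam_items(inventory: list[RemoteAccessPoint]) -> list[dict]:
    """Turn every non-compliant entry point into an open POA&M action item."""
    items = []
    for ap in inventory:
        ok, reason = assess(ap)
        if not ok:
            items.append({
                "control": "3.1.13", "asset": ap.name, "weakness": reason,
                "action": f"Reconfigure {ap.name} ({ap.kind}) to require a FIPS 140-2 validated cipher",
                "status": "Open", "responsible": "IT Department",
            })
    return items


# Constructed sample inventory; these are not real systems.
SAMPLE_INVENTORY = [
    RemoteAccessPoint("hq-vpn-01", "vpn", "AES-256-GCM", True),
    RemoteAccessPoint("branch-wifi", "wifi", "TKIP", True),        # RC4-based, not approved
    RemoteAccessPoint("legacy-pptp", "vpn", "MPPE-128", True),     # RC4-based, not approved
    RemoteAccessPoint("jump-rdp", "rdp", "AES-128-CBC", False),    # good cipher, plaintext fallback
]

if __name__ == "__main__":
    for item in poam_items(SAMPLE_INVENTORY):
        print(item)
```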


RELEVANT INFORMATION:

Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.