3.1.19 has a weight of -3 points
(Access Control Family) 19/22
Encrypt CUI on mobile devices and mobile computing platforms
Example of System Security Plan (SSP):
- System Security Plan (SSP)
Organization: [Organization Name]
System Name: Mobile Device and Computer Encryption System
Date: [Date]
1. Introduction
This System Security Plan details the encryption measures and policies put in place to ensure that all devices, particularly those within the mobile device organizational unit, are protected against unauthorized access and potential data breaches.
2. System Description
The system encompasses all connected devices, including but not limited to desktop computers, laptops, and mobile devices. It specifies encryption standards and practices for devices that are part of or have access to Controlled Unclassified Information (CUI).
3. Device Encryption Policy
3.1. BitLocker in FIPS Mode: All devices within the mobile device organizational unit are mandated to activate BitLocker in FIPS mode. T
3.2. Group Policy Management: Encryption policies are managed through Group Policy and applied to members of specific organizational units in the Active Directory.
3.3. Device Access to CUI: All devices that have access permissions to CUI must adhere to the BitLocker Group Policy, ensuring encryption across all devices, not limited to mobile ones.
4. Mobile Device Encryption and Verification
4.1. IT Verification: All company-owned mobile devices with clearance to access CUI are subjected to a verification process by the IT department.
4.2. Encryption Standards: Devices must be encrypted either straight from the factory or using approved aftermarket solutions to gain CUI access clearance.
Signatures:
IT Manager: ____________________ Date: _______
Security Officer: ____________________ Date: ______
Example of Plan of Action and Milestones (POA&M):
1. Vulnerability: Non-compliant Devices
- Description: Devices that are yet to adhere to the BitLocker in FIPS mode requirement.
- Action: Perform a system-wide audit to identify and update non-compliant devices.
- Timeline: 3 months from the date of this SSP.
- Responsible Party: IT Department.
2. Vulnerability: Outdated Encryption Standards
- Description: Devices using encryption standards that do not meet the current policy.
- Action: Update all devices to the approved encryption standards. Retire devices that do not support these standards.
- Timeline: 6 months from the date of this SSP.
- Responsible Party: IT Department in collaboration with the Security Office.
3. Vulnerability: Unauthorized Access to CUI
- Description: Potential risk of unauthorized devices accessing CUI.
- Action: Review and update access controls, ensuring only verified devices can access CUI.
- Timeline: 2 months from the date of this SSP.
- Responsible Party: IT Department and Security Office.
4. Vulnerability: Inadequate IT Verification Process
- Description: Inefficiencies or oversights in the IT verification process for mobile devices.
- Action: Review and enhance the IT verification process to ensure all devices accessing CUI are adequately verified.
- Timeline: 4 months from the date of this SSP.
- Responsible Party: IT Department.
5. Vulnerability: Non-standard Aftermarket Solutions
- Description: Use of non-approved aftermarket encryption solutions.
- Action: Audit to identify devices with non-approved solutions and update them to use organization-approved encryption solutions.
- Timeline: 5 months from the date of this SSP.
- Responsible Party: IT Department.
Microsoft BitLocker:
BitLocker is a full disk encryption feature included with Microsoft Windows versions starting with Windows Vista. It’s designed to protect data by providing encryption for entire volumes. By doing so, BitLocker helps to ensure that data stored on a computer is not accessed or modified by unauthorized individuals.
Turning on BitLocker for a drive on a Windows computer involves several steps. Here’s a general guide to enable BitLocker on your drive:
- Check System Requirements:
  - Ensure your computer has a Trusted Platform Module (TPM) chip. Most modern PCs come with a TPM. BitLocker typically requires TPM version 1.2 or later.
  - Your hard drive should have at least two partitions: a system partition (which contains the necessary files to start Windows) and an operating system partition (which contains Windows, your programs, and user data).
- Start BitLocker:
  - Open File Explorer.
  - Right-click on the drive you want to encrypt (typically the C: drive) and select Turn on BitLocker.
- Unlock Method:
  - Choose how you want to unlock your drive during startup:
    - Insert a USB flash drive: Save a startup key on a USB drive.
    - Enter a password: Use a password to unlock the drive.
  - Click Next after making your choice.
- Backup Your Recovery Key:
  - You’ll be given a recovery key that can be used to unlock your drive if you forget the password or if the system doesn’t recognize your drive. You can save this key to your Microsoft account, a USB flash drive, a file, or print it.
  - It’s essential to save this key securely, as it’s your only way to access your data if there are issues with the normal unlock method.
- Choose Encryption Option:
  - You’ll have two options:
    - Encrypt used disk space only (faster and best for new PCs and drives): This will only encrypt sectors of your hard drive that have data.
    - Encrypt entire drive (slower but best for PCs and drives already in use): This encrypts the entire drive, including parts without data.
  - Choose the option that best fits your needs and click Next.
- Choose Encryption Mode:
  - You might be presented with an option to choose between new encryption mode and compatible mode. The new encryption mode is more secure and recommended for internal drives. Compatible mode is best if you expect to move the drive to older versions of Windows.
- Start Encryption:
  - Click Continue and confirm any prompts.
  - Restart your computer if prompted. After the restart, BitLocker will begin encrypting your drive. This can take a while, especially if you have a large drive with lots of data.
- Check Encryption Status:
  - You can check the encryption progress by hovering over the BitLocker icon in the system tray. Once encryption is complete, you’ll need to use your chosen unlock method (password or USB drive) to access your drive every time your computer starts up.
Note: Ensure you always have backups of your essential data, especially when making changes like encrypting your drive.
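The following PowerShell audit is an added example, not code from this page or from Microsoft's BitLocker documentation. It checks a single Windows host against the SSP's "BitLocker in FIPS mode" requirement and produces the per-volume findings that the POA&M audit of non-compliant devices (item 1) needs. It assumes the BitLocker PowerShell module is installed, the script runs elevated, and that the list of approved encryption methods is a placeholder the organization fills in from its own policy.

```powershell
# Added example (not from this page or Microsoft): audit one Windows host for the
# SSP's "BitLocker in FIPS mode" requirement. Assumes the BitLocker module is
# present and the script runs elevated. Exit code 1 marks a non-compliant host so a
# scheduled task or management tool can collect the result for the POA&M audit.

# Host-level check: the "Use FIPS compliant algorithms" Group Policy setting maps
# to this registry value (1 = enabled).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = ((Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1)

# Placeholder policy: encryption methods the organization accepts (set per the SSP).
$approvedMethods = @('XtsAes256', 'XtsAes128')

$findings = @(foreach ($vol in Get-BitLockerVolume) {
    $reasons = @()
    $status = "$($vol.VolumeStatus)"
    if ($status -ne 'FullyEncrypted') {
        $reasons += "status=$status ($($vol.EncryptionPercentage)%)"
    }
    if ("$($vol.ProtectionStatus)" -ne 'On') { $reasons += 'protection off' }
    if ("$($vol.EncryptionMethod)" -notin $approvedMethods) {
        $reasons += "method=$($vol.EncryptionMethod)"
    }
    # The "Backup Your Recovery Key" step leaves a RecoveryPassword protector; without
    # one, IT cannot unlock the drive if the normal unlock method fails.
    $hasRecovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $hasRecovery) { $reasons += 'no RecoveryPassword protector' }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Volume    = $vol.MountPoint
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
})

if (-not $fipsEnabled) {
    $findings += [pscustomobject]@{
        Host = $env:COMPUTERNAME; Volume = '(host)'; Compliant = $false
        Reasons = 'FIPS policy (FipsAlgorithmPolicy\Enabled) is not set to 1'
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
exit 0
```

Collect the output centrally (for example from a scheduled task or your management tool) so the audit covers every device in the organizational unit rather than a single machine.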
FIPS MODE:
FIPS mode restricts a system to cryptographic algorithms and modules that comply with the Federal Information Processing Standards (FIPS), the U.S. government standards for cryptography.
Overview of enabling FIPS mode on several platforms:
- Windows:
  - Open the Local Group Policy Editor (gpedit.msc from Run).
  - Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  - Find the policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” and set it to “Enabled”.
  - Restart the computer for the change to take effect.
- Linux (Red Hat/CentOS):
  - Edit the /etc/sysconfig/prelink file and change PRELINKING=yes to PRELINKING=no.
  - Run the command prelink -u -a to undo existing prelinking.
  - Edit the /etc/crypto-policies/config file and set it to FIPS.
  - Apply the change using update-crypto-policies.
  - Restart the computer.
- OpenSSL:
- Some versions of OpenSSL can be run in FIPS mode, but it might require a FIPS-capable OpenSSL build. Once you have that, you can typically enable FIPS mode programmatically within apps using the OpenSSL library.
- iOS/macOS:
- Apple does not provide a general “FIPS mode” toggle like some other platforms. Instead, developers use Apple’s cryptographic libraries, which have been validated for FIPS 140-2, in their applications.
- Networking Devices:
- For routers, switches, and firewalls, the process varies widely. Consult the device’s manual or manufacturer’s documentation.
APPLE & IOS:
- Secure Enclave: Every iPhone with an A7 chip or later contains a Secure Enclave, a hardware-based key manager that’s isolated from the main processor. It is used to handle encryption keys and operations securely. The Secure Enclave is essential for several security features on the iPhone, including:
- Touch ID: The mathematical representations of your fingerprint are encrypted and stored only in the Secure Enclave. They are never sent to Apple or backed up to iCloud.
- Face ID: Data utilized to recognize your face is encrypted and protected by the Secure Enclave.
- Apple Pay: The device account number and other payment information are stored in the Secure Enclave.
- Data Protection: iOS provides strong encryption for data in transit and data at rest on the device. Every time you lock your iPhone, the hardware encryption on the device pairs with the software encryption of the operating system to lock your data away.
- Processor Architecture: The A-series chips in iPhones come with security features that prevent unauthorized access to data. The silicon design of these chips ensures that iOS runs in a secure environment.
- End-to-End Encryption: iMessages and FaceTime have end-to-end encryption, meaning that only the sender and the receiver can view them. Apple doesn’t have access to this content.
- Secure Boot Chain: This ensures that only trusted components are used during the boot-up process, from hardware to software.
- Software Updates: Apple regularly provides updates to iOS to address security vulnerabilities and enhance the security framework.
Here are general steps and considerations to configure your macOS system for FIPS 140-2 compliance:
- Use Apple’s Cryptographic Modules: Apple has FIPS 140-2 certified cryptographic modules in macOS. Make sure you are using applications and services that leverage Apple’s core cryptographic libraries.
- FileVault2 for Disk Encryption: Ensure that you are using FileVault2 for full-disk encryption. This will encrypt the entire startup disk, and any user of the computer must enter a password before the computer will boot from the disk or access its data.
- Gatekeeper: Ensure that Gatekeeper is enabled. This will restrict the sources from which applications can be installed. Ideally, allow apps downloaded only from the ‘App Store’ or ‘App Store and identified developers’.
- Firewall: Turn on macOS’s built-in firewall to block incoming connections.
- Regular Updates: Keep your macOS system updated. Apple provides security updates that can patch vulnerabilities. Turn on “Automatically keep my Mac up to date” from System Preferences > Software Update.
- Disable Unnecessary Services: Turn off unnecessary services and features. For instance, if you don’t need Bluetooth, disable it. The fewer open doors and windows, the fewer routes there are for unauthorized access.
- Use Strong Passwords: Ensure that all user accounts have strong, complex passwords. This can be enforced through System Preferences > Users & Groups.
- Limit Use of the Root Account: The root user account has privileges that allow changes to the system that may bypass security. Ensure it’s disabled unless absolutely necessary.
- Review Installed Applications: Regularly review and remove any unnecessary applications.
- Audit and Logging: Ensure that the macOS logging features are enabled and regularly reviewed. This will help in identifying and understanding any unauthorized access attempts.
- Remote Access: If not needed, disable “Remote Management” and “Remote Login” from System Preferences > Sharing. If remote access is necessary, ensure it’s done securely with strong authentication.
- Browser Settings: Ensure that web browsers are set up securely. Disable unnecessary plugins, use private browsing modes, and consider using tools to block trackers or malicious sites.
- VPN: If accessing the internet from public places, consider using a VPN to ensure your connection is encrypted.
- Third-Party Security Solutions: Consider using third-party security solutions that may offer additional features or protections tailored for FIPS 140-2 compliance.
- Regular Backups: Ensure you regularly back up your data. Use encrypted backups.
Please note that these steps provide a general path towards hardening your macOS system and aligning it with FIPS 140-2 principles. However, FIPS 140-2 compliance in an organizational setting may have additional requirements or nuances based on specific use cases, data classifications, and enterprise policies.
RELEVANT INFORMATION:
Discussion [NIST SP 800-171 R2]
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields.
Further Discussion
Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process, store, or transmit CUI including smartphones, tablets, and e-readers.
When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or -2 requirements. Simply using an approved algorithm is not sufficient; the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.
This practice, AC.L2-3.1.19, requires that CUI be encrypted on mobile devices and extends three other CUI protection practices (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2-3.13.16):
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.