DISCUSSION FROM SOURCE: CMMC
This practice adds granularity to remote access restrictions based upon
organization-determined factors. The example factors in the practice are provided to help
explain the meaning of 'risk factors' as anything that adds context to be considered
in a determination of whether to grant remote access.
The intent of this practice is to define additional context for allowed remote access and then
to enforce it through technical means rather than policy alone.
CMMC CLARIFICATION
This practice adds context about the user and the specific access attempt that is evaluated
before network access is granted. First, the organization must identify the attributes that are
important for managing the risk of remote network access. Then, the administrator restricts
remote access based on the state of these attributes. The remote access control mechanism must
be enhanced to check attributes such as the subject's location, the state of the network (e.g.,
running services, resources available, traffic statistics, network hosts in the local network
and traffic patterns between nodes), host posture, time of day, expected behavior associated
with the user's role, and normal behavior for the user based on previous use. All the
attributes checked must be within tolerance for the user requesting remote access. The
organization is neither limited to these attributes nor required to use them.
One possible approach could include:
(1) a policy database holding the organization-determined access policy;
(2) an attribute database for subjects, the environment and resources; and
(3) a policy enforcement engine leveraging a policy language like XACML to check the
policy and attributes before access is granted.
Example
You are an employee who typically works from home using a corporately owned laptop. You
request access from your laptop to a server containing network diagrams for a system you
are designing, and access is granted. You also have a personal tablet which you only use for
email via a corporate web site when traveling to a sponsor's location. Since you are traveling
more and more frequently, you request access to the server using the tablet to support your
engineering work. Since the device is personally owned, the host posture attribute is not
satisfied. As a result, your network access request from the tablet is denied.
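The three-part approach above (policy database, attribute database, policy decision with deny-overrides combining in the style of XACML) and the laptop/tablet scenario, as an added Python example that is not part of the CMMC source. The rule names, attribute names and sample requests are constructed for illustration; the host posture rule treats a non-corporate device as failing posture for the engineering server, which is the condition the scenario describes.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Attribute record for one remote access attempt (constructed attribute names).
@dataclass
class Request:
    user_role: str
    device_owner: str        # "corporate" or "personal" (feeds host posture)
    posture_compliant: bool  # endpoint meets the configured baseline
    location: str            # coarse subject location
    hour: int                # local time of day, 0-23
    resource: str            # target resource identifier

# One entry in the policy database: a condition over attributes and its effect.
@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    effect: str  # "Permit" or "Deny"

# Policy database (constructed): organization-determined access policy.
POLICY = [
    Rule("deny-host-posture-for-engineering",
         lambda r: r.resource == "engineering-server" and r.device_owner != "corporate", "Deny"),
    Rule("deny-noncompliant-posture", lambda r: not r.posture_compliant, "Deny"),
    Rule("deny-outside-business-hours", lambda r: not (6 <= r.hour < 22), "Deny"),
    Rule("permit-engineer-to-engineering",
         lambda r: r.user_role == "engineer" and r.resource == "engineering-server", "Permit"),
    Rule("permit-any-role-to-webmail", lambda r: r.resource == "webmail", "Permit"),
]

def decide(req: Request, policy: list[Rule] = POLICY) -> tuple[str, list[str]]:
    """Deny-overrides combining: any matching Deny rule wins; otherwise a matching
    Permit applies; if nothing matches the result is NotApplicable, which the
    enforcement point should treat as a denial. Returns (decision, matched rules)."""
    matched = [rule for rule in policy if rule.condition(req)]
    reasons = [rule.name for rule in matched]
    if any(rule.effect == "Deny" for rule in matched):
        return "Deny", reasons
    if any(rule.effect == "Permit" for rule in matched):
        return "Permit", reasons
    return "NotApplicable", reasons

if __name__ == "__main__":
    laptop = Request("engineer", "corporate", True, "home", 10, "engineering-server")
    tablet = Request("engineer", "personal", True, "sponsor-site", 10, "engineering-server")
    print(decide(laptop))   # ('Permit', ['permit-engineer-to-engineering'])
    print(decide(tablet))   # ('Deny', ['deny-host-posture-for-engineering', 'permit-engineer-to-engineering'])
```

The returned rule names give the administrator the audit trail for why an attempt was denied, which is what makes the technical enforcement reviewable.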
References
• CMMC