Requirement text: SC.2.179: Use encrypted sessions for the management of network devices.
DISCUSSION FROM SOURCE: CMMC
Management of network devices is a security critical process and needs to have
confidentiality protection and authentication to protect against adversaries trying to gain
information or change the network infrastructure.
Confidentiality protection prevents an adversary from sniffing passwords or configuration
information. Authenticity protection includes, for example, protecting against man-in-the-
middle attacks, session hijacking, and the insertion of false information into communications
sessions. This requirement addresses communications protection at the session versus
packet level (e.g., sessions in service-oriented architectures providing web-based services).
CMMC CLARIFICATION
When an organization connects to and manages network devices, it should use an encrypted
session. The most common encrypted method is a Secure Shell (SSH).
Example
You are an IT administrator for your organization. You are in charge of updating devices on
your network. You access these devices over the network instead of at the device’s physical
location. When you establish a connection to these devices, you use an SSH connection. An
SSH connection protects you. For example, an adversary has installed malware on a network
device. If you use an unencrypted session (i.e., telnet into a device) the adversary can view
your username and password. But, if you use an SSH connection, the adversary cannot see
this information.
References
• CMMC
• CIS Controls v7.1 11.5