CMMC SC.4.228 - Isolate Administration of High-Value Systems

Requirement text: SC.4.228: Isolate administration of organizationally defined high-value critical
network infrastructure components and servers.

DISCUSSION FROM SOURCE: CMMC
Organizations apply systems security engineering concepts and principles to identify the
high value critical network infrastructure components in their network. High value critical
systems are those that if compromised could lead to unauthorized access, use, modification
or destruction of large amounts of CUI. Examples include boundary protection systems (e.g.,
routers, firewalls, intrusion protection and detection systems), critical infrastructure servers
(e.g., domain, policy, certificate) and key servers processing CUI (e.g., file, mail, collaboration
applications). Securing administration, the ability to alter the configuration of these
components, includes delineating physical and logical security boundaries between the data
and management interfaces such as through the use of an Out-of-Band network.

NIST Special Publication 800-160 provides guidance on systems security engineering.

CMMC CLARIFICATION
Where the organization has identified high value critical network infrastructure used in the
processing and management of CUI data, it physically or logically isolates management of
these systems from the production network, such as through the use of an Out-of-Band
network. Access controls are implemented to prevent unauthorized users from accessing the
management network and changing the configuration of an infrastructure component
processing CUI information.

Example 1
You are responsible for security architecture and are asked to build and secure a network
enclave to support a large project processing CUI data from two facilities in your
organization. The architecture you designed to support this project has a workgroup switch
in each location, each connected to a firewall that provides the connection to the Internet.
The management interfaces on the two switches and the firewall are all connected to the
Out-of-Band (OOB) management network, which is air-gapped from the rest of the company and
from the Internet.

Example 2
You have created VLANs that are used to access the management interfaces of all the network
switches and the servers in the data center. These VLANs are isolated from the rest of the
organization's network, so only the network engineers and server administrators can manage
these devices, either from their offices or through a Bastion Host you set up.
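The clarification and the two examples above both come down to one testable property: every management port on a high-value system must be reachable only from the Out-of-Band network or the bastion host, never from the data network or the Internet. The following is an added example, not code from the CMMC source, that audits that property against a first-match firewall policy. The topology (management VLAN 10.99.0.0/24, bastion 10.10.5.10, the four device names, the probe addresses) and the set of management ports are assumed for illustration; it shows a weak policy that lets SSH in from anywhere beside a hardened one that restricts the management plane to the OOB VLAN and the bastion.

```python
"""Audit: can anything outside the OOB network or bastion reach a management port?

Constructed example for CMMC SC.4.228; the topology and rules are assumptions."""
import ipaddress
from dataclasses import dataclass

# Management-plane ports checked by the audit (assumed set): SSH, HTTPS admin UI,
# SNMP, NETCONF.
MGMT_PORTS = {22, 443, 161, 830}


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule. action is 'allow' or 'deny'; src and dst are
    CIDRs; ports is the set of destination ports matched (empty = any port)."""
    action: str
    src: str
    dst: str
    ports: frozenset = frozenset()

    def matches(self, src_ip, dst_ip, port):
        return (src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and (not self.ports or port in self.ports))


def permits(rules, src, dst, port, default="deny"):
    """First-match evaluation of a flow; default deny unless told otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.action == "allow"
    return default == "allow"


def exposed_management_paths(rules, mgmt_interfaces, trusted_sources, probe_sources):
    """Return [(probe_src, system_name, port)] for every management port that a
    source outside the trusted (OOB / bastion) networks can reach."""
    trusted = [ipaddress.ip_network(n) for n in trusted_sources]
    findings = []
    for probe in probe_sources:
        if any(ipaddress.ip_address(probe) in net for net in trusted):
            continue  # trusted sources are meant to reach the management plane
        for name, mgmt_ip in mgmt_interfaces.items():
            for port in sorted(MGMT_PORTS):
                if permits(rules, probe, mgmt_ip, port):
                    findings.append((probe, name, port))
    return findings


# --- Constructed sample topology (assumed, not from the original page) ---
MGMT_NET = "10.99.0.0/24"   # OOB management VLAN
BASTION = "10.10.5.10/32"   # bastion host administrators jump through
TRUSTED = [MGMT_NET, BASTION]

HIGH_VALUE = {              # management IPs of the enclave's infrastructure
    "edge-firewall": "10.99.0.1",
    "switch-siteA": "10.99.0.11",
    "switch-siteB": "10.99.0.12",
    "cui-fileserver": "10.99.0.50",
}

PROBES = [
    "10.99.0.200",  # admin workstation on the OOB VLAN (trusted)
    "10.10.5.10",   # the bastion itself (trusted)
    "10.20.0.37",   # user workstation on the CUI data VLAN
    "203.0.113.9",  # Internet host
]

# Weak policy: SSH to the management VLAN allowed from anywhere "for convenience".
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", MGMT_NET, frozenset({22})),
    Rule("allow", MGMT_NET, MGMT_NET),
    Rule("allow", BASTION, MGMT_NET, frozenset(MGMT_PORTS)),
]

# Hardened policy: management ports only from the OOB VLAN and the bastion,
# everything else to the management VLAN explicitly denied.
HARDENED_RULES = [
    Rule("allow", MGMT_NET, MGMT_NET),
    Rule("allow", BASTION, MGMT_NET, frozenset(MGMT_PORTS)),
    Rule("deny", "0.0.0.0/0", MGMT_NET),
]


def audit(rules):
    """Run the exposure check against the sample topology."""
    return exposed_management_paths(rules, HIGH_VALUE, TRUSTED, PROBES)


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = audit(rules)
        print(f"{label}: {len(findings)} exposed management path(s)")
        for finding in findings:
            print("   ", finding)
```

Against the weak policy the audit reports every high-value system reachable on port 22 from both the CUI data VLAN and the Internet; the hardened policy reports nothing while the bastion still reaches every management port. The same check can be pointed at an exported ruleset from a real firewall by translating its rules into `Rule` objects, which turns the requirement into something you can re-run after each change window.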

References
• CMMC modification of NIST SP 800-171 Rev 1 3.13.2
• CIS Controls v7.1 11.7, 14.1
• NIST CSF v1.1 PR.AC-5
• NIST SP 800-53 Rev 4 SA-8