IA.L3-3.5.3E Block Untrusted Assets

CMMC Requirement IA.L3-3.5.3E – Block Untrusted Assets: Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

Links to Publicly Available Resources – Coming Soon

Discussion [NIST SP 800-171 R2]
Identification and authentication of system components and component configurations can be determined, for example, via a cryptographic hash of the component. This is also known as device attestation and known operating state or trust profile. A trust profile based on factors such as the user, authentication method, device type, and physical location is used to make dynamic decisions on authorizations to data of varying types. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt the identification and authentication of other devices.
[NIST IR 8011-1] provides guidance on using automation support to assess system configurations.

Further Discussion
This requirement can be achieved in several ways, such as blocking based on posture assessments, conditional access, or trust profiles. A posture assessment checks a given system's posture to validate that it meets the standards set by the organization before the system is allowed to connect. Conditional access is the set of policies and configurations that control which devices receive access to services and data sources; it lets an organization build rules that manage security controls, perform blocking, and restrict components. A trust profile is a set of factors that are checked to determine whether a component can be trusted.
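The decision logic described in the Discussion and Further Discussion above (attestation by component hash, a trust profile over user, authentication method, device type and location, and configuration management keeping attestation intact across updates), as an added illustration that is not part of the CMMC or NIST text. All component ids, images, factor values and data classes are constructed, and the SHA-256 of a byte string stands in for a hash reported by a real attestation agent.

```python
import hashlib
from dataclasses import dataclass

def measure(image: bytes) -> str:
    """Component measurement: SHA-256 of the component image (constructed stand-in for an attested hash)."""
    return hashlib.sha256(image).hexdigest()

# Constructed known-good measurements per component, maintained by configuration management.
KNOWN_GOOD = {"laptop-0042": {measure(b"os-image-v1")}}

# Constructed trust profile: for each data class, the factor values that permit access.
TRUST_PROFILE = {
    "CUI":    {"auth_method": {"mfa"},             "device_type": {"managed-laptop"},         "location": {"onsite", "vpn"}},
    "public": {"auth_method": {"password", "mfa"}, "device_type": {"managed-laptop", "byod"}, "location": {"onsite", "vpn", "remote"}},
}

@dataclass
class ConnectionRequest:
    component_id: str
    measurement: str   # hash the component attests to at connect time
    user: str
    auth_method: str
    device_type: str
    location: str
    data_class: str    # class of data the component is asking to reach

def evaluate(req: ConnectionRequest, known_good=KNOWN_GOOD, profile=TRUST_PROFILE):
    """Deny by default; return (allowed, reason) so every decision can be logged."""
    if req.component_id not in known_good:
        return False, "unknown component"
    if req.measurement not in known_good[req.component_id]:
        return False, "attestation mismatch: not in a known configured state"
    rules = profile.get(req.data_class)
    if rules is None:
        return False, f"no trust profile for data class {req.data_class}"
    for factor, permitted in rules.items():          # every profile factor must match
        if getattr(req, factor) not in permitted:
            return False, f"{factor}={getattr(req, factor)} not permitted for {req.data_class}"
    return True, "allowed"

def register_update(component_id: str, new_image: bytes, known_good=KNOWN_GOOD):
    """Configuration-management step: record the post-update measurement so a patched component keeps authenticating."""
    known_good.setdefault(component_id, set()).add(measure(new_image))

if __name__ == "__main__":
    req = ConnectionRequest("laptop-0042", measure(b"os-image-v1"), "alice", "mfa", "managed-laptop", "onsite", "CUI")
    print(evaluate(req))       # -> (True, 'allowed')
    patched = ConnectionRequest("laptop-0042", measure(b"os-image-v2"), "alice", "mfa", "managed-laptop", "onsite", "CUI")
    print(evaluate(patched))   # blocked: the update was rolled out before configuration management recorded it
    register_update("laptop-0042", b"os-image-v2")
    print(evaluate(patched))   # -> (True, 'allowed')
```

Without the register_update step the patched device is indistinguishable from a tampered one, which is the disruption the Discussion warns about.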