CMMC Requirement AC.L3-3.1.2E – Organizationally Controlled Assets: Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
Links to Publicly Available Resources
- Overview of the potential vulnerable attack surfaces for BYOD and techniques to mitigate them.
- This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3.
- This guide assists in establishing a BYOD policy, implementing an effective device management solution, segregating network resources, the critical role of employee education, ongoing monitoring and auditing of IT services, and regular review and updating of those services.
- Guidance on how to use Microsoft Defender for Cloud Apps when an organization allows BYOD devices.
- Microsoft guidance on how to create a device-based Conditional Access policy to enforce security and compliance standards.
- Guidance from Microsoft on how to restrict access to SharePoint and OneDrive from unmanaged devices.
Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.
Further Discussion
Implementing this requirement ensures that an organization has control over the systems that can connect to organizational assets, which allows security policy to be applied more effectively and efficiently. The phrase “has control over” extends the requirement to systems that the organization does not own outright. Control includes policies, regulations, or standards that are enforced on the resource accessing contractor systems; it may also be exercised through contracts or agreements with the external party. “Provisioned” includes setting configuration, whether through direct technical means or by policy or agreement. For purposes of this requirement, Government-Furnished Equipment (GFE) can be considered provisioned by the Organization Seeking Assessment (OSA).
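As a worked example of one way to implement this requirement with the device-based Conditional Access approach the Microsoft resources listed above describe, the following Microsoft Graph PowerShell script creates a policy that grants access to cloud resources only from devices that are Intune-compliant (provisioned by the organization) or Hybrid Azure AD joined (owned and domain-joined). This example is added here; it is not from the CMMC page or from Microsoft's own guidance. The break-glass account object ID, the tenant admin URL, and the policy name are placeholders, and the script assumes the Microsoft.Graph PowerShell SDK is installed and the operator holds a role permitted to write Conditional Access policies.

```powershell
# Added example (not from the CMMC page or Microsoft): a device-based Conditional Access
# policy that lets only organization-managed devices reach cloud resources.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the operator may write
# Conditional Access policies. All object IDs and URLs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access ("break glass") account, excluded so a
# misconfigured device policy cannot lock every administrator out of the tenant.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "AC.L3-3.1.2E - Require organization-managed device"
    # Start in report-only mode. Review sign-in logs for what would have been blocked
    # (personal devices, unenrolled laptops), then change the state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # "all" covers browser, modern-auth clients, and legacy protocols. Legacy clients
        # cannot present device state, so they can never satisfy the grant below.
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "owned, provisioned, or issued": accept a device that is Intune-compliant
        # (provisioned) OR Hybrid Azure AD joined (owned, domain-joined). With "OR",
        # satisfying either control grants access; a personal phone or home PC that is
        # neither enrolled nor domain-joined is denied.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm it was stored with the intended state and controls.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State

# Optional companion setting for SharePoint Online and OneDrive (SharePoint Online
# Management Shell): if an unmanaged device does reach SharePoint in a browser, allow
# only limited web access with no download, print, or sync. Tenant URL is a placeholder.
# Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
# Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

Run it first in the report-only state shown, then inspect the Conditional Access sign-in log entries before switching to "enabled"; the report-only pass is what reveals the unenrolled or non-domain-joined devices that the policy would reject, and it is the point at which to decide whether those devices should be enrolled (provisioned) or excluded.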