CMMC Requirement CM.L3-3.4.2E – Automated Detection & Remediation: Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove the components or place the components in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations.
Links to Publicly Available Resources – Coming Soon
This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed.
System components used to process, store, transmit, or protect CUI are monitored and checked against the authoritative source (i.e., hardware and software inventory and associated baseline configurations). From an automated assessment perspective, the system description provided by the authoritative source is referred to as the desired state. Using automated tools, the desired state is compared to the actual state to check for compliance or deviations. Security responses to system components that are unknown or that deviate from approved configurations can include removing the components; halting system functions or processing; placing the system components in a quarantine or remediation network that facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or notifications to personnel when there is an unauthorized modification of an organization-defined configuration item. Responses can be automated, manual, or procedural. Components that are removed from the system are rebuilt from the trusted configuration baseline established by the authoritative source.
[NIST IR 8011-1] provides guidance on using automation support to assess system configurations
Further Discussion
For this requirement, the organization is required to implement automated tools to help identify misconfigured components. Once under an attacker’s control, the system may be modified in some manner and the automated tool should detect this. Or, if a user performs a manual configuration adjustment, the system will be viewed as misconfigured, and that change should be detected. Another common example is if a component has been offline and not updated, the tool should detect the incorrect configuration. If any of these scenarios occurs, the automated configuration management system (ACMS) will notice a change and can take the system offline, quarantine the system, or send an alert so the component(s) can be manually removed. Quarantining a misconfigured component does not require it to be removed from the network. Quarantining only requires that a temporary limitation be put in place eliminating the component’s ability to process, store, or transmit CUI until it is properly configured. If a component has the potential of disrupting business operations then the OSC should take extra care to ensure configuration updates are properly tested and that components are properly configured and tested before being added to the network. Once one of these actions is accomplished, a system technician may need to manually inspect the system or rebuild it using the baseline configuration. Another option is for an ACMS to make adjustments while the system is running rather than performing an entire rebuild. These adjustments can include replacing configuration files, executable files, scripts, or library files on the fly.