CMMC Practice AC.4.032: Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
This practice adds context about the user and the specific access attempt before network access is granted. First, the organization must identify attributes that are important for managing the risk of remote network access. Then, the administrator restricts remote access based on the state of these attributes. The remote access control mechanism must be enhanced to check the attributes such as the subject’s location, the state of the network (e.g., running services, resources available, traffic statistics, network hosts in the local network and traffic patterns between nodes), host posture, time-of-day, expected behavior associated with the user’s role, and normal behavior for the user based on previous use. All the attributes checked must be within tolerance for the user requesting remote access. The organization is not limited to these attributes or required to use these attributes.
One possible approach could include:
- a policy database or the organization-determined access policy;
- an attribute database for subjects, the environment and resources; and
- a policy enforcement engine leveraging a policy language like XACML to check the policy and attributes before access is granted.
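The three components above, worked through as an added example (not from the CMMC text or Appendix B): a policy database keyed by role, an attribute database for subjects, and a small enforcement engine that evaluates every organization-defined risk factor (time of day, location, host posture, network connection state, and the user's behavioural baseline) before granting remote access. Python stands in here for a XACML policy decision point; the users, roles, windows, countries and posture flags are constructed sample values.

```python
from dataclasses import dataclass
from datetime import time

# --- Attribute database (constructed sample data) ---
# Subject attributes: the role, plus a behavioural baseline derived from
# previous use (the countries this user normally connects from).
SUBJECT_ATTRIBUTES = {
    "alice": {"role": "engineer", "usual_countries": {"US"}},
    "bob": {"role": "contractor", "usual_countries": {"CA"}},
}

# --- Policy database: organization-defined risk factors, keyed by role ---
POLICY = {
    "engineer": {
        "allowed_window": (time(6, 0), time(22, 0)),     # time of day
        "allowed_countries": {"US", "CA"},               # location of access
        "required_posture": {"disk_encrypted", "edr_running"},  # host posture
        "max_sessions": 2,                               # network connection state
    },
    "contractor": {
        "allowed_window": (time(8, 0), time(18, 0)),
        "allowed_countries": {"CA"},
        "required_posture": {"disk_encrypted", "edr_running", "os_patched"},
        "max_sessions": 1,
    },
}


@dataclass
class AccessRequest:
    """Attributes of one remote access attempt, as seen by the gateway."""
    user: str
    local_time: time        # time of day at the organization
    country: str            # location of access, e.g. resolved from the source address
    host_posture: set       # measured properties of the connecting host
    active_sessions: int    # sessions this user already has open


def _in_window(t, window):
    start, end = window
    return start <= t <= end


def evaluate(req: AccessRequest):
    """Policy enforcement engine.

    Returns (decision, failed_attributes). Every rule must hold for a Permit,
    i.e. a deny-overrides combining rule; the list of failed attribute names is
    what an administrator would want in the access log.
    """
    subject = SUBJECT_ATTRIBUTES.get(req.user)
    if subject is None:
        return "Deny", ["unknown-subject"]
    policy = POLICY.get(subject["role"])
    if policy is None:
        return "Deny", ["no-policy-for-role"]

    rules = [
        ("time-of-day", _in_window(req.local_time, policy["allowed_window"])),
        ("location", req.country in policy["allowed_countries"]),
        ("host-posture", policy["required_posture"] <= req.host_posture),
        ("network-state", req.active_sessions < policy["max_sessions"]),
        # Expected behaviour for this user: a location allowed by policy can
        # still be outside the user's own baseline and is treated as out of tolerance.
        ("user-baseline", req.country in subject["usual_countries"]),
    ]
    failed = [name for name, ok in rules if not ok]
    return ("Permit" if not failed else "Deny"), failed


if __name__ == "__main__":
    compliant = {"disk_encrypted", "edr_running", "os_patched"}
    for req in (
        AccessRequest("alice", time(9, 0), "US", compliant, 0),
        AccessRequest("alice", time(23, 30), "US", compliant, 0),
        AccessRequest("alice", time(9, 0), "CA", compliant, 0),
        AccessRequest("bob", time(10, 0), "US", compliant, 0),
    ):
        print(req.user, req.country, req.local_time, "->", evaluate(req))
```

Each rule is independent, so adding a new organization-defined attribute (say, a device certificate check) is one more `(name, predicate)` entry rather than a change to the decision logic, and the returned list of failed attributes gives the administrator a direct record of which risk factor was out of tolerance.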