Crosswalk

AC.L1-3.1.22

Control Public Information: Control information posted or processed on publicly accessible information systems. Scrub websites and publicly facing information to make sure no private information is posted publicly. Example: Your company decides to start issuing press releases about its projects in an effort to reach more potential customers. Your company receives FCI from the government […]


SI.L1-3.14.5

System & File Scanning: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Scan storage and information systems for malware as well as any files from external sources. Example: You work with your company’s email provider to enable enhanced protections that will scan all attachments


SC.L1-3.13.5

Public-Access System Separation: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Decide which devices belong on which network and system. Manufacturing equipment should be on its own network, and so should office, guest, and web server networks. Example: The head of recruiting at your company wants to launch a website


PE.L1-3.10.5

Manage Physical Access: Control and manage physical access devices. References: ANSI/ISA-62443-3-2-2020 4.7.3-4.7.5; NIST SP 800-171r2 3.10.5, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf; NIST SP 800-82r3 2.3.6, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf


PE.L1-3.10.4

Physical Access Logs: Maintain audit logs of physical access. Keep a log of who accesses which areas and devices so it can be consulted in case of a failure or unauthorized access. Example: You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company has just signed a contract with the


PE.L1-3.10.3

Escort Visitors: Escort visitors and monitor visitor activity. Any non-employee must be accompanied and monitored by an authorized employee at all times. Example: Coming back from a meeting, you see the friend of a coworker walking down the hallway near your office. You know this person well and trust them, but are not sure why they are in the


PE.L1-3.10.1

Limit Physical Access: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. Use fences, walls, and barriers to prevent unauthorized access to an area. Make sure the people with physical access to machines actually need that access to complete their job. An office worker does not need access to a fennec


MP.L1-3.8.3

Media Disposal: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. Any old storage devices, hard drives, flash drives, SSDs, or computers must be properly and entirely destroyed to prevent the disclosure of information. Example: As you pack for an office move, you find some old CDs in a file cabinet.


IA.L1-3.5.1

Identification: Identify information system users, processes acting on behalf of users, or devices. References: Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.0; ANSI/ISA-62443-4-1-2018 page 55; NIST SP 800-171r2 3.5.1, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf; NIST SP 800-53 3.7, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf


IA.L1-3.5.2

Authentication: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Have a method by which users must prove who they are before accessing something. If someone wants to change the way a machine works, require a password, fingerprint scan, or keycard to verify their identity.
