CMMC Practice Requirement:
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
CMMC Requirement Explanation:
Establishing and adhering to security engineering principles increases the security of your environment. Requiring system administrators and security staff to follow your company's security principles increases accountability.
Example CMMC Implementation:
NIST Special Publication 800-160 covers the topic of security engineering. It contains a list of "security design principles" from which you need to select some to follow. Document a policy requiring the implementation of the security engineering principles you selected from NIST SP 800-160. Here are a few from NIST SP 800-160 that you can use:
- Reduced Complexity: the system design should be as simple and small as possible. A small and simple design will be more understandable, more analyzable, and less prone to error.
- Least Privilege: each component should be allocated sufficient privileges to accomplish its specified functions, but no more.
- Trusted Communication Channels: restrict access to communication channels and employ end-to-end protections for the data transmitted over the communication channel.
- Continuous Protection: all components and data used to enforce the security policy must have uninterrupted protection that is consistent with the security policy and the security architecture assumptions.
- Accountability and Traceability: it must be possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken.
- Secure Defaults: the default configuration of a system (to include its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy.
- Repeatable and Documented Procedures: the techniques and methods employed to construct a system component should permit the same component to be completely and correctly reconstructed at a later time.
- Secure System Modification: system modification must maintain system security with respect to the security requirements and risk tolerance of stakeholders.
- Sufficient Documentation: personnel with responsibility to interact with the system should be provided with adequate documentation and other information such that they contribute to rather than detract from system security.
- Defense in Depth: security architectures are to be constructed through the application of multiple mechanisms to create a series of barriers to prevent, delay, or deter an attack by an adversary.
- Scenario 1:
A system administrator set up a complex IT environment at a remote office. You notice that he completed the project without creating any meaningful documentation. You remind him of your company's security engineering principles requiring the creation of documentation. In response, the system admin creates the documentation and stores it in a location accessible to those who need to reference it.
- Scenario 2:
An IT help desk technician needs to configure a laptop for a new employee whose first day of work is tomorrow. The technician rushes through and only installs Microsoft Office and creates the employee's user account. The technician then provides the laptop to the employee. The technician has violated your company's security engineering principle of "secure defaults": he did not apply the baseline configuration to the system, which contains your default security settings and anti-virus software.
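The "secure defaults" failure in Scenario 2 is the kind of drift a baseline check catches before a device is handed over. The following is an added example written for this page, not code from the page, from CMMC or from NIST SP 800-160: it compares an endpoint's recorded settings against a constructed secure baseline and reports every setting that is missing, weaker than required, or (for least privilege) grants more than the baseline allows. Both the baseline and the two laptop states are constructed dictionaries standing in for data a real inventory tool would collect; the setting names are assumptions, not identifiers from any product.

```python
"""Baseline drift check illustrating the 'Secure Defaults' and 'Least Privilege'
principles. Constructed example: setting names and values are assumptions."""

# Constructed secure baseline: the restrictive defaults every new endpoint must have.
SECURE_BASELINE = {
    "antivirus_installed": True,
    "antivirus_realtime": True,
    "disk_encryption": True,
    "firewall_enabled": True,
    "guest_account_enabled": False,
    "screen_lock_minutes": 15,       # ceiling: a shorter timeout is acceptable
    "local_admin_for_user": False,   # least privilege: standard user, not admin
}

# Settings treated as ceilings (actual <= baseline passes) rather than exact matches.
CEILINGS = {"screen_lock_minutes"}


def check_baseline(actual, baseline=SECURE_BASELINE, ceilings=CEILINGS):
    """Return a list of (setting, expected, actual) findings; an empty list means
    the device matches the baseline. A setting absent from `actual` is reported as
    "MISSING" rather than silently assumed safe, because an unrecorded control is
    exactly the gap a rushed build leaves behind."""
    findings = []
    for key, expected in baseline.items():
        if key not in actual:
            findings.append((key, expected, "MISSING"))
            continue
        value = actual[key]
        if key in ceilings:
            # A non-positive timeout means the control is disabled, which also fails.
            if not isinstance(value, (int, float)) or value <= 0 or value > expected:
                findings.append((key, expected, value))
        elif value != expected:
            findings.append((key, expected, value))
    return findings


# Constructed sample: the rushed laptop from Scenario 2. Office was installed and the
# account created, but the baseline was never applied, so most controls are off or
# simply not recorded.
RUSHED_LAPTOP = {
    "antivirus_installed": False,
    "firewall_enabled": True,
    "guest_account_enabled": True,
    "screen_lock_minutes": 0,
    "local_admin_for_user": True,
}

# Constructed sample: the same laptop after the baseline configuration is applied.
HARDENED_LAPTOP = dict(SECURE_BASELINE)


def is_compliant(actual):
    """True only when no findings remain."""
    return not check_baseline(actual)


if __name__ == "__main__":
    for name, device in (("rushed laptop", RUSHED_LAPTOP), ("hardened laptop", HARDENED_LAPTOP)):
        findings = check_baseline(device)
        print(f"{name}: {'compliant' if not findings else f'{len(findings)} finding(s)'}")
        for setting, expected, value in findings:
            print(f"  {setting}: expected {expected!r}, found {value!r}")
```

Running the block reports six findings for the rushed laptop (two controls missing entirely, four set to weaker values) and none for the hardened one; a handover procedure that refuses to release a device until this list is empty is one concrete way to enforce the "secure defaults" principle documented in the policy.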