SC.2.179

Control Acronym

SC

Family

System And Communications Protection

CMMC Level

2

800-171 Control #

N/A

CMMC Description

Use encrypted sessions for the management of network devices.

CMMC Clarification

When an organization connects to and manages network devices, it should use an encrypted session. The most common encrypted method is a Secure Shell (SSH). Example You are an IT administrator for your organization. You are in charge of updating devices on your network. You access these devices over the network instead of at the device’s physical location. When you establish a connection to these devices, you use an SSH connection. An SSH connection protects you. For example, an adversary has installed malware on a network device. If you use an unencrypted session (i.e., telnet into a device) the adversary can view your username and password. But, if you use an SSH connection, the adversary cannot see this information.

800-171 Description

800-171 Discussion

N/A

Other Source Discussion

CMMC Management of network devices is a security critical process and needs to have confidentiality protection and authentication to protect against adversaries trying to gain information or change the network infrastructure. Confidentiality protection prevents an adversary from sniffing passwords or configuration information. Authenticity protection includes, for example, protecting against man-in-themiddle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services).

CIS Control References

CIS Controls v7.1 11.5

NIST 800-53 Control Ref.

CMMC Derived

CMMC

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

SC.2.179.[a] the organization has one or more policies and/or procedures for establishing connections to manage network devices; and

Assessment Sub-Criteria 2

SC.2.179.[b] the tools used for establishing remote connections to network devices use encryption.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15