Back to Control Explorer
SC.4.228
Content
Control Acronym
SC
Family
System And Communications Protection
CMMC Level
4
800-171 Control #
N/A
CMMC Description
Isolate administration of organizationally defined high-value critical network infrastructure components and servers.
CMMC Clarification
Where the organization has identified high value critical network infrastructure used in the processing and management of CUI data, they will physically or logically isolate management these systems from their production network, such as through the use of an Out-of-Band network. Access controls are implemented to prevent non-authorized users from accessing the management network and changing the configuration of an infrastructure component processing CUI information. Example 1 You are responsible for security architecture and are asked to build and secure a network enclave to support a large project processing CUI data from two facilities in your organization. The architecture you designed to support this project has a workgroup switch in each location connected to a firewall to the Internet. The management interfaces on the two switches and the firewall are all connected to the Out-of-Band (OOB) management network that is air-gapped from the rest of the company and the Internet. Example 2 You have created VLANs that are used to access the management interface of all the network switches and the servers in the data center. These VLANs are isolated from the rest of the organization’s network so only the network engineers and server administrators can manage these devices from their offices or a Bastion Host server you set up.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
CMMC Organizations apply systems security engineering concepts and principles to identify the high value critical network infrastructure components in their network. High value critical systems are those that if compromised could lead to unauthorized access, use, modification or destruction of large amounts of CUI. Examples include boundary protection systems (e.g., routers, firewalls, intrusion protection and detection systems), critical infrastructure servers (e.g., domain, policy, certificate) and key servers processing CUI (e.g., file, mail, collaboration applications) Securing administration, the ability to alter the configuration of these components, includes delineating physical and logical security boundaries between the data and management interfaces such as through the use of an Out-of-Band network. NIST Special Publication 800-160 provides guidance on systems security engineering.
CIS Control References
CIS Controls v7.1 11.7, 14.1
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 SA-8
CMMC Derived
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 PR.AC-5
CERT RMM Reference
Modification of NIST 800-171B Reference
CMMC modification of NIST SP 800-171 Rev 1 3.13.2