System And Communications Protection
Isolate administration of organizationally defined high-value critical network infrastructure components and servers.
Where the organization has identified high value critical network infrastructure used in the processing and management of CUI data, they will physically or logically isolate management these systems from their production network, such as through the use of an Out-of-Band network. Access controls are implemented to prevent non-authorized users from accessing the management network and changing the configuration of an infrastructure component processing CUI information. Example 1 You are responsible for security architecture and are asked to build and secure a network enclave to support a large project processing CUI data from two facilities in your organization. The architecture you designed to support this project has a workgroup switch in each location connected to a firewall to the Internet. The management interfaces on the two switches and the firewall are all connected to the Out-of-Band (OOB) management network that is air-gapped from the rest of the company and the Internet. Example 2 You have created VLANs that are used to access the management interface of all the network switches and the servers in the data center. These VLANs are isolated from the rest of the organization’s network so only the network engineers and server administrators can manage these devices from their offices or a Bastion Host server you set up.
CMMC Organizations apply systems security engineering concepts and principles to identify the high value critical network infrastructure components in their network. High value critical systems are those that if compromised could lead to unauthorized access, use, modification or destruction of large amounts of CUI. Examples include boundary protection systems (e.g., routers, firewalls, intrusion protection and detection systems), critical infrastructure servers (e.g., domain, policy, certificate) and key servers processing CUI (e.g., file, mail, collaboration applications) Securing administration, the ability to alter the configuration of these components, includes delineating physical and logical security boundaries between the data and management interfaces such as through the use of an Out-of-Band network. NIST Special Publication 800-160 provides guidance on systems security engineering.
CIS Controls v7.1 11.7, 14.1
NIST SP 800-53 Rev 4 SA-8
NIST CSF v1.1 PR.AC-5
CMMC modification of NIST SP 800-171 Rev 1 3.13.2