CMMC and NIST Demand Proper Information Handling and Sharing Practices for CUI and FCI
With the migration to the cloud, BYOD, and COVID-19 creating a worldwide remote workforce, there truly is no perimeter anymore. Now more than ever, we need a seamless way to adapt our cyber defenses to also look inward and proactively secure data.
For the government and defense industry, the solution also has to scale to meet the demands of both the DOD and the critical infrastructure players, and map to the critical controls laid out in NIST 800-171, 800-53, and CMMC, primarily CMMC Levels 3-5.
How Zero Trust Provides the Key to Success
Extending a Zero Trust approach used for system and application access to file access and sharing ensures compliance with CMMC standards for collaboration of Federal Control Information (FCI) and Controlled Unclassified Information (CUI). Attribute-based access control (ABAC) is a Zero Trust security model that evaluates attributes (characteristics of data and/or users), rather than roles, to determine access. It uses a data-centric security approach that evaluates each file's attributes, including security classification and permissions, as well as user attributes such as security clearance, time of day, location, and device, to determine who is able to access, as well as edit and download, files.
This gives agencies granular, real-time control over access to information: at the moment of each request, the system decides whether the user should be given access to the requested information based on all of these parameters. If the user scenario does not match, or appears suspicious, then access is denied or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours and they are using a BYOD device in another country, file access will be denied, effectively thwarting a hacker using stolen credentials.
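The decision described above, sketched as an added example (not code from any product or from this article's author): the sensitivity ranking, business hours, allowed countries, and the "one signal gives view-only, two or more deny" thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

RANK = {"public": 0, "fci": 1, "cui": 2}      # assumed sensitivity ordering
BUSINESS_HOURS = (time(8, 0), time(18, 0))    # assumed policy value
ALLOWED_COUNTRIES = {"US"}                    # assumed policy value

@dataclass(frozen=True)
class FileAttrs:
    classification: str         # key of RANK
    permitted_users: frozenset  # file-level permissions

@dataclass(frozen=True)
class Request:
    user: str
    clearance: str              # key of RANK
    local_time: time
    country: str
    managed_device: bool        # False means BYOD

def decide(f, r):
    """Return (decision, reasons); decision is 'allow', 'view_only' or 'deny'."""
    # Hard requirements first; unknown labels fail closed.
    if f.classification not in RANK or r.clearance not in RANK:
        return "deny", ["unknown classification or clearance"]
    if RANK[r.clearance] < RANK[f.classification]:
        return "deny", ["clearance below file classification"]
    if r.user not in f.permitted_users:
        return "deny", ["user not in file permissions"]
    # Contextual signals, evaluated at the moment of the request.
    signals = []
    if not (BUSINESS_HOURS[0] <= r.local_time < BUSINESS_HOURS[1]):
        signals.append("outside business hours")
    if r.country not in ALLOWED_COUNTRIES:
        signals.append("unexpected location")
    if not r.managed_device:
        signals.append("unmanaged (BYOD) device")
    if not signals:
        return "allow", []
    # Assumed thresholds: one mismatch restricts the view, more than one denies.
    return ("view_only" if len(signals) == 1 else "deny"), signals

# Constructed sample data: the same valid credentials in two contexts.
CUI_FILE = FileAttrs("cui", frozenset({"alice"}))
NORMAL = Request("alice", "cui", time(10, 0), "US", True)
STOLEN = Request("alice", "cui", time(2, 30), "XX", False)  # "XX" is a placeholder

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("stolen", STOLEN)):
        print(name, decide(CUI_FILE, req))
```

The returned reasons list is what an audit log would record alongside each allow, restrict, or deny decision.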