High-Point Performance: Cybersecurity Maturity Model Certification (CMMC) Self-Assessment

1. Do you have an Access Control (AC) Policy or does your Cyber Security Policy cover the AC requirements? (If Yes, select all that apply)
AC POLICY - ADDITIONAL INFORMATION:
List of authorized users and devices:
Is your system set up so that only authorized users, processes, and devices can access the company network? Is system access limited to the defined types of transactions and functions for authorized users?

Authorized users and devices: Is access for authorized users restricted to those parts of the system they are explicitly permitted to use? That is, is access denied by default and allowed by exception?

Duty roles: Are the types of transactions and functions authorized users are permitted to execute defined? Do you limit users to only the information systems, roles, or applications they are permitted to use and that are required for their roles and responsibilities?

Access limited to defined roles: Is system access limited to defined types of transactions and functions for authorized users? Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both.

Connections to external systems outside of the assessment scope: Do you control and manage connections between your company network and outside networks? Outside networks could include the public internet, your company's networks that fall outside of your CMMC Assessment Scope (e.g., an isolated lab), or a network that does not belong to your company.

External systems that are permitted to connect to or make use of organizational systems: Have you examined your access control policy; your procedures addressing the use of external systems; and your terms and conditions for external systems? Do external systems include processing, storage, or transmission of FCI, including accessing cloud services?

Methods to ensure authorized connections made to external systems: This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems.

External systems limited, including by policy or physical control: Have you examined the access control policy; procedures addressing the use of external systems; terms and conditions for external systems; system security plan; list of applications accessible from external systems; system configuration settings and associated documentation; system connection or processing agreements; account management documents; and other relevant documents or records?

Authorized individuals to post or process information on publicly accessible systems: Are individuals that are authorized to post or process information on publicly accessible systems identified? NOTE: Only government officials can be authorized to publicly release FCI. Do not allow FCI to become public.

Review process before and after posting content on publicly accessible systems: Is a review process in place prior to posting of any content to publicly accessible systems? Are publicly accessible systems reviewed to ensure that they do not include FCI? Are mechanisms in place to remove and address improper posting of FCI?

Procedures to remove and address improper posting: If FCI is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties.