DFARS 252.204-7012: How effective are your access controls?

Access control is one of the fourteen families of security requirements in NIST SP 800-171. The standard sets a baseline for protecting controlled unclassified information (CUI) on non-federal systems, and implementing it is required of any organization in the Defense Industrial Base (DIB) that handles covered defense information. That requirement comes from DFARS clause 252.204-7012, which has been included in DoD contracts since 2016, with full implementation of SP 800-171 required by December 31, 2017.

What is access control?

Access control is central to information security because it governs who may access which information and what they may do with it. For DFARS 252.204-7012 compliance, the controls must cover every system that stores, processes or transmits covered defense information, including the CUI that the US Department of Defense shares with its contractors.

To protect your data effectively, you need both a comprehensive policy and a way to enforce it reliably. Policy determines who should have access to what; enforcement is the mechanism that checks every request against that policy. Note that access control is distinct from authentication: authentication verifies that users are who they say they are (NIST SP 800-171 treats it as a separate family, Identification and Authentication), while access control decides what an authenticated identity is allowed to do. Multifactor authentication strengthens the first step, and an access decision is only as trustworthy as the identity it is based on, but it does not by itself enforce the policy.

There are several access control models. Under mandatory access control (MAC), the system enforces a central policy based on labels assigned to data and clearances assigned to users, and neither the data owner nor the user can override it. Under discretionary access control (DAC), the owner of a resource decides who may use it, typically through an access control list. Role-based access control (RBAC) attaches permissions to roles rather than to individuals, which makes least privilege and separation of duties (both required by NIST SP 800-171 under the Access Control family) far easier to manage at scale. Attribute- or rule-based models grant access on conditions such as time of day, device state or network location. Most organizations combine models; what matters is that the chosen policy is written down and enforced consistently.
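To make the difference between the models concrete, here is an added example (not code from the original article) that evaluates one access request under mandatory, discretionary and role-based rules. Every subject, object, label, role and ACL in it is constructed for illustration; the labels follow the classic no-read-up / no-write-down rule so that an owner's ACL grant cannot leak labeled data to a lower clearance.

```python
"""Access decisions under mandatory, discretionary and role-based models.

Added example, not code from the original article. Every subject, object,
label, role and ACL below is constructed for illustration.
"""
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels; a higher value means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CUI = 2  # controlled unclassified information


# Constructed role-to-permission table (RBAC).
ROLE_PERMS = {
    "engineer": {"read"},
    "contracts_officer": {"read", "write"},
}

# Constructed subjects: a clearance (for MAC) and a set of roles (for RBAC).
ENGINEER = {"name": "eve", "clearance": Level.INTERNAL, "roles": {"engineer"}}
OFFICER = {"name": "omar", "clearance": Level.CUI, "roles": {"contracts_officer"}}

# Constructed object: a label (for MAC) and an owner-maintained ACL (for DAC).
# The owner has chosen to let eve read it; the mandatory rule will not let that stand.
CUI_DOC = {
    "name": "contract-deliverable.docx",
    "label": Level.CUI,
    "acl": {"eve": {"read"}, "omar": {"read", "write"}},
}


def mac_allows(clearance, label, action):
    """Mandatory: a system-enforced label rule that nobody can override.

    No-read-up / no-write-down (Bell-LaPadula) rules: a subject may read only
    objects at or below its clearance, and write only to objects at or above
    it, so sensitive content cannot flow into a less sensitive label.
    """
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    return False


def dac_allows(acl, subject_name, action):
    """Discretionary: the owner's access control list decides."""
    return action in acl.get(subject_name, set())


def rbac_allows(role_perms, subject_roles, action):
    """Role-based: permissions attach to roles, roles attach to subjects."""
    return any(action in role_perms.get(role, set()) for role in subject_roles)


def decide(subject, obj, action):
    """Combined decision: every applicable model must allow; any denial wins."""
    return (
        mac_allows(subject["clearance"], obj["label"], action)
        and rbac_allows(ROLE_PERMS, subject["roles"], action)
        and dac_allows(obj["acl"], subject["name"], action)
    )


if __name__ == "__main__":
    for subject in (ENGINEER, OFFICER):
        for action in ("read", "write"):
            verdict = "allow" if decide(subject, CUI_DOC, action) else "deny"
            print(f"{subject['name']:5} {action:5} {CUI_DOC['name']}: {verdict}")
```

Running it shows eve denied read access to the CUI document even though the owner's ACL grants it: the mandatory label rule wins, which is exactly the property that distinguishes MAC from DAC. Omar's role grants write, and a write from a CUI clearance into a CUI-labeled object satisfies the no-write-down rule, so it is allowed.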

Here are the main ways you can evaluate and improve the effectiveness of your existing access controls:

Distributed IT environments

Most organizations today have highly complex IT environments distributed across a blend of in-house systems and private, public, and hybrid cloud architectures. Data is collected, stored, and transmitted across myriad systems and between an ever-increasing number of endpoints. This poses significant challenges when it comes to applying and enforcing access controls.

When employees have to log into many different systems just to do their jobs, there is a real risk of password fatigue, which hinders productivity and, in the worst case, encourages lax security practices. To counter this, organizations need an integrated approach to identity and login management, for example a central directory or identity provider that every system authenticates against, rather than a separate local account on each one.

If your current access controls are not uniform across the organization and its systems, many risks could arise. Some of these might only seem like a matter of inconvenience, such as the need to remember multiple sets of login details. However, it may also encourage employees to reuse passwords across systems, which can severely compromise access control.

Multifactor authentication

Information security has long centered on passwords, but the average person now has to remember dozens of sets of credentials for different systems. The result is widespread password reuse, which undermines access controls: a password stolen from one system unlocks every other system where it was reused. Passwords are also inherently vulnerable to phishing and other social engineering attacks, since a user can simply be tricked into handing one over.

While a strong password policy remains important, passwords by themselves are not a satisfactory access control measure. There needs to be an additional authentication layer, especially for systems that store or transmit sensitive information. Multifactor authentication combines two or more independent factors (something you know, something you have, something you are) to verify that a user is who they say they are. NIST SP 800-171 makes this explicit: requirement 3.5.3 calls for multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Applying and enforcing multifactor authentication is very effective, because an attacker who has phished or guessed a password still lacks the second factor. Not all factors are equal, though: one-time codes sent by SMS and push-to-approve prompts can themselves be phished or worn down by repeated prompts, whereas hardware-backed authenticators such as FIDO2 security keys are phishing-resistant. MFA also places an additional burden on employees, which is why it is best combined with single sign-on (SSO) so that users authenticate strongly once and then reach every system through that session. Keep in mind that the SSO identity provider then becomes the single most valuable target in the environment, so it must itself be protected with MFA and closely monitored.

Monitoring and reporting

Even the most robust access controls mean little without comprehensive monitoring and reporting. NIST SP 800-171, and therefore DFARS 252.204-7012, requires that systems create and retain audit logs sufficient to trace actions to individual users, that those logs be reviewed, and that remote access sessions be monitored and controlled (the Audit and Accountability family, together with access control requirement 3.1.12).

Monitoring and reporting should cover your entire computing architecture, and it is much easier to maintain visibility into who has access to what, and when, if you take a unified approach: every user account on every system should feed a single monitoring system that runs around the clock and sends alerts when it detects anomalous behavior.

For example, an alert might be triggered if someone logs in, or attempts to log in, from an unrecognized device or location. Multifactor authentication may stop such an attempt, but monitoring still ensures that administrators see it: a successful login from a new country, or a burst of failed attempts against one account, is the signal that lets them investigate before a potential attack becomes a serious problem.
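The unrecognized-device-or-location rule above is simple enough to show end to end. The following is an added example, not code from the original article or any product it mentions; the log format, the per-user baselines and the log records are all constructed. It compares each login against the devices and countries the user has been seen from before and raises an alert for anything new, including an account that has no baseline at all.

```python
"""Flag logins from devices or locations a user has not been seen on before.

Added example, not code from the original article. The log format, the
per-user baselines and the log records below are all constructed.
"""

# Constructed baselines: devices and countries each user has logged in
# from before. In practice these are learned from a trailing window of
# successful, MFA-verified logins rather than hand-maintained.
KNOWN_DEVICES = {
    "alice": {"laptop-0142"},
    "bob": {"laptop-0207", "phone-0207"},
}
KNOWN_COUNTRIES = {
    "alice": {"US"},
    "bob": {"US"},
}

# Constructed sample records, one per line:
# <timestamp> <user> <device-id> <country> <outcome>
SAMPLE_LOG = """\
2021-03-01T08:02:11Z alice laptop-0142 US success
2021-03-01T08:05:40Z bob laptop-0207 US success
2021-03-01T23:47:03Z alice desktop-9911 RO success
2021-03-01T23:51:19Z bob phone-0207 US failure
2021-03-02T02:14:55Z bob phone-0207 BR success
2021-03-02T02:16:02Z carol laptop-0300 US success
"""


def parse_line(line):
    """Split one record into a dict; raises ValueError on a malformed line."""
    ts, user, device, country, outcome = line.split()
    return {"ts": ts, "user": user, "device": device,
            "country": country, "outcome": outcome}


def evaluate(record, known_devices, known_countries):
    """Return the reasons a login record is anomalous (empty list = normal).

    A user with no baseline at all (first login ever seen) is flagged, since
    an unknown account using the system is exactly what an admin wants to see.
    """
    reasons = []
    user = record["user"]
    if user not in known_devices and user not in known_countries:
        reasons.append("no baseline for user")
        return reasons
    if record["device"] not in known_devices.get(user, set()):
        reasons.append("unknown device")
    if record["country"] not in known_countries.get(user, set()):
        reasons.append("unknown country")
    return reasons


def scan(log_text, known_devices, known_countries):
    """Run every record through evaluate() and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        reasons = evaluate(record, known_devices, known_countries)
        if reasons:
            alerts.append({"ts": record["ts"], "user": record["user"],
                           "outcome": record["outcome"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, KNOWN_DEVICES, KNOWN_COUNTRIES):
        print(f"{alert['ts']} {alert['user']:6} {alert['outcome']:8} "
              + ", ".join(alert["reasons"]))
```

On the constructed log this raises three alerts: alice from a new device in a new country, bob from a known phone but a new country, and carol, who has no baseline. Bob's failed login from his usual phone in his usual country is deliberately not flagged here; failed-attempt bursts are a separate detection (account lockout and brute-force rules) and are best kept out of a device-and-location rule so that each alert has one clear meaning.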

Charles IT thoroughly assesses your existing security and compliance architecture by starting with a comprehensive analysis and providing the services and expertise necessary to maintain compliance with DFARS 252.204-7012. Contact us today to schedule your assessment.