SI.L3-3.14.3e
-
Requirement
Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test equipment are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.
-
Discussion
Organizations may have a variety of systems and system components in their inventory, including Information Technology (IT), Internet of Things (IoT), Operational Technology (OT), and Industrial Internet of Things (IIoT). The convergence of IT, OT, IoT, and IIoT significantly increases the attack surface of organizations and provides attack vectors that are challenging to address. Compromised IoT, OT, and IIoT system components can serve as launching points for attacks on organizational IT systems that handle CUI. Some IoT, OT, and IIoT system components can store, transmit, or process CUI (e.g., specifications or parameters for objects manufactured in support of critical programs). Most of the current generation of IoT, OT, and IIoT system components are not designed with security as a foundational property and may not be able to be configured to support security functionality. Connections to and from such system components are generally not encrypted, do not provide the necessary authentication, are not monitored, and are not logged. Therefore, these components pose a significant cyber threat. Gaps in IoT, OT, and IIoT security capabilities may be addressed by employing intermediary system components that can provide encryption, authentication, security scanning, and logging capabilities, thus preventing the components from being accessible from the Internet. However, such mitigation options are not always available or practicable. The situation is further complicated because some of the IoT, OT, and IIoT devices may be needed for essential missions and business functions. In those instances, it is necessary for such devices to be isolated from the Internet to reduce the susceptibility to cyber-attacks.
[NIST SP 800-160-1] provides guidance on security engineering practices and security design concepts.
-
Further Discussion
Specialized Assets are addressed in the scoping guidance, which should be overlaid on this requirement. The OSC must document Specialized Assets in the asset inventory; develop, document, and periodically update system security plans; and include Specialized Assets in the network diagram. The Specialized Asset section of the SSP should describe associated system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Specialized Assets within the Level 3 CMMC assessment scope must be either assessed against all CMMC requirements or separated into purpose-specific networks. Specialized Assets may have limitations on the application of certain security requirements. To accommodate such issues, the SSP should describe any mitigations.
Intermediary devices are permitted to mitigate an inability for the asset itself to implement one or more CMMC requirements.
The high-level list of Specialized Assets includes:
- Government Furnished Equipment;
- IoT and IIoT devices (physical or virtual) with sensing/actuation capability and programmability features;
- OT used in manufacturing systems, industrial control systems (ICS), or supervisory control and data acquisition (SCADA) systems;
- Restricted Information Systems, which can include systems and IT components that are configured based on government requirements; and
- Test equipment.
Example
You are responsible for information security in your organization, which processes CUI on the network, and this same network includes GFE for which the configuration is mandated by the government. The GFE is needed to process CUI [a]. Because the company cannot manage the configuration of the GFE, it has been augmented by placing a bastion host between it and the network. The bastion host meets the requirements that the GFE cannot, and is used to send CUI files to and from the GFE for processing. You and your security team document in the SSP all of the GFE, including GFE connectivity diagrams, a description of the isolation mechanism, and a description of how your organization manages risk associated with that GFE [a].
Potential Assessment Considerations
- Has the organization documented all specialized assets in asset inventory [a]?
- Has the organization documented all specialized assets in the SSP to show how risk is managed [b]?
- Has the organization provided a network diagram for specialized assets [a,b]?
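The Further Discussion and the assessment considerations above amount to a set of checks an assessor or OSC can run over the asset inventory: every Specialized Asset must be in the SSP and on the network diagram, must be either assessed against all requirements or placed in a purpose-specific network, and, where it relies on an intermediary (such as the bastion host in the Example), that intermediary must itself be inventoried and assessed. The script below is an added illustration of those checks and is not part of the CMMC assessment guide; the inventory fields, asset names and the sample inventory are constructed assumptions, not a standard schema.

```python
"""Inventory consistency check for SI.L3-3.14.3e (Specialized Assets).

Added illustration, not part of the CMMC assessment guide. The Asset fields
and SAMPLE_INVENTORY below are constructed assumptions about how an OSC might
record its inventory; real inventories will use different schemas.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Asset categories the guide lists as Specialized Assets.
SPECIALIZED_TYPES = {
    "GFE", "IoT", "IIoT", "OT", "Restricted Information System", "Test Equipment",
}


@dataclass
class Asset:
    name: str
    asset_type: str
    in_ssp: bool                       # documented in the SSP Specialized Asset section
    on_network_diagram: bool           # appears on the network diagram
    fully_assessed: bool               # assessed against all Level 3 requirements
    segregated_network: Optional[str]  # purpose-specific network name, or None
    internet_reachable: bool           # directly reachable from the Internet
    intermediary: Optional[str]        # bastion/gateway mediating its connections, or None
    handles_cui: bool                  # stores, transmits, or processes CUI


Finding = Tuple[str, str]  # (asset name, description of the gap)


def check_inventory(assets: List[Asset]) -> List[Finding]:
    """Return one finding per gap between the inventory and the requirement."""
    by_name = {a.name: a for a in assets}
    findings: List[Finding] = []
    for a in assets:
        if a.asset_type not in SPECIALIZED_TYPES:
            continue  # ordinary IT assets are assessed under the normal scope
        if not a.in_ssp:
            findings.append((a.name, "not documented in the SSP"))
        if not a.on_network_diagram:
            findings.append((a.name, "missing from the network diagram"))
        # The core either/or of the requirement: full assessment or segregation.
        if not a.fully_assessed and a.segregated_network is None:
            findings.append((a.name, "neither assessed against all requirements nor segregated"))
        # An intermediary only mitigates if it exists and is itself assessed.
        if a.intermediary is not None:
            gw = by_name.get(a.intermediary)
            if gw is None:
                findings.append((a.name, f"intermediary {a.intermediary!r} is not in the inventory"))
            elif not gw.fully_assessed:
                findings.append((a.name, f"intermediary {a.intermediary!r} is not fully assessed"))
        # Devices that cannot meet the requirements must not face the Internet directly.
        if a.internet_reachable and a.intermediary is None:
            findings.append((a.name, "directly reachable from the Internet with no intermediary"))
        if a.handles_cui and not a.fully_assessed and a.intermediary is None:
            findings.append((a.name, "handles CUI but has neither full assessment nor an intermediary"))
    return findings


def findings_by_asset(assets: List[Asset]) -> Dict[str, List[str]]:
    """Group findings by asset name for reporting."""
    grouped: Dict[str, List[str]] = {}
    for name, msg in check_inventory(assets):
        grouped.setdefault(name, []).append(msg)
    return grouped


# Constructed sample inventory (hypothetical names and values).
SAMPLE_INVENTORY = [
    Asset("bastion-01", "IT", True, True, True, None, False, None, True),
    Asset("gfe-ws-01", "GFE", True, True, False, "GFE-ENCLAVE", False, "bastion-01", True),
    Asset("cnc-mill-07", "OT", False, True, False, None, True, None, False),
    Asset("badge-reader-03", "IoT", True, True, False, "IOT-NET", False, "iot-gw-09", False),
    Asset("scope-meter-12", "Test Equipment", True, True, True, None, False, None, False),
]

if __name__ == "__main__":
    for name, msgs in findings_by_asset(SAMPLE_INVENTORY).items():
        for msg in msgs:
            print(f"{name}: {msg}")
```

In the constructed sample, the GFE workstation mirrors the Example above (segregated, mediated by an assessed bastion host) and produces no findings, while the OT controller that is absent from the SSP, unsegregated and Internet-facing produces three, and the IoT device that names an intermediary nobody inventoried produces one.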