by Neil Shrestha-Birtch and Daniel Park
As help desks and Managed Service Providers (MSPs) face incoming compliance requirements from the CMMC framework, they may turn to Security Technical Implementation Guides (STIGs) to help them achieve compliance and fortify their cybersecurity.
CyberQP Partners can use their Just-in-Time access policies to implement STIGs as part of their cybersecurity strategy, and proactively take steps towards meeting CMMC requirements that call for proper management of privileged access. By combining CyberQP Passwordless Just-in-Time Access and your access policies, you can simplify the process of creating multiple unique accounts manually for each technician.
A Brief Refresher on CMMC and NIST
The Cybersecurity Maturity Model Certification (CMMC) gives defense contractors for the federal government a five-level compliance framework (with Level 1 representing the lowest maturity level, and Level 5 representing the highest) outlined by the United States Department of Defense.
The CMMC framework expands on DFARS 252.204-7012, a previous compliance standard that requires defense contractors handling CUI to comply with the guidelines under NIST 800-171, and offers a way to enforce these requirements, after relying on companies to certify themselves was leading to $600 billion a year in losses due to data breaches, according to a 2019 report.
What Are STIGs?
To help organizations that need to align with NIST standards, the Defense Information Systems Agency (DISA) has released STIGs, a library of technical implementations to help organizations standardize on implementing these best practices. This includes Group Policy Templates to enforce proper access controls across an organization’s environments, including not permitting local logins on non-domain controllers for domain and enterprise admins.
The CyberQP team has read through these technical implementations, and recommends that our partners’ admins use the following policies to meet these requirements:
- AD: Single Domain Administration
- Privilege: Domain Admins
- Policy Name: Domain Admin Policy
- Linked Technician Group: Domain Admin Technicians
- AD: Entire Forest Administration
- Privilege: Enterprise Admins
- Policy Name: Enterprise Admin Policy
- Linked Technician Group: Enterprise Admin Technicians
- LOCAL: Workstation Administration
- Privilege: Administrators
- Policy Name: Workstation Admin Policy
- Linked Technician Group: Workstation Admin Technicians
By using Group Policy Objects (GPO) and User Rights assignments, you can restrict Domain and Enterprise Admins to specific systems, enhancing security by preventing unauthorized access.
How CyberQP’s Privileged JIT Accounts Help IT Teams Align With STIGs
CyberQP’s Privileged Just-in-Time Accounts are designed to help MSPs follow the Principle of Least Privilege, and is prepared to help technician team managers that must align with NIST requirements.
Because our JIT accounts add users from privileged groups for a limited amount of time, and remove them once the time limit expires, CyberQP Partners are equipped to perform multiple tasks with one JIT account, remaining in compliance with cyber insurance eligibility requirements.
For example, if a technician has two tickets in a day, and they need to manage a domain controller in one and a server in another, they can use domain admin privileges for the domain controller ticket, and once those privileges are stripped, they can add their JIT account to the server admin group to work on the server.
Looking Ahead
While CyberQP is prepared to help partners interested in aligning with the STIG controls, we’re also looking ahead for ways to evolve our partners further, and ensure we’re prepared to help them once the United States government is prepared to enforce CMMC requirements. As we continue to improve the Just-in-Time experience for technicians, we’ll be offering pre-built policies to support compliance use cases and adhere to controls, especially for MSPs where technicians are managing everything.
Ready to get started? Book some time with a product specialist to see how we can help you on your compliance journey.