How Okta Can Help Meet CMMC Identity and Access Management Requirements
If your organization provides products or services to the U.S. Department of Defense either as a prime contractor or a subcontractor, then you’ve probably heard a lot about CMMC lately.
In this post, I’ll provide some background about what CMMC is and share a breakdown of how using Okta can help your organization meet specific controls required by CMMC.
What is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified framework released by the Department of Defense that outlines cybersecurity requirements for organizations that contract, subcontract, or work within the defense industrial base (DIB). The certification is made up of 5 maturity levels across 17 capability domains encompassing 43 capabilities. These elements are derived from the [Defense] Federal Acquisition Regulation Supplement (FARS/DFARS) - Controlled Unclassified Information (CUI) regulation and NIST SP 800-171.
The purpose of the CMMC is to establish clear technical and operational parameters for contractors that handle sensitive government information and serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
Organizations contracting within the defense industry will need to adequately meet the technical requirements outlined in CMMC.
How Okta can help
Okta provides its customers with access control, auditing, accountability, identification, and authentication tools that can help them meet CMMC requirements (See the DFARS Interim Rule presented here).
See the table below for key CMMC controls within these categories, along with details on how Okta helps customers meet each requirement.
Please Note: A blank cell in the table means there is no established requirement for that control at that particular CMMC level. Review all CMMC levels to determine where the system is compliant.
| Control | CMMC Level 1: Control Description | CMMC Level 1: How Okta Can Help | CMMC Level 2: Control Description | CMMC Level 2: How Okta Can Help |
|---|---|---|---|---|
| Access Control | | | | |
| C001 Establish system access requirements | AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | Okta offers sophisticated lifecycle entitlement management that can help organizations manage the right level of access to the right applications through a set of centrally managed policies. Administrators can easily set access and entitlement rules based on attributes, such as user group membership. Okta provides visibility into who has access to what data via simple access governance that offers the ability to see all users who have access to specific applications. | AC.2.005 | The Okta customer portal offers the ability to configure an access banner and notification through the Okta Admin panel for when the Technical Operations administrator attempts to SSH into the associated IDaaS production infrastructure host(s). |
| C002 Control internal system access | AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Privileged users can be placed into a group, and control around accounts and resources can be provided within this group. Defined users can be assigned to established groups and be provided access to applications and services by group. | AC.2.007, AC.2.008, AC.2.009, AC.2.010, AC.2.011 | Privileged users can be placed into a group, and control around accounts and resources can be provided within this group. Defined users can be assigned to established groups and provided access to applications and services by group. Okta's Single Sign-On (SSO) and Multi-Factor Authentication (MFA) solutions allow IT admins to manage unsuccessful log-on attempts in accordance with the organization's policy. |
| C003 Control remote system access | | | AC.2.013, AC.2.015 | Okta's IAM and MFA solutions offer a non-disruptive, non-intrusive, easily integrated solution that works with your Virtual Private Network (VPN), Remote Desktop Protocol (RDP), and Secure Shell (SSH). Okta's IAM maintains logs for monitoring and supports requiring MFA for initial access to remote sessions. |
| C004 Limit data access to authorized users and processes | AC.1.003, AC.1.004 | Okta's SSO and MFA solutions can verify and control connections to external systems. While customers are responsible for managing the disclosure of their own sensitive information, Okta's internal Corporate Communications team reviews all content on the Okta public website quarterly to ensure nonpublic information is not posted. | AC.2.016 | The flow of information within Okta information systems and between interconnected systems (as applicable) is enforced via approved authorizations configured on the principle of least privilege. As a result, there must be a legitimate business need, and access is further limited to the least amount of privilege necessary to complete the required task. |
| Auditing and Accountability | | | | |
| C007 Define audit requirements | | | AU.2.041 | The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. Okta requires unique User IDs assigned to individuals. Okta uses system clocks to generate audit logs. Okta system clocks are synchronized using Network Time Protocol (NTP) servers with the AWS Stratum 1 time source and can be mapped to UTC. Clock synchronization is configured with Chef recipes to ensure that system clocks are checked at least hourly and maintain minimal drift. |
| C008 Perform auditing | | | AU.2.043 | |
| C009 Identify and protect audit information | | | | |
| C010 Review and manage audit logs | | | | |
| Identification and Authentication | | | | |
| C015 Grant access to authenticated entities | IA.1.076 Identify information system users, processes acting on behalf of users, or devices. | Okta's identity-led security framework can help organizations with their IAM control challenges by centralizing identity integration with Active Directory and LDAP to verify and manage users accessing corporate resources. | IA.2.078 | Okta's centralized management console allows IT professionals to adjust password length, complexity, and update schedules in keeping with current NIST guidelines. |
| | IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Policy guidance is set by the organization, but Okta's flexible policy framework allows for step-up authentication to verify users before they access accounts and services using Okta's SSO and MFA. | IA.2.079 Prohibit password reuse for a specified number of generations. | Password policies can be established to ensure a user's new password does not match previous passwords, in accordance with the organization's policy guidance. Using common password detection can help you meet compliance guidelines by detecting and preventing users from defining weak or breached passwords. |
| | | | IA.2.080 Allow temporary password use for system logons with an immediate change to a permanent password. | Okta provides customers with the ability to set strong password policies supported by MFA. The customer is responsible for setting up unique IDs and passwords for all users of the IDaaS front-end portal, as well as creating and maintaining the policies and procedures for the creation, modification, and deletion of all user identification and authentication credentials. |
| | | | IA.2.081 Store and transmit only cryptographically-protected passwords. | While Okta stores and transmits only cryptographically-protected passwords, customers are responsible for doing the same to meet this requirement. |
| | | | IA.2.082 Obscure feedback of authentication information. | Authentication to the management console requires an associated IAM account. When entering the associated password into IAM, only bullets are displayed on the screen, obscuring the authenticator feedback. |
To learn more about how Okta can help your organization meet CMMC requirements, contact us here.
While this article discusses certain legal concepts, it does not constitute legal advice. It is provided for informational purposes only. For legal advice regarding your organization's compliance needs, please consult your organization's legal department. Okta makes no representations, warranties, or other assurances regarding the content of this article. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.