IA.L3-3.5.3e Block Untrusted Assets
Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.
Source: NIST SP 800-172 3.5.3e
Discussion: Identification and authentication of system components and component configurations can be determined, for example, via a cryptographic hash of the component. This is also known as device attestation and known operating state or trust profile. A trust profile based on factors such as the user, authentication method, device type, and physical location is used to make dynamic decisions on authorizations to data of varying types. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt the identification and authentication of other devices. [IR 8011-1] provides guidance on using automation support to assess system configurations.
Assessment Objectives:
Determine if:
- [a] System components that are known, authenticated, in a properly configured state, or in a trust profile are identified;
- [b] Automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems are identified; and
- [c] Automated or manual/procedural mechanisms are employed to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.
Examine: [SELECT FROM: Configuration management policy; identification and authentication policy; system and information integrity policy; procedures addressing system component inventory; procedures addressing device identification and authentication; procedures addressing device configuration management; procedures addressing system monitoring tools and techniques; configuration management plan; security plan; system design documentation; system configuration settings and associated documentation; system inventory records; configuration management records; system monitoring records; alerts/notifications of unauthorized components within the system; change control records; system audit records; system monitoring tools and techniques documentation; documented authorization/approval of network services; notifications or alerts of unauthorized network services; system monitoring logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for managing the mechanisms implementing unauthorized system component detection; organizational personnel responsible for device identification and authentication; organizational personnel responsible for information security; organizational personnel responsible for installing, configuring, and/or maintaining the system; system/network administrators; organizational personnel responsible for monitoring the system; system developers].
Test: [SELECT FROM: Mechanisms implementing the detection of unauthorized system components; mechanisms supporting and/or implementing a device identification and authentication capability; mechanisms for providing alerts; mechanisms supporting and/or implementing configuration management; cryptographic mechanisms supporting device attestation; mechanisms supporting and/or implementing a system monitoring capability; mechanisms for auditing network services].
SPRS Score: 1
POA&M Allowed: Yes