System Security Plan — Excerpt
Prepared in accordance with NIST SP 800-171 Rev. 2 for CMMC Level 2 self-assessment
AC.L2-3.1.1 — Authorized Access Control
Family: Access Control
Requirement. Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
The organization limits system access by maintaining an authoritative list of approved users and system accounts in a shared Microsoft 365 SharePoint site; the system owner and information security officer review and update this list quarterly. All Windows endpoints require Active Directory domain membership, and remote access requires multi-factor authentication through Azure AD, so that only personnel with a valid business need and documented approval can log in to systems that hold controlled unclassified information (CUI). Local administrator accounts are disabled on all endpoints except for designated system administrators, whose activities are logged and audited monthly. The network firewall and switches restrict inbound and outbound connections to approved IP addresses and ports only, which prevents unauthorized devices from connecting to the network. Service accounts used by automated processes such as backup utilities and file synchronization tools are created under the principle of least privilege, granted only the minimum permissions their specific function requires, and their credentials are stored securely in Microsoft 365 Vault. In a quarterly access review, managers certify that all active accounts and device permissions remain appropriate for their users' current roles; accounts and devices that are no longer required are promptly disabled and removed from network resources. Every access grant and revocation is recorded in the organization's access control log with the date, approver name, and business justification, producing an auditable record of who is authorized to access which systems.
IA.L2-3.5.3 — Multifactor Authentication
Family: Identification and Authentication
Requirement. Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Our organization implements multifactor authentication (MFA) for all privileged and non-privileged network access using Microsoft 365's built-in capabilities and Azure Active Directory conditional access policies. All privileged accounts, including domain administrators, system administrators, and accounts with access to controlled unclassified information (CUI), must use MFA via the Microsoft Authenticator app or hardware security keys when authenticating to on-premises Active Directory and to cloud services; Azure AD conditional access rules enforce MFA for these accounts on every sign-in attempt. For non-privileged accounts accessing our network remotely or through cloud services, a tenant-wide Microsoft 365 conditional access policy requires the Authenticator app, SMS, or email verification for network access; the policy targets all users accessing email, SharePoint, Teams, and other cloud resources where CUI may be stored or transmitted. For local access, Windows Hello for Business is deployed on domain-joined endpoints as a strong authentication method that satisfies the MFA requirement for privileged users logging into workstations, while traditional username and password plus MFA remains available for non-privileged local access. All MFA events are logged in Azure AD audit logs and the Windows Security Event Log, and the logs are retained for a minimum of one year to support audit and incident response activities. We review MFA enrollment and bypass exceptions quarterly to confirm continued compliance, and any exception to the requirement is documented in our access control procedures with management approval.
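The quarterly reviews described under AC.L2-3.1.1 (authoritative approved-user list versus active accounts) and IA.L2-3.5.3 (MFA enrollment of privileged accounts) reduce to the same reconciliation. The script below is an added illustration and is not the organization's own tooling: it compares a constructed directory export against a constructed approved-user list and returns the findings a reviewer would act on. The CSV column names (username, role, approver, justification, enabled, privileged, mfa_enrolled) and the sample accounts are assumptions made for the example.

```python
"""Quarterly access and MFA review reconciliation (added example).

Compares an export of active accounts against the authoritative approved list
and reports:
  - active accounts absent from the approved list (candidates to disable)
  - approved entries with no active account (stale approvals)
  - privileged accounts not enrolled in MFA (policy violation)
  - approved entries lacking an approver or business justification
Column names and sample data are assumptions, not the SSP's own artifacts.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed authoritative list, as the SharePoint export might look (assumed layout).
APPROVED_CSV = """\
username,role,approver,justification
alice,engineer,jsmith,CUI project X
bob,sysadmin,jsmith,endpoint administration
carol,engineer,,
dave,contractor,jsmith,legacy migration
"""

# Constructed directory export with privilege and MFA state (assumed layout).
ACTIVE_CSV = """\
username,enabled,privileged,mfa_enrolled
alice,true,false,true
bob,true,true,false
erin,true,true,true
carol,true,false,true
frank,false,false,false
svc_backup,true,true,true
"""


@dataclass
class ReviewFindings:
    unapproved_active: list = field(default_factory=list)
    stale_approvals: list = field(default_factory=list)
    privileged_without_mfa: list = field(default_factory=list)
    incomplete_approvals: list = field(default_factory=list)


def _truthy(value: str) -> bool:
    """Interpret the boolean-ish strings found in CSV exports."""
    return value.strip().lower() in {"true", "1", "yes"}


def reconcile(approved_csv: str, active_csv: str) -> ReviewFindings:
    """Reconcile approved entries against enabled accounts and collect findings."""
    approved = {r["username"]: r for r in csv.DictReader(io.StringIO(approved_csv))}
    # Disabled accounts are out of scope; only enabled accounts can grant access.
    active = {
        r["username"]: r
        for r in csv.DictReader(io.StringIO(active_csv))
        if _truthy(r["enabled"])
    }
    findings = ReviewFindings()
    for name, rec in sorted(active.items()):
        if name not in approved:
            findings.unapproved_active.append(name)
        if _truthy(rec["privileged"]) and not _truthy(rec["mfa_enrolled"]):
            findings.privileged_without_mfa.append(name)
    for name, rec in sorted(approved.items()):
        if name not in active:
            findings.stale_approvals.append(name)
        if not rec["approver"].strip() or not rec["justification"].strip():
            findings.incomplete_approvals.append(name)
    return findings


if __name__ == "__main__":
    result = reconcile(APPROVED_CSV, ACTIVE_CSV)
    print("Disable (not on approved list):", result.unapproved_active)
    print("Stale approvals (no active account):", result.stale_approvals)
    print("Privileged without MFA:", result.privileged_without_mfa)
    print("Approvals missing approver/justification:", result.incomplete_approvals)
```

With the constructed data, the service account svc_backup is flagged because it is enabled but absent from the approved list, which is exactly the case where a least-privilege service account exists outside the documented inventory; bob is flagged as a privileged account without MFA enrollment, and carol's approval lacks the approver and justification the access control log requires.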
IR.L2-3.6.1 — Incident Handling
Family: Incident Response
Requirement. Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
Our organization establishes its incident-handling capability through a documented Incident Response Plan that defines roles, responsibilities, and procedures across all six required phases:
Preparation: annual security awareness training for all employees and maintenance of an updated inventory of critical systems and data flows.
Detection: Windows Defender alerts, Microsoft 365 security alerts, and user reporting through our designated incident reporting email (incidents@company.com).
Analysis: performed by our IT manager and security lead, who document findings in a central incident log maintained on a password-protected shared drive.
Containment: actions such as isolating affected systems from the network, resetting credentials, or disabling accounts, executed immediately upon confirmation of a security event.
Recovery: restoring systems from tested backups maintained on separate storage and validating system functionality before returning them to production.
User response: notifying affected employees of breaches involving their data per our notification procedures and providing guidance on protective actions such as password changes or credit monitoring.
The Incident Response Plan is reviewed and tested annually through tabletop exercises, and all personnel with incident-handling responsibilities receive training on their specific duties during the annual security training cycle. Each incident is logged with its date, time, nature, systems affected, actions taken, and lessons learned so that our incident response capabilities improve continuously.