When I read through the CMMC Level 1 Assessment Guide, I noticed that the objectives for AC.1.001 include a requirement that “processes acting on behalf of authorized users are identified” and that “system access is limited to processes acting on behalf of authorized users”. How do you meet these objectives? Put another way, to truly meet these objectives, do I need to whitelist software at the process level? And how do I demonstrate to an Assessment Team that system access is limited to processes acting on behalf of authorized users? Most malware is designed to circumvent these kinds of process restrictions, such as by acting as a Trojan Horse or injecting malicious code into existing processes. So how do I definitively prove that system access is limited [only] to legitimate processes when even the best tools out there can’t stop unauthorized processes from running?
I don’t think the whitelist is required. I think knowing which accounts are used for what is the key. If you can demonstrate that you know what all accounts are there for and there is a business justification for those accounts, I view that as the spirit of the practice. If an account is used to connect or is “hard coded” or otherwise part of an automated process, I will want to understand what the reason for that is and how to ensure the account is only used for that purpose.
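One way to turn the answer above into evidence an assessor can look at is to reconcile the accounts that actually exist on a host against a documented inventory (owner, business justification, permitted use) and to flag automation or service accounts that show up in logon events outside their documented purpose. The script below is an added example, not code from either poster or from the CMMC guide; the inventory format, the `/etc/passwd`-style lines, the simplified auth-log format and the `AccountRecord` fields are all assumptions constructed for illustration.

```python
"""
Added example (not part of the original thread): reconcile the accounts present
on a host against a documented account inventory, and flag automation/service
accounts that appear in logon events outside their documented purpose.

Assumptions (hypothetical): the inventory schema, the /etc/passwd-style account
list and the auth log lines below are all constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class AccountRecord:
    name: str
    owner: str          # person or team accountable for the account
    justification: str  # business reason the account exists
    kind: str           # "user" or "service"
    allowed_use: set    # logon types the account is permitted to use


# Constructed account inventory: every account, who owns it, why it exists,
# and how it is allowed to be used. This is the register an assessor asks for.
INVENTORY = {
    "alice": AccountRecord("alice", "A. Smith", "Engineering staff", "user", {"interactive", "ssh"}),
    "backup": AccountRecord("backup", "IT Ops", "Nightly backup job (cron)", "service", {"cron"}),
    "svc_web": AccountRecord("svc_web", "Web team", "Runs the web server process", "service", {"daemon"}),
}

# Constructed /etc/passwd-style lines observed on the host.
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1001:1001:Backup:/var/backups:/usr/sbin/nologin
svc_web:x:1002:1002:Web service:/var/www:/usr/sbin/nologin
tmpuser:x:1003:1003::/home/tmpuser:/bin/bash
"""

# Constructed auth log lines in a simplified fixed format (in practice these
# would come from auditd, sshd or journald and need a real parser).
AUTH_LOG = """\
2024-05-01T02:00:01 logon account=backup type=cron
2024-05-01T08:12:43 logon account=alice type=ssh
2024-05-01T09:30:10 logon account=backup type=ssh
2024-05-01T10:00:00 logon account=svc_web type=daemon
"""

# Built-in accounts documented elsewhere (assumption for this example).
SYSTEM_ACCOUNTS = {"root"}


def accounts_from_passwd(text):
    """Return the set of account names present in passwd-style text."""
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}


def undocumented_accounts(present, inventory, ignore=SYSTEM_ACCOUNTS):
    """Accounts on the host with no inventory entry (no owner, no justification)."""
    return sorted(present - set(inventory) - ignore)


def stale_inventory_entries(present, inventory):
    """Inventory entries for accounts that no longer exist on the host."""
    return sorted(set(inventory) - present)


def parse_auth_log(text):
    """Parse the constructed log format into (account, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        events.append((fields["account"], fields["type"]))
    return events


def misused_accounts(events, inventory):
    """Logon events where an account is used outside its documented purpose."""
    findings = []
    for account, logon_type in events:
        rec = inventory.get(account)
        if rec is None:
            findings.append((account, logon_type, "not in inventory"))
        elif logon_type not in rec.allowed_use:
            findings.append((account, logon_type,
                             f"{rec.kind} account permitted only {sorted(rec.allowed_use)}"))
    return findings


def run_report():
    """Produce the three findings lists an assessor would want to see."""
    present = accounts_from_passwd(PASSWD_LINES)
    return {
        "undocumented": undocumented_accounts(present, INVENTORY),
        "stale": stale_inventory_entries(present, INVENTORY),
        "misuse": misused_accounts(parse_auth_log(AUTH_LOG), INVENTORY),
    }


if __name__ == "__main__":
    for key, value in run_report().items():
        print(key, value)
```

With the constructed data, the report flags `tmpuser` as an account with no owner or justification and flags the `backup` service account for an SSH logon when its only documented use is the cron job; those two findings are exactly the kind of thing the answer says an assessor will ask about. Run periodically and kept with the inventory, the output doubles as the evidence that the account-to-purpose mapping is maintained rather than written once.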