Can your employees work remotely and still achieve CMMC compliance? Five years after the COVID-19 pandemic, remote work has become a staple in many organizations. Employees can log in from anywhere in the world, from the comfort of their own home, and accomplish the same tasks they could in the office. However, this convenience comes with its own security risks. An organization's attack surface grows drastically as more and more unmanaged personal devices are given access to private data. Without security policies, monitoring, and patching procedures, cyber criminals will have a significantly easier time accessing and stealing sensitive information. Ensuring that your remote workers are secure is especially important if you are a Department of Defense (DoD) contractor with an obligation to comply with CMMC requirements. This blog will outline how remote work and BYOD practices can work in tandem with CMMC compliance requirements.
What are the CMMC Requirements?
The Cybersecurity Maturity Model Certification (CMMC) was developed to validate that defense contractors are protecting controlled unclassified information (CUI) or federal contract information (FCI).
The CMMC model is divided into three levels:
- Level 1 (Foundational): This level applies to organizations that handle FCI. The controls listed in Level 1 are primarily concerned with basic cyber hygiene practices. It is made up of 17 practices that require an annual self-attestation.
- Level 2 (Advanced): Any organization that stores, transmits, or creates CUI must comply with Level 2. This level contains 110 objectives that are based on NIST SP 800-171 and requires contractors to undergo a triennial (every three years) third-party assessment.
- Level 3 (Expert): The final level of CMMC contains all the previous requirements in addition to several more advanced ones. This level will require a third-party assessment conducted by the DoD.
CMMC requires that devices or assets that handle CUI are secured, monitored, and consistently updated. But how can organizations accomplish this with remote devices that may be personally owned by an employee?
The Unique Risks of Remote Work
Many risks are specific to employees who work from home. Several of them include:
- Home Networks: Users may be logging in and accessing sensitive data from an insecure home network. These networks may not have the necessary security policies in place to protect CUI and other sensitive data. With other family members potentially using the same network, monitoring and catching malicious traffic becomes much more difficult.
- Personal Devices: Users may access important business assets through their own phones, tablets, laptops, or desktops. Are these devices equipped with the same security applications as their PCs in the office? Probably not. What happens if a device is lost or stolen? These are some of the concerns that come with using a personal device to access CUI.
- Social Engineering/Phishing: When checking emails in the office, employees may be much more cognizant of phishing emails and social engineering. However, at home these same users may be less vigilant about downloading files or clicking on links.
Remote Work Concerns and CMMC
Privacy Concerns
One of the first obstacles your organization will run into is how to balance an employee's right to privacy on their personal device against the need for stringent monitoring and access controls. Any device that accesses CUI, even a personal one, is subject to the regulations defined by CMMC and must implement the necessary controls to be considered compliant. For example, an organization must "create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity". This can be a major point of contention between the user and your organization, as many employees will be wary of their employer monitoring their personal devices. However, this is non-negotiable for CMMC compliance.
Security Configurations
Your organization will need to configure the security settings of any device that is within the scope of CMMC requirements. Certain device parameters must be put in place to ensure the protection of CUI, including limiting which operating systems and apps can be installed, enforcing password policies, and ensuring FIPS-validated cryptography is used. These configurations can cause concern for end users because they may limit performance or usability.
Physical Security
Even at home, ensuring the physical security of devices that work on CUI is required. The in-scope device must be physically secured by means of locked rooms or cabinets, and sensitive documents must be protected the same way. A user must also consider the physical arrangement of the office space. Is the employee's desk positioned in a way that would allow shoulder surfing? Is the screen in view of a window looking outside? You must establish guidelines for how CUI is handled, including the printing, storage, and destruction of sensitive information. While these restrictions may seem overly cautious, they are required to effectively implement CMMC requirements.
Home Networks
All connections to the main office or data center must be secured and encrypted to ensure that threat actors are not able to access CUI in transit. If your employees are not using a VPN and CUI is being transmitted through their home network, that network would be considered in scope and would have to be monitored and restricted. To avoid data privacy concerns, have users connect through a VDI or VPN.
Is Remote Work Possible Under CMMC?
Yes, remote work is possible even under CMMC requirements. However, additional measures are necessary to ensure Controlled Unclassified Information (CUI) remains protected both inside and outside the office.
Several strategies can support secure remote work while addressing associated compliance concerns. One of the most straightforward approaches is to prohibit the use of personal devices by any user who interacts with CUI and instead issue company-owned devices that are fully monitored and managed. This not only strengthens security but also helps employees maintain a clear separation between personal and work devices. While this option may incur higher costs, it offers greater control over systems within the scope of CMMC. Alternatively, if personal devices are permitted, users must access CUI through a secure Virtual Desktop Infrastructure (VDI) to maintain adequate separation and reduce risk.
CorpInfoTech, a Certified CMMC Implementation Partner
CorpInfoTech is a CMMC Level 2 certified (C3PAO) MSP that offers IT, cybersecurity, and CMMC compliance solutions to SMBs working within the DIB. Through TAS for CMMC Compliance, contractors inherit 200+ of the 320 assessment objectives required by CMMC. This makes achieving and maintaining compliance faster and more efficient, and offers greater confidence in your ability to pass an audit. We offer fully managed or co-managed compliance services for on-site technologies, making us the most flexible compliance solution. We understand that every organization is structured differently, and our services adapt to your unique compliance needs.
Start Your CMMC Journey with CorpInfoTech
Contact CorpInfoTech today and learn more about how TAS for CMMC Compliance can benefit your organization!