CMMC provides clear instructions on creating a controlled environment that safeguards Controlled Unclassified Information (CUI). So, in the hybrid work world we’re living in, how can you control your remote employees’ environments so they can safely access CUI without violating CMMC requirements?
Read on for more information about whether or not CMMC allows for remote work and how to safely integrate this into your CMMC-conscious cybersecurity processes.
Can DoD Contractors Work Remotely?
Remote work is permitted for Department of Defense (DoD) contractors in accordance with CMMC requirements and NIST 800-171 guidelines. Specifically, Control 3.10.6 requires implementing safeguarding measures for CUI at alternative work sites, including satellite offices, customer sites, and home offices.
It’s important to note that additional controls may be put in place to ensure the protection of CUI while working remotely.
CMMC Remote Access Requirements
Multiple NIST 800-171 controls deal with remote access to CUI. Of course, not all remote employees will need to access CUI outside of the company HQ, but for those who will, these controls are important to review to ensure your organization is fully compliant.
- Control 3.10.6: Enforce safeguarding measures for CUI at alternate work sites.
- Control 3.1.12: Monitor and control remote access sessions.
- Control 3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- Control 3.1.14: Route remote access via managed access control points.
- Control 3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- Control 3.13.7: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
Best Practices for Personal Technology
Nowadays, finding someone who doesn’t own a personal smart device is uncommon. Nearly 77% of the cellular devices in use today are smartphones. This is important to consider when building your company’s remote access policy.
The National Archives CUI Program Blog outlines steps remote employees should take to further protect access:
- Make sure to change the default username and passwords for all internet-connected devices.
- Make sure you regularly update the firmware on your router, modem, and all connected devices. Many of these updates are pushed out to address known security vulnerabilities. Check with your company’s IT department or your service provider if you aren’t certain of this.
- Turn off and unplug unused devices, and consider disabling or covering cameras when not in use.
- Keep any security software or firewalls updated to the latest version.
Assessing the Risks and Benefits of Remote Work for DoD Contractors
Remote work can bring many benefits to companies, but it is important to consider the additional efforts and safeguards that may be required to ensure compliance with CMMC. If the value of your company’s Department of Defense contracts outweighs the costs of compliance, it may be worthwhile to extend your scope to include remote access. However, with the implementation of CMMC 2.0 in May 2023, it is crucial to start planning for compliance now.
SSE is Here to Help
Our experts are trained on the latest DoD requirements and can help assess your remote access and compliance standing. NIST 800-171 is law now and CMMC will be here before we know it. SSE, recognized by the CYBER AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO), will help your organization achieve and manage CMMC compliance.
Schedule a complimentary CMMC Readiness Assessment today to get started!