What the heck are collaborative computing devices?

If you’ve spent any amount of time digging through the NIST 800-171 cybersecurity requirements, you’ve likely thought to yourself, “what the heck does ______ mean?” If so, you’re not alone. And, you’re in luck, as our “What the heck?” blog series was created with you in mind! In our latest post, we explore collaborative computing devices and discuss what they are, why the Department of War (DoW) cares, and how small businesses can meet this requirement as they pursue CMMC certification through safeguarding the Controlled Unclassified Information (CUI) they handle.

So, what are collaborative computing devices?

NIST does not provide a conclusive definition of a collaborative computing device, but they do give some helpful examples we can derive meaning from:

Collaborative computing devices include networked white boards, cameras, and microphones. Indication of use includes signals to users when collaborative computing devices are activated. Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.

NIST 800-171 Rev. 2 Control 3.13.12 Discussion

From this, we can infer that collaborative computing devices are hardware or software tools (computing devices) that enable people to work together (collaborate) by capturing or transmitting audio, video, or shared content. “Networked” implies the device is connected to another system, device, or the Internet in a way that allows it to send or receive data. Collaborative computing devices are typically (but not always) found in shared meeting spaces, such as conference rooms, where this technology is helpful for facilitating collaboration, especially among dispersed teams.

Some more specific examples of collaborative computing devices include:

Native workstation (Windows PC or Mac) webcams and microphones
Smart TVs that natively support video conferencing apps (e.g., Samsung, LG, or Vizio)
Digital Internet-connected whiteboards (e.g., Microsoft Surface Hub or Google Jamboard)
Video conferencing systems and webcams (e.g., Logitech Rally, Meeting Owl 3)
Tabletop speaker-microphone bars (e.g., Poly Studio, Jabra, Logitech MeetUp)
Smart kiosks (e.g., ESII Welcome Kiosk)

Understanding the requirements

Now that it’s better understood what may constitute as a collaborative computing device in your environment, we can turn our attention towards safeguarding these devices. There is a single NIST 800-171 control that pertains to collaborative computing devices, SC.L2-3.13.12:

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

NIST 800-171 Control 3.13.12

Of course, this analysis would be incomplete if we did not look at the corresponding NIST 800-171A assessment objectives, of which there are three:

Collaborative computing devices are identified.

NIST 800-171A Assessment Objective 3.13.12[a]

Collaborative computing devices provide indication to users of devices in use.

NIST 800-171A Assessment Objective 3.13.12[b]

Remote activation of collaborative computing devices is prohibited.

NIST 800-171A Assessment Objective 3.13.12[c]

First off, you need to “identify” any collaborative computing devices by creating a list of such devices in your environment, if you have any. This also includes identifying which CMMC Level 2 asset class the collaborative computing device(s) fall under. For example, are the collaborative computing devices intended to process, store, or transmit CUI? If so, they are considered CUI assets and must be secured per the CMMC Level 2 Scoping Guide (ALL NIST 800-171 requirements applied…). Additionally, if these devices are sending CUI to the cloud, you’ll need to be aware of the FedRAMP implications. Or perhaps the collaborative computing devices could process, store, or transmit CUI but are not intended to due to security policy, procedures, and practices in place, and thus are considered Contractor Risk-Managed Assets (CRMA). The bottom line is that “identifying” collaborative computing devices is not just putting them in a list; it’s also considering how/if such devices are used for handling CUI.

Once you’ve identified collaborative computing devices, you’ll need to ensure that the devices give an “indication” when in use. This is typically an LED light that either turns on or flashes a specific color when used. If there is no such indication when in use, you’ll need to acquire a different device that has this capability. The good news is that nowadays most modern types of collaborative computing devices have such indicators already in place.

Lastly, you’ll need to ensure that these devices cannot be remotely activated. In this case, “remote” connections include anything that is not a direct network connection, most common being wireless access (Wi-Fi). Ensure that if any other devices are used to activate the collaborative computing device, it uses a direct (wired) connection to do so. And for those direct connections, ensure there is no additional remote access (e.g. VPN or HTTP web access) to those controlling devices. So, for example, for a Windows PC webcam and microphone, you would ensure the user cannot setup a bluetooth remote control connection to the PC, and that there is no VPN or web access inbound to the PC.

Wrapping up

That’s an overview of collaborative computing devices and what to expect for meeting this requirement. If you’re still confused, consider signing up for our next CMMC Workshop. Or, subscribe to our Totem™ CMMC Planning tool to take advantage of our Subscribers Q&A Forum and get help with your questions. Or, if you have any questions about this blog, CMMC, or anything else, let us know!

Thanks for reading!

-Nathan