For the last two years, many Defense Industrial Base (DIB) members have grown accustomed to working remotely. However, with the rapidly approaching Cybersecurity Maturity Model Certification (CMMC), many are wondering if they can continue to work remotely and still protect Controlled Unclassified Information (CUI). In this blog, we will address this important issue, and we will give you some considerations for including remote work in your CMMC-compliant cybersecurity program.
So, will CMMC let me work remotely?
In short, the answer to whether or not a CMMC-compliant cybersecurity program can include remote work is yes. However, if your organization allows remote work, you must know that you will have some work to do to prepare for CMMC and ensure that you are adequately safeguarding Controlled Unclassified Information (CUI) within your remote environment. NIST 800-171, the framework against which CMMC assesses for those handling CUI, has clear requirements for both remote work as well as remote access. We’ll explore those requirements in this post.
Remote work takes place at an alternate work site – i.e., outside of the company headquarters, if one even exists. This could include satellite offices, customer sites, home offices, or perhaps on the road while traveling. NIST 800-171 has one primary control for performing work at an alternate work site:
|3.10.6||Enforce safeguarding measures for CUI at alternate work sites.|
So, if you want to work remotely, you’ll need to ensure that the site is approved by your organization, and that it has been “secured” to handle CUI, should you come into contact with it. First, this starts with implementing the proper physical protections at the alternate work site, such as:
- Only accessing company resources from a company-provided workstation, or a hardened “bring-your-own-device” workstation that has been inspected and approved by management
- Maintaining positive control of the company resources at all times; for example, preventing non-company-staff (including family members) from accessing the resources. If the resources store Federal Contract Information (FCI) or CUI, ensure the device is locked in an office or file cabinet when not in use
In addition to physical protections, you also must implement digital protections for securing the alternate work site, such as:
- Only accessing resources from a secured non-public network connection
- Home users managing their own home network routers and not connecting directly to ISP-supplied routers
- Only accessing company resources through approved remote access points (see discussion on Control 3.1.14 below)
These protections must be clearly documented in your IT Acceptable Use Policy (AUP), which your users must be trained on and agree to abide by before beginning their work.
Overview of the CMMC remote access requirements
Once the alternate work site has been secured, the attention now shifts to securing remote access of CUI. Understandably, not all users will need remote access to CUI, but most likely will. There are five NIST 800-171 controls that primarily deal with remote access:
|3.1.12||Monitor and control remote access sessions.|
|3.1.13||Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.|
Route remote access via managed access control points.
|3.5.3||Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.|
|3.13.7||Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).|
The first control, 3.1.12, requires a monitoring and controlling capability for any remote connections. The most popular remote access sessions that we have seen among our clients are Virtual Private Network (VPN) connections made between a VPN client and the company VPN gateway. For example. if an employee works remotely but needs to access the company file server to perform his/her job, a VPN connection between the remote (client) workstation and the VPN gateway device would be needed. Additionally, we have seen some IT Managed Service Providers (MSPs) use tools to perform remote troubleshooting. They may not be able to perform their tasks on-site all the time, which means that they will perform this work using a remote access session.
These are both very common scenarios that we have seen, and they certainly have a place in many DIB members’ day-to-day operations, but they must fulfill the remote access monitoring and controlling requirements in order to be sufficient for CMMC. To control a remote access session means to “lock it down”; ensure that the right encryption is being used (e.g., FIPS-validated encryption – see description on control 3.1.13 below), that these sessions are being routed properly (see description on control 3.1.14 below), that the VPN client and gateway have undergone adequate system hardening, and that multi-factor authentication (MFA) is in place for all network-based access to CUI (see description on control 3.5.3 below). To monitor remote access sessions means to collect and analyze the event logs and network traffic from these sessions and review them in real-time for suspicious activity. Most of our clients meet this requirement by partnering with a Managed Security Service Provider (MSSP), who will have a Security Incident and Event Management (SIEM) tool that collects and analyzes these logs. If suspicious activity takes place, the MSSP will alert the client and potentially assist them with incident response.
The second control, 3.1.13, requires remote access sessions be protected using adequate encryption. The standard is FIPS 140-2 validation for all remote access sessions where CUI is shared, and FIPS-approved for remote access where CUI is not shared. Side note: be wary of the difference between FIPS-validated and FIPS-approved/compliant. Many vendors out there will claim that their product is FIPS-approved or FIPS-compliant, but this is not the same as being FIPS-validated, as FIPS-validation is only assigned upon NIST testing and validating the product in a laboratory. Do not use products (including password managers) that can’t provide FIPS-validated encryption for protecting CUI, whether across remote access sessions or on a local network. We recommend checking NIST’s Cryptographic Module Validation Program (CMVP) for vendors and products which are FIPS-validated.
By the way, accessing cloud services counts as remote access, so if CUI comes across this cloud service connection, it must meet the FIPS-validation requirement in order to comply with CMMC. You may consider a cloud-based secure file sharing service such as Cocoon Data.
The third control, 3.1.14, requires all remote access sessions to be routed properly. The most efficient way for small businesses to achieve this is to route all remote traffic through their gateway firewall device, and to disallow workstation to workstation connections, such as those available through Google Chrome Remote Desktop. This will add another layer of defense by ensuring that only legitimate and approved remote access sessions are allowed to be established.
The fourth control, 3.5.3, requires multi-factor authentication be put in place for all network-based access to CUI. Remote access by definition is network-based, so MFA is required for remote access. MFA is an extremely powerful technology; so much so that it even made our Totem Top 10. MFA also is required by Control 3.7.5, as your IT staff and MSP must use MFA when attempting to perform remote maintenance.
The final control, 3.13.7, requires that remote access sessions prevent split tunneling when a VPN is in use. VPN split tunneling is the process of simultaneously connecting through the VPN interface and separately connecting to the “dirty” public internet; the traffic that you want protected is encrypted by the VPN, and the traffic that you aren’t worried about gets to travel through the public internet. Typically, this is seen as an attractive option because it poses a (albeit false) sense of security while maintaining desired internet speeds. However, the risk of CUI passing through the unencrypted “dirty” connection and falling into the hands of an adversary is too great; so much so that NIST 800-171 forbids it entirely. You will want to ensure that your VPN client prevents the use of split tunneling, and that all traffic from remote workers is protected using FIPS-validated encryption if CUI is being shared. Most modern VPN clients are configured by default to prevent split tunneling.
Is remote work worth the effort?
This is certainly the golden question, and what you may find yourself asking this far into the blog. The overwhelming nature of CMMC has led many DoD contractors (us included) to wonder if it is even worth continuing to do business with the Federal government – much less worth it to adequately secure our remote work environment. The fact is that implementing these NIST 800-171 safeguards takes time – a long time – and it’s expensive. Hiring an MSP for day-to-day IT support, paying an MSSP to monitor all of your event logs and network traffic, finding hardware that supports FIPS-validated encryption… it adds up quickly.
The question of “is remote work worth it?” ultimately falls to your business leaders. If the benefits of implementing these safeguards and continuing to do business with the Federal government outweighs the costs of compliance, then it is worth it. The important part here is that CUI is being kept out of the hands of our adversaries. If you are confident that you can meet this objective according to the safeguards laid out in this blog, then remote work can remain part of your business plan. However, you must understand that it is likely going to take considerable effort to get ready by the time the CMMC assessors roll around.
If you are feeling uncomfortable with the prospect of having to spend more time and money securing a remote work environment to get ready for CMMC, perhaps you consider getting rid of it and moving to a controlled on-site environment. This is a perfectly reasonable consideration, and we have wondered if it is worth it for us as well. We have found that reducing the scope of what we need to secure drastically reduces our compliance headache, and it even saves us a few bucks along the way. We have already begun acting on this, such as removing corporate Wi-Fi entirely. Turns out, we didn’t need it like we thought we would!
We understand that the last couple years have significantly changed the ways in which we work, but, unfortunately, it has not changed our adversaries’ desire to steal our sensitive information. This blog addresses this fact by describing considerations for including remote work in a CMMC-compliant cybersecurity program. Overlooking these requirements and failing to safeguard CUI in your remote work environment will no-doubt lead to a CMMC assessment failure. We recommend that you walk through each requirement that we have listed, assess how realistic it is to implement, then make a decision on how to proceed with remote work.
If you want to learn more about how remote work ties in with CMMC compliance, feel free to grab a seat in one of our Workshops, explore our free tools, or reach out to us. We would be happy to further share our experiences and pains as a fellow DIB member just trying to survive the CMMC requirements!
Keep fighting the good fight!
–Nathan Cross, Cybersecurity Engineer