Archon Secure Blog

How CMMC Requirements Apply to Remote Work

Written by Archon Secure Team | Apr 1, 2020 12:56:00 PM

Despite the disruption caused by the COVID-19 pandemic, the US Department of Defense is moving ahead with its push to ensure Defense Industrial Base (DIB) contractors have implemented strong cybersecurity programs through the Cybersecurity Maturity Model Certification (CMMC).

The CMMC Framework, which was first announced in January 2020, requires that defense contractors be CMMC certified by approved, third-party auditors before they are eligible to bid on new DoD contracts.

With new contracts containing CMMC requirements originally slated to roll out in June of 2020, many defense contractors were already preparing to undergo the CMMC certification process. The sudden shift to remote work in response to COVID-19 has prompted many to look closely at the cybersecurity requirements of CMMC specifically as they relate to the remote work use case.

During Archon's COVID-19 Immediate Secure Remote Work Response Virtual Summit, which took place in March 2020, Scott Edwards of Summit7 Systems addressed exactly this topic, focusing specifically on what it will take for companies to go from Level 1 CMMC certification to Level 3.

Continue reading for our summary.

CMMC Schedule

When do you need to be prepared to have CMMC certification as a DIB organization? Here are some important timelines for all organizations to be aware of.

April/March 2020: CMMC version 1.02 is the current release. You can review up-to-date documentation on the CMMC website. An accreditation board has already been established and is working on finalizing the process for accrediting and certifying organizations.

June/July 2020: In accordance with DoD's plans to roll out the CMMC program in stages, a series of pathfinder projects will be launched before the full-scale implementation of CMMC. The Office of the Under Secretary of Defense for Acquisition and Sustainment plans to undertake ten Pathfinder projects to test the certification process, with the first starting in June or July of 2020.

July/August 2020: You can expect the first CMMC audits to begin, focused on the initial Pathfinder projects.

October 2020: You can expect the first RFPs requiring CMMC certification to be released to the wider DIB.

CMMC Basics

CMMC outlines five different levels of compliance, all of which require auditing and certification by a third party:

  • CMMC Level 1: This level is for organizations that have no access to Controlled Unclassified Information (CUI). CMMC Level 1 includes the same requirements that have been present in FAR-52 for about 5 years now and will apply to the vast majority (~85%) of DIB contractors.
  • CMMC Level 2: Level 2 is a transitional step between Levels 1 and 3, intended as a stepping stone for organizations working toward Level 3. You won’t see many, if any, contracts explicitly calling for Level 2.
  • CMMC Level 3: This will be the most common level called for in contracts and applies to organizations that are required to ensure the full protection of CUI.
  • CMMC Levels 4 & 5: There will be some contracts at these levels, but far fewer than at level 3. Levels 4 and 5 are meant for extremely sensitive applications like Naval nuclear propulsion systems and Missile Defense Agency efforts.

In addition to the basic levels of compliance, CMMC is structured into domains, processes, capabilities, and practices.

There are 17 domains, each consisting of specific capabilities (or goals) that ensure security within the domain. Capabilities are in turn broken down into the practices and processes required to achieve them.

There are a total of 85 processes across all 17 domains. Each process is labeled for a specific level of CMMC compliance.

For instance, 51 of the 85 total processes apply at Level 3, while all 85 processes apply at Level 5.

CMMC Requirements Relating to Remote Work

CMMC covers a wide range of cybersecurity issues, but there are 10 major practices that are focused specifically on remote work security.

More details on each of these, and how they relate to remote work security, are outlined below.

AC.2.013: Monitor and control remote access sessions.

Practice basics:

  • Required at Level 2 and above
  • Lives within the Access Control Domain

This practice requires that all remote access to the network be monitored, controlled, and carried out over an encrypted channel. You must control who accesses the network remotely, using tools such as intrusion detection systems (IDS), and have complete monitoring in place.

You must also keep full audit logs and define conditional access policies, whether through a VPN or a cloud-based service such as Office 365.

AC.2.015: Route remote access through monitored access control points.

Practice basics:

  • Required at Level 2 and above
  • Lives within the Access Control Domain

This practice requires that all of your servers live within a monitored and controlled environment, with no direct access from the open internet. All remote connections to those servers must be routed through a controlled access point.

This is typically achieved with a VPN, and all connections that flow through it must be auditable so that you can see what content is flowing across them and who is accessing it.

AC.3.014: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

Practice basics:

  • Required at Level 3 and above
  • Lives within the Access Control Domain

This practice requires that any VPN solution used for remote access employ FIPS-validated cryptography. This includes the use of TLS 1.2, SSHv2, AES, Triple-DES and DSA.

AC.3.021: Authorize remote execution of privileged commands and remote access to security-relevant information.

Practice basics:

  • Required at Level 3 and above
  • Lives within the Access Control Domain

This practice applies specifically to your administrative staff and requires organizations to strictly control what system administrators can do remotely. You will need a set of policies determining which settings they are allowed to adjust remotely and which require them to be physically on the network.

AC.4.032: Restrict remote access based on organizationally defined risk factors.

Practice basics:

  • Required at Level 4 and above
  • Lives within the Access Control Domain

This more advanced practice requires organizations to set access policies based on a combination of factors about the device or user accessing the system remotely.

There are certain risk factors that can indicate concerning activity. Some examples include:

  • Time of day: An end-user accessing information out of working hours may be disallowed.
  • Location of access: You may choose to block access from outside of the country for instance.
  • Policy settings on end-user devices: You may choose not to allow a device that doesn’t have certain security policies to access the network.

This practice requires that organizations have a policy for allowing or denying access based on the risk factors outlined above, individually or in combination.
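As an added illustration of how such a policy combines factors (this is example code written for this summary, not code from the original presentation or from Summit7 or Archon), the following Python evaluates a remote-access request against time-of-day, location and device-policy factors. The working-hours window, the allowed country list, the required device policies and the sample requests are all constructed assumptions; a real deployment would pull them from the identity provider and MDM.

```python
"""Risk-factor based remote access decisions (illustration for AC.4.032).

Added example, not code from the article or from Summit7/Archon. Every
policy value and sample request below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Constructed policy parameters (assumptions for the example).
WORKING_HOURS = (time(7, 0), time(19, 0))      # local working window
ALLOWED_COUNTRIES = {"US"}                     # block access from abroad
REQUIRED_DEVICE_POLICIES = {"disk_encryption", "screen_lock", "edr_agent"}


@dataclass
class AccessRequest:
    user: str
    when: datetime            # local time of the attempt
    country: str              # ISO country code derived from geo-IP
    device_managed: bool      # enrolled in the organisation's MDM
    device_policies: Set[str] # policies the device reports as enforced
    mfa_fresh: bool           # a second factor was presented in this session


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    Each factor only raises risk; the *combination* decides the outcome,
    which is the point of AC.4.032.
    """
    reasons: List[str] = []
    out_of_hours = not (WORKING_HOURS[0] <= req.when.time() <= WORKING_HOURS[1])
    foreign = req.country not in ALLOWED_COUNTRIES
    missing = REQUIRED_DEVICE_POLICIES - req.device_policies
    noncompliant = (not req.device_managed) or bool(missing)

    if out_of_hours:
        reasons.append("out of working hours")
    if foreign:
        reasons.append(f"access from disallowed country {req.country}")
    if not req.device_managed:
        reasons.append("device not enrolled in MDM")
    if missing:
        reasons.append("device missing policies: " + ", ".join(sorted(missing)))

    # Hard denials: a non-compliant device never reaches the network, and
    # access from outside the allowed countries is blocked outright.
    if noncompliant or foreign:
        return "deny", reasons
    # A compliant, in-country device outside working hours gets in only after
    # a fresh MFA prompt (step-up); inside working hours the sign-in MFA
    # required by IA.3.083 is considered sufficient.
    if out_of_hours:
        return ("allow" if req.mfa_fresh else "step_up"), reasons
    return "allow", reasons


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate constructed sample requests (not real users or events)."""
    full = set(REQUIRED_DEVICE_POLICIES)
    base = dict(user="alice", country="US", device_managed=True,
                device_policies=full, mfa_fresh=False)
    day = datetime(2020, 3, 24, 10, 30)
    night = datetime(2020, 3, 24, 23, 5)
    samples = {
        "office_hours": AccessRequest(when=day, **base),
        "late_night": AccessRequest(when=night, **base),
        "late_night_mfa": AccessRequest(when=night, **{**base, "mfa_fresh": True}),
        "abroad": AccessRequest(when=day, **{**base, "country": "BR"}),
        "missing_edr": AccessRequest(when=day,
                                     **{**base, "device_policies": full - {"edr_agent"}}),
    }
    return {name: evaluate(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name:15s} -> {decision:8s} {'; '.join(why)}")
```

The decision table is deliberately small; the useful property is that the reasons list is returned alongside the decision, so every denial or step-up can be written to the audit log that AC.2.013 already requires.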


IA.3.083: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Practice basics:

  • Required at Level 3 and above
  • Lives within the Identification & Authentication Domain

This practice requires that all remote access use multi-factor authentication.

IA.3.084: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Practice basics:

  • Required at Level 3 and above
  • Lives within the Identification & Authentication Domain

This practice helps prevent man-in-the-middle and replay attacks. It requires organizations to use authentication methods whose exchanged data cannot be captured and reused at a later time. Common methods include tokens, one-time passcodes and certificates. Hardware-based VPNs are especially useful here.
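The difference between a credential that can be recorded and reused and one that cannot is easy to see in code. The following Python example, added here and not taken from the original presentation, contrasts a static password check with a challenge-response scheme (server-issued random nonce, HMAC-SHA256 response keyed with a shared secret, nonce consumed after one use). The user name and shared key are constructed for the example.

```python
"""Static secret vs. challenge-response (illustration for IA.3.084).

Added example, not code from the article or from Summit7/Archon. The
nonce + HMAC construction is a textbook pattern chosen for clarity, not a
specific vendor's protocol; the user and key below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Set


class StaticPasswordServer:
    """Baseline: the identical credential is sent on every login, so a
    recorded login verifies again verbatim."""

    def __init__(self, users: Dict[str, str]):
        self._users = users

    def login(self, user: str, password: str) -> bool:
        expected = self._users.get(user)
        return expected is not None and hmac.compare_digest(expected, password)


class ChallengeResponseServer:
    """Each login starts with a fresh random nonce; the client proves it holds
    the shared key by returning HMAC(key, nonce). The nonce is consumed on
    use, so a recorded (nonce, response) pair verifies exactly once."""

    def __init__(self, users: Dict[str, bytes]):
        self._keys = users
        self._outstanding: Dict[str, bytes] = {}   # user -> nonce awaiting reply
        self._used: Set[bytes] = set()             # nonces already consumed

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[user] = nonce
        return nonce

    def login(self, user: str, nonce: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        # The nonce must be the one issued to this user and not yet spent.
        if key is None or self._outstanding.get(user) != nonce or nonce in self._used:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        # Consume the nonce whether or not the attempt succeeded.
        self._used.add(nonce)
        del self._outstanding[user]
        return ok


def client_response(key: bytes, nonce: bytes) -> bytes:
    """What a legitimate client computes from the server's challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> Dict[str, bool]:
    """Run both schemes, then re-submit the recorded login data once more.
    Returns every outcome so it can be checked."""
    static = StaticPasswordServer({"alice": "correct horse battery staple"})
    recorded_pw = "correct horse battery staple"          # as seen on the wire
    static_first = static.login("alice", recorded_pw)
    static_replay = static.login("alice", recorded_pw)    # verifies again

    key = secrets.token_bytes(32)                         # constructed shared key
    cr = ChallengeResponseServer({"alice": key})
    nonce = cr.challenge("alice")
    resp = client_response(key, nonce)                    # as seen on the wire
    cr_first = cr.login("alice", nonce, resp)
    cr_replay_same = cr.login("alice", nonce, resp)       # same pair: refused
    fresh_nonce = cr.challenge("alice")
    cr_replay_fresh = cr.login("alice", fresh_nonce, resp)  # old response: refused
    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "cr_first": cr_first,
        "cr_replay_same": cr_replay_same,
        "cr_replay_fresh": cr_replay_fresh,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} accepted={ok}")
```

One-time passcodes and certificate-based client authentication in TLS achieve the same property by different means: the value that travels is bound to a time window or a per-connection handshake, so an observer who records one exchange gains nothing that verifies later.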


MA.2.113: Require multi-factor authentication to establish maintenance sessions via external network connections and terminate connections when complete.

Practice basics:

  • Required at Level 2 and above
  • Lives within the Maintenance Domain

This practice requires that any maintenance work performed on the network from a remote location be carried out over a connection that uses multi-factor authentication, and that the connection be terminated once the maintenance is complete.

SC.2.178: Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to the users present at the device.

Practice basics:

  • Required at Level 2 and above
  • Lives within the Systems and Communications Protection Domain

This practice requires that devices, such as cameras and microphones, that are within the controlled network be protected from remote access.

For instance, someone should not be able to connect to the network remotely and turn on a camera or microphone in a conference room to listen in.

To comply with this requirement, you’ll need to put protections in place on the devices themselves and provide clear indicators of when those devices are on or off.

SC.3.184: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources on external networks.

Practice basics:

  • Required at Level 3 and above
  • Lives within the Systems and Communications Protection Domain

This practice requires that an end-user device connected to the internal network through a VPN send traffic only through that VPN; that is, no split tunneling. You cannot have an end-user device sending traffic both over the VPN and over the open internet at the same time. Hardware-based VPNs are a great way to achieve this easily.
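One way to verify this on a Linux endpoint is to inspect its routing table. The following Python, added here rather than taken from the original presentation, parses `ip route` output and reports any route that carries traffic around the tunnel. The interface names (tun0, wlan0), the VPN server address 203.0.113.5 and the three sample route tables are constructed; the check recognises both a replaced default route and the OpenVPN-style 0.0.0.0/1 plus 128.0.0.0/1 pair that overrides the LAN default route by longest-prefix match.

```python
"""Split-tunnel check from a Linux `ip route` listing (illustration for SC.3.184).

Added example, not code from the article or from Summit7/Archon. Interface
names, addresses and the sample tables are constructed. IPv4 only; run the
same logic over `ip -6 route` to cover IPv6.
"""
import ipaddress
from typing import List, Tuple

TUNNEL_IFACES = {"tun0"}                          # assumption: VPN adapter name
VPN_SERVER = ipaddress.ip_address("203.0.113.5")  # constructed concentrator IP


def parse_routes(ip_route_output: str) -> List[Tuple[ipaddress.IPv4Network, str, str]]:
    """Return (destination network, interface, scope) for each route line."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest if "/" in dest else dest + "/32", strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else ""
        scope = fields[fields.index("scope") + 1] if "scope" in fields else ""
        routes.append((net, dev, scope))
    return routes


def check_split_tunnel(ip_route_output: str) -> Tuple[bool, List[str]]:
    """Return (compliant, findings). Compliant means all non-local traffic is
    forced through the tunnel and no other route reaches external networks."""
    routes = parse_routes(ip_route_output)
    findings: List[str] = []

    tunnel_nets = {net for net, dev, _ in routes if dev in TUNNEL_IFACES}
    covers_all = ipaddress.ip_network("0.0.0.0/0") in tunnel_nets or (
        ipaddress.ip_network("0.0.0.0/1") in tunnel_nets
        and ipaddress.ip_network("128.0.0.0/1") in tunnel_nets
    )
    if not covers_all:
        findings.append("default route is not forced through the tunnel")

    for net, dev, scope in routes:
        if dev in TUNNEL_IFACES:
            continue
        # Permitted outside the tunnel: the directly attached LAN (scope link)
        # and the single host route needed to reach the VPN server itself.
        if scope == "link":
            continue
        if net.prefixlen == 32 and net.network_address == VPN_SERVER:
            continue
        # A physical-NIC default route is harmless only while the tunnel's
        # /1 pair overrides it; otherwise it is the split tunnel.
        if net.prefixlen == 0 and covers_all:
            continue
        findings.append(f"route {net} via {dev} bypasses the tunnel")
    return (not findings), findings


# Constructed sample tables (not captured from a real host).
FULL_TUNNEL = """
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""

DEF1_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""

SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("def1", DEF1_TUNNEL), ("split", SPLIT_TUNNEL)):
        ok, why = check_split_tunnel(table)
        print(f"{name:6s} compliant={ok} {'; '.join(why)}")
```

On a managed fleet the same check belongs in the endpoint compliance agent, so that a device whose routing table shows a split tunnel is reported as non-compliant and, under AC.4.032, denied access until the VPN profile is corrected.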


Final Thoughts

While CMMC may not be required in DoD contracts today, the schedule above shows that it is rapidly approaching.

In the current environment, with its increased need for remote work, it is incredibly important that organizations that currently do business with the Department of Defense, or plan to in the future, take steps today to ensure they will be ready for their first CMMC audit.