How to Handle CMMC Scoping for Remote Employees

CMMC mandates that companies working as part of the government supply line need to comply with a level of security determined by their handling of controlled information. Identifying the level of compliance necessary for your business is the first step in achieving that compliance.

The second step is scoping.

All About Scoping for CMMC

What is scoping? Scoping is the process of analyzing your business from top to bottom, inside and out. With this process, you identify all of the systems, devices, channels, and people who have access to CUI and other covered data.

You essentially draw a boundary. Anything inside the boundary needs to comply with CMMC security controls at your assessed level. Anything outside the boundary doesn’t need to.

CMMC is focused on protecting Controlled Unclassified Information. Anything that touches CUI needs to be secured. Scoping is an incredibly important aspect of figuring out what does and doesn’t need to be secured, both so you can ensure that your security is fully implemented and so you can avoid putting in a lot of work to secure systems that don’t actually need it.

The DoD even offers scoping guides to help businesses figure out what their scope is.

Scoping is incredibly important, but it gets even more complicated if your business is not self-contained. So, how do you handle scoping when remote workers are involved?

In a quick survey done last year, Lead Auditor Tara Lemieux asked her audience this question:

Are personal residences in scope for a CMMC assessment if employees access CUI from home?

The answers varied. 63% of people said it depends, 23% said yes, and 13% said “nope – not without a warrant.”

It’s an interesting question to consider. CMMC has strict rules for security over the systems CUI touches. But those also butt up against privacy protections; can CMMC mandate that an individual’s private residence comply if they work from home?

The Question at the Core of the Problem

Before we go digging deeper into the analysis of CMMC for remote work, it’s worth stepping back and asking: is remote work even allowed under CMMC? After all, if CMMC simply forbids remote work entirely or makes it so intrusive as to be infeasible, it’s a moot point.

Fortunately – or unfortunately, depending on who has a sudden burden of extra work to consider – CMMC does allow for remote work. In fact, there’s even a specific provision within CMMC for it: Control PE.L2-3.10.6: Alternative Work Sites. We’ll get deeper into that later.

Of course, since it’s an extra burden to put remote work into scope for CMMC, there are certainly many businesses that strive to avoid it. If you ensure that your remote workers never interact with CUI or have access to CUI-containing systems, then you don’t have to worry at all about their environments being secure.

A business that applies for and complies with CMMC can have remote workers for some of their work without worrying about their security, as long as those workers are segmented away from controlled systems.

Examining the Complexities of Remote Work Scoping

At the root of it, scoping is a simple question to answer. If a device, network, or system handles, transmits, stores, or uses CUI, it needs to be within scope and thus secured at the appropriate level.

So, if a remote employee handles CUI as part of their job, their system needs to be secured, right?

Well, not necessarily. What if they use a virtual environment? What if they’re using a VPN to access the company’s systems, so their system isn’t actually touching any of the CUI they work with? Is that enough to consider their client out of scope, or does the fact that the CUI could be viewed over their shoulder mean they’re in scope?

The truth is that scoping for remote workers can be surprisingly complex. Unfortunately for those remote workers and the companies that hire them, they are often within scope when you get right down to it.

In her post, Tara shares a hypothetical that shows how this can vary depending on a few factors.

“Consider a scenario where an employee works from a home office, using both company-issued and personal devices. Is the entire home network in scope? To determine this, one would need to evaluate where CUI is stored or accessed and how it is transmitted across the network. If the company-issued device has adequate security measures like a VPN and encryption, and CUI is never accessed through personal devices, only the company-issued device might be in scope. However, if personal devices access CUI or are connected to the same network as the company-issued device without adequate segmentation, then the scope could widen to include those devices and potentially the entire network.”

So the question becomes, how do you figure this all out?

What Are the Main Concerns with Remote Work?

Remote workers are just like any other workers as far as CMMC is concerned; if they touch CUI, they need to be beholden to the rules. Remote work offers many benefits to both companies and employees but also unique challenges for security frameworks like CMMC.

Privacy is a big concern. Employees certainly have rights to their own privacy, but at the same time, if they’re interacting with CUI, they need to be under scrutiny, logging, and monitoring. There’s a boundary here, but that boundary needs to be intentionally established; it can’t just be assumed.

The private devices a worker uses are out of scope as long as there’s a firm dividing line between them and the work devices they use to handle CUI. But, if a worker ever decides to log into a work server from a personal device, suddenly, that personal device needs to be within scope.

Security concerns are prominent as well. Any device within scope needs to be adequately secured, and that can mean mandated software, logging, tracking, and security settings in place. Once again, if a remote worker uses a personal device to access CUI systems, that device is in scope. That means everything, from their passwords to their encryption, needs to comply with CMMC rules.

Even physical security becomes important in this case. Sensitive documents, work devices, and a home office space all need to remain locked and physically secure. Even something as simple as the arrangement and visibility of screens can be a factor. No shoulder surfing allowed!

The Process of Adequate Scoping for Remote Workers

The process of scoping for CMMC involves a five-step approach that examines different facets of a business and identifies how they interact with CUI.

Asset Identification. Any company looking to achieve CMMC certification needs to identify, catalog, and track all of the assets within their systems that touch CUI. This includes physical devices like computers and phones, software, data repositories, accounts, and other individual items that can be listed as assets.

Data Flow Mapping. The key to adequate scoping is proper mapping of the flow of CUI. Figure out where the CUI goes, from the moment it enters your ecosystem from the source above you to the moment it moves on or is destroyed. What devices does it touch? What channels does it use to move from point to point? What software touches it? What accounts handle it directly? What other accounts have access to the systems or software the CUI is on, whether or not it’s in their job description to touch it? A complete map of wherever CUI goes – and where it could go – is required to see what is and isn’t in scope.

Risk Assessments. A good risk assessment determines what potential threats exist to all of your assets and data flows, as well as the potential consequences for breaches and the ability to respond to and contain them. In fact, failing to conduct appropriate risk assessments is one of the main reasons why businesses fail their CMMC audits.

Proper Segmentation. Through careful use of strong segmentation, you can isolate CUI on different systems and services to help minimize your potential scope. The less you need to keep secure, the more easily you can keep track of all of it. The smaller your threat surface, the less vulnerable you are to attack. Segmentation is key to secure remote work, so you’ll want to focus on this area.

Training and Enforcement. The human factor is, and always will be, one of the most susceptible to threats. It’s why there is far more risk today from phishing and social engineering than from technical breaches or broken encryption. People are the weak link. When it comes to remote workers, they must be properly trained and must follow the rules to ensure proper protection of the CUI they handle.

How to Ensure Properly Secured Remote Environments

If you want to employ remote workers for roles that involve accessing and handling CUI, you’re certainly able to do so, but you have to make sure to draw firm lines in the sand.

The most important thing to do is draw boundaries and limit access as much as possible. Practice the principle of least access and ensure your remote workers can touch only the bare minimum necessary to do their jobs.

Many companies securing CUI for remote work make use of VPN and virtual desktop environments such that CUI never actually leaves their own systems. Remote workers have to dial into the company’s systems to access it, and all operations still take place on the company devices. The data never actually reaches their personal devices or home network.

If this isn’t possible, remote workers can still take specific steps to help maintain security, such as:

  • Changing the default administrative credentials on all internet-connected devices at home.
  • Keeping the firmware of devices such as routers and modems up to date.
  • Disabling or removing devices when they aren’t in use.
  • Maintaining adequate security settings and firewalls on their systems.

To limit the scope, you may even encourage your remote workers to establish a second network used solely for work. Their home network, isolated from the work network, doesn’t need to follow the rules. The work network, used only for work devices and purposes, is easier to secure when very little is connected to it.
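The data flow mapping and segmentation steps above, and the dedicated work network just described, can be expressed as a small reachability model. The following is an added example, not code from the original post or from Ignyte; the asset names, the links and the segmented flag are constructed to mirror the home-office hypothetical quoted earlier.

```python
from collections import deque

# Constructed sample inventory (not from the post): a company laptop on a
# home LAN next to personal devices. True = asset stores, processes or
# transmits CUI.
ASSETS = {"work-laptop": True, "home-router": False,
          "personal-pc": False, "smart-tv": False}

# (asset_a, asset_b, segmented). segmented=True means a VLAN/firewall
# boundary separates the two, so CUI exposure does not cross that link.
FLAT_LAN = [("work-laptop", "home-router", False),
            ("personal-pc", "home-router", False),
            ("smart-tv", "home-router", False)]
SPLIT_LAN = [("work-laptop", "home-router", True),   # dedicated work segment
             ("personal-pc", "home-router", False),
             ("smart-tv", "home-router", False)]


def in_scope(assets, links):
    """Return the set of assets inside the CMMC boundary.

    Every asset that handles CUI starts in scope; scope then spreads across
    each link that is not adequately segmented (breadth-first search).
    """
    graph = {name: [] for name in assets}
    for a, b, segmented in links:
        graph[a].append((b, segmented))
        graph[b].append((a, segmented))
    scope = {name for name, handles_cui in assets.items() if handles_cui}
    queue = deque(scope)
    while queue:
        for neighbour, segmented in graph[queue.popleft()]:
            if not segmented and neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def scope_report(assets, links):
    """Sorted (inside, outside) lists for a boundary review."""
    inside = in_scope(assets, links)
    return sorted(inside), sorted(set(assets) - inside)


if __name__ == "__main__":
    print("flat LAN :", scope_report(ASSETS, FLAT_LAN))
    print("split LAN:", scope_report(ASSETS, SPLIT_LAN))
    # A personal PC used to log into a work server pulls itself into scope.
    personal_used = {**ASSETS, "personal-pc": True}
    print("split LAN, personal PC used for CUI:", scope_report(personal_used, SPLIT_LAN))
```

The device enforcing the segmentation boundary still deserves its own review; the model only shows how a flat network widens the boundary and a segmented one contains it.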

Physical security also needs to be in place if CUI is ever physically present in the remote worker’s environment. If they print off CUI on paper, they need lockable, secure locations to keep it, for example.

One of the biggest hurdles for remote workers when privacy comes up is the risk of audit and assessment. Will a CMMC assessor need to come to the employee’s home to validate their security?

They could. It’s within their rights to do so if that worker’s home is in scope. However, it’s not generally going to happen. Assessors can use other methods, like technological validation and personnel interviews, to validate that security. When remote workers can be half a country away from the company headquarters, assessors don’t want to make that trip either.

Maintaining the proper security posture and limited scope for remote workers is possible and done all the time within the broader CMMC ecosystem. Yes, it’s more work than not having remote workers or not having in-scope remote workers. Sometimes, though, the benefits of those employees outweigh the added burden of keeping their systems limited and secure. When it comes right down to it, that’s the decision you have to make.

At Ignyte, we can help. The Ignyte Assurance Platform was designed to help you keep track of the scope, assets, and other details of your compliance as you build it. It’s secure, it’s collaborative, and it’s not siloed away where it becomes a roadblock rather than an assistant. Request your demo and see what it can do for you.

Further, if you have any additional questions about CMMC where remote workers are involved, feel free to ask. Our experts have deep experience with all manner of government security, including CMMC, and we’ve been here as it’s being developed. We’d love to lend you a hand.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/cmmc/cmmc-scoping-remote-employees/