
CMMC Blog: Cybersecurity for remote access teams, under CMMC/DFARS framework

Posted by: Jenna Brankin, September 01, 2020

Learn about how you can remain cybersecure with a remote workforce. We leverage CMMC/DFARS to discuss remote access and control.

The world has changed. Is your organization ready to face the new reality?

Remember when you’d wake up at 5am to hit the gym, and then get on the road by 8am to ensure you’re at the office before your meeting? Seems like it’s been years since we’ve engaged in some type of routine. For some organizations, COVID-19 and modern technology have shifted companies from the cubicle to the home office, and everywhere in between. Now, cybersecurity is a much bigger concern than ever before…especially for the Department of Defense. That’s why it’s crucial to have the proper controls in place to ensure Federal Classified Information (FCI) and Controlled Unclassified Information (CUI) are fully protected no matter where they’re accessed, and by whom.

 

ENSURE REMOTE WORK IS SECURE

COVID-19 impacted the world almost immediately and left many organizations struggling to adapt and keep up with the sudden changes. While most organizations already had some sort of work-from-home policy in place that included VPNs and multi-factor authentication, these requirements are simply not secure enough for the Department of Defense.

Today’s remote access opportunities require top of the line cybersecurity. The Cybersecurity Maturity Model Certification (CMMC) programs are applicable to DoD contracts involving a contractor’s electronic storage of FCI and CUI. That means your contractors need to make sure wherever their data goes—whether it’s technical or non-public data—the appropriate cybersecurity requirements follow, and they always have access to a secure, remote workforce environment.

Contractors must review the requirements of NIST 800-171 Rev. 2 to ensure CUI and FCI are protected. It’s also incredibly important to reference the CMMC model documents in version 1.2, stay laser-focused on the NIST requirements and carry them over word for word into the CMMC.

 

WELL, WHAT’S YOUR REMOTE ACCESS POLICY?

According to Regan Edens, Director of the CMMC Accreditation Body, when you transition from a secure container in a protected workplace to an unstructured and unsecure offsite environment, there are many things to consider.

IT teams must authorize who’s been granted remote access, then monitor and control it through a remote access control policy. These policies provide the foundation for remote access and offer mobile device protection too. But how do you establish the foundation for a remote access policy? Keep reading to find out more.

 

HOME OFFICE & OFFSITE WORKSPACES

If you don’t have a way to access your work through a secure environment, what do you do? What if your home office doesn’t have the option of limited or restricted access? It’s imperative you apply all the secure requirements that are available to you in the office to your remote workspace, no matter where you are.

AUTHORIZED DEVICES

To monitor your network and those who’ve been granted remote access, make sure they’re using devices that are pre-approved, protected and meet the NIST requirements—and use the secure and encrypted VPN/VDI to access these virtual environments.

SECURE & ENCRYPTED VPN/VDI ACCESS

You need a secure network connection that’s provided by VPN/VDI access, and one that would be available from a centralized desktop environment.

AUTHORIZE, CONTROL & MONITOR ACCESS

You must establish governance, policies, and procedures to appropriately guide and oversee the organization, support your users, and enforce policies. Monitor your contractors to make sure they always remain honest and compliant. One major slip-up could be the difference between war and peace.

UNDERSTAND & PROTECT THE CONFIDENTIALITY OF CUI/FCI DATA

Understand your roles and responsibilities, including the safe-guarding requirements, to govern your day-to-day activities. If you don’t know what CUI/FCI is then how can you protect your customer’s data and the federal government’s data? And make sure your CUI/FCI is always properly marked so you know what’s controlled and classified.

INSTITUTE A CLEAN DESK POLICY

Make sure your data is always protected and safe-guarded in your remote space, just as you would if you were working in the office. This means when you leave your workspace, clean up your papers and make sure FCI/CUI data, information and documents have been inserted into a secure, locked space that only you can control.

PROPERLY DISPOSE OF & DESTROY CUI/FCI

Make sure you’ve got access to a shredder that meets requirements. Whether you keep the docs and then dispose of them in the office shredder or you’ve got one at home, secure the physical data until it’s destroyed, and make sure the method of destruction meets the requirements that have been set by your organization’s policies, and modify the destruction policies to meet requirements.

PHYSICALLY PROTECT & RESTRICT ACCESS TO DATA AND YOUR ENVIRONMENT

If you’re working in a shared space environment, you must always maintain control and confidentiality and make sure no one else has access to your virtual and physical data. Monitor and keep control over your printer too.

Keep in mind, while you’re working from home, don’t let your family accidentally pick up CUI data. Also, make sure the audio on your webinars, calls, and discussions is controlled and protected and all visual data—like information on a whiteboard—is protected too.

EXTERNAL HARD DRIVES

It’s imperative you protect your organization’s external hard drives, but please remember external hard drives that haven’t been issued by your organization should NEVER be used. Enforce policies to govern external hard drives, from what you’re authorized to use and how to safeguard the data, to what you can and cannot do with the hard drive.

INSTILL PROPER TRAINING FOR USERS

Bottom line: Your users must be trained and monitored to make sure they know how to work securely in remote environments, and ensure they always do the right thing.

 

FINAL THOUGHTS

At the end of the day, it’s imperative you elect someone in your organization to be the subject matter expert. That way your users can check in with them to make sure they’re handling, securing, and sharing the data according to policies. The expert must always be aware of the requirements, and make sure they’re enforced and applied—including all explicit and implicit requirements—all the way down to the user level.

Data governance is all about protecting data. No matter who you are, if you need to access CUI/FCI data to provide products and services, you are individually responsible for protecting this data. This type of cybersecurity goes far beyond IT…this type of cybersecurity is in the hands of your employees. Be smart.

What’s next? Check out Exostar’s Policy Pro…it’s the only way to go. Save time and resources while you build and revise security policies in line with NIST 800-171 and CMMC directives. Policy Pro makes policy creation so easy, even a non-technical employee can handle it. Signed, sealed, delivered and secured!