The Department of Defense (DOD) created the Cybersecurity Maturity Model Certification (CMMC) program in 2020. The program safeguards Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) from cybersecurity threats. All defense industrial base (DIB) contractors must comply with the most recent CMMC 2.0 requirements by 2026.
In recent years, many contractors have been unsure how to approach CMMC requirements with remote employees who access CUI and FCI from an alternate location. The good news is that DIB contractors can still be CMMC-compliant and work remotely.
In this guide, you’ll learn what the CMMC remote access requirements are and how to determine whether remote work is viable for your DIB business.
If remote employees work with sensitive materials, you must ensure their environment, equipment, and processes meet the remote access CMMC requirements. The CMMC framework is split into 14 domains, each with a set of practices DIB contractors must implement.
Each practice has an identifier in the format “DD.L#-REQ”: DD is the two-letter domain abbreviation (for example, AC for Access Control), L# is the CMMC level at which the practice is required, and REQ is the number of the corresponding NIST SP 800-171 security requirement for Level 2 practices. AC.L2-3.1.12, for instance, is the Access Control practice at Level 2 that implements NIST SP 800-171 requirement 3.1.12.
The CMMC practices related to remote access include:
The AC.L2-3.1.12 practice within the Access Control (AC) domain requires organizations to monitor and control remote access sessions. Only authorized users and devices may connect to your business’s network remotely, and remote sessions must use an encrypted channel so that CUI stays confidential in transit. You must also log remote sessions, recording who connected, from which device, when, and what they did, and review those logs so that unauthorized or anomalous sessions can be detected and shut down.
The AC.L2-3.1.13 practice requires remote sessions to use cryptographic mechanisms to protect the confidentiality of CUI. Your chosen cryptographic mechanism must also satisfy SC.L2-3.13.11, which requires FIPS-validated cryptography to protect the confidentiality of CUI. In practice, that means any session that involves CUI access must run on cryptographic modules validated under FIPS 140 through NIST’s Cryptographic Module Validation Program, for example a TLS or IPsec VPN whose crypto library holds a FIPS 140 validation and is operating in its validated mode.
The AC.L2-3.1.14 practice requires you to route all remote connections through a controlled access point. Routing connections through a limited number of controlled points makes sessions easier to monitor and reduces the number of entry points that can be misconfigured or attacked. Your business can route all remote traffic through a virtual private network (VPN) concentrator or gateway firewall device to comply with this requirement, provided no other path into the network (such as a directly exposed server or desktop-sharing service) remains open.
The AC.L2-3.1.15 practice requires you to explicitly authorize the remote execution of privileged commands and remote access to security-relevant information. A privileged command can affect the system’s security functions, and security-relevant information is any data in the system (such as audit logs, firewall rules, or account settings) that could affect its security features and services. You must define in policy which privileged activities staff may perform remotely, which require them to be on business premises, and who approves each.
The IA.L2-3.5.3 practice within the Identification and Authentication (IA) domain mandates multifactor authentication (MFA) for network access, which includes remote access to CUI. MFA combines two or more factors from different categories: something you know (a password or personal identification number), something you have (a cryptographic identification device or hardware authenticator), or something you are (a biometric). A password plus a PIN is two secrets from the same category and does not satisfy the requirement.
The IA.L2-3.5.4 practice requires authentication methods to be replay-resistant, meaning an attacker who records an authentication exchange cannot reuse it to gain access. An example of a replay-resistant method is challenge-response authentication using a cryptographic nonce, meaning “number used once”: the server sends a fresh random value, the client proves possession of a secret by computing a response over it, and the server accepts each nonce only once, so a captured response is useless for any later login. Time-synchronous one-time passwords and hardware authenticators that sign a server challenge work on the same principle, whereas a static password sent over the wire is replayable by design.
The MA.L2-3.7.5 practice within the Maintenance (MA) domain necessitates MFA for nonlocal maintenance and diagnostic activities. Remote access through an external network counts as nonlocal activity. You must also terminate the connection as soon as the maintenance is complete.
The PE.L2-3.10.6 practice within the Physical Protection (PE) domain requires employees who work from an alternate worksite to implement safeguarding measures for CUI. An alternate worksite can be an external government facility or the employee’s private residence. Your remote employees must ensure they’re using the same level of protection for CUI as they would in the office.
The SC.L2-3.13.7 practice within the System and Communications Protection (SC) domain requires the prevention of split tunneling in remote connections. You may encounter split tunneling while using VPNs for CMMC compliance. Split tunneling happens when a remote device, such as a laptop or phone, sends some traffic through the VPN to your business’s internal network while sending other traffic, such as general web browsing, directly to the internet outside the tunnel. That second path bypasses the controlled access point and the session monitoring required by the practices above, and it can turn the device into a bridge between the internet and your network. Configure the VPN client for a full tunnel (all traffic, IPv4 and IPv6, routed through the VPN), verify the setting on the endpoints rather than trusting the policy alone, and treat any client configuration that routes only selected subnets as a finding.
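As an added example that is not part of the original page, the script below audits WireGuard client configurations for split tunneling, with a split-tunnel and a full-tunnel config constructed inline for illustration (keys and hostnames are placeholders). WireGuard expresses the routing decision in the peer’s `AllowedIPs` line: only `0.0.0.0/0` together with `::/0` sends everything through the tunnel. The check deliberately treats an IPv4-only `0.0.0.0/0` as split tunneling, because IPv6 traffic would still leave the device directly. The function names `allowed_ips`, `is_full_tunnel` and `audit` are this example’s own.

```python
"""Audit WireGuard client configs for split tunneling (added example).

The two configs below are constructed for illustration; the private and
public keys and the endpoint hostname are placeholders, not real values.
"""
import ipaddress

# Weak setting: only the internal ranges go through the tunnel; all other
# traffic (web browsing, SaaS, malware callbacks) goes straight to the internet.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = REDACTED_CLIENT_PRIVATE_KEY
Address = 10.8.0.2/24

[Peer]
PublicKey = REDACTED_SERVER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 192.168.50.0/24
"""

# Corrected setting: default routes for both address families, plus DNS
# pinned to the tunnel so name resolution does not leak either.
FULL_TUNNEL_CONF = """\
[Interface]
PrivateKey = REDACTED_CLIENT_PRIVATE_KEY
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = REDACTED_SERVER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""


def allowed_ips(conf: str) -> list:
    """Collect every network listed under AllowedIPs in any [Peer] section."""
    nets = []
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                item = item.strip()
                if item:
                    nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_full_tunnel(conf: str) -> bool:
    """True only if a /0 default route exists for both IPv4 and IPv6."""
    nets = allowed_ips(conf)
    v4_default = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    v6_default = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    return v4_default and v6_default


def audit(configs: dict) -> dict:
    """Map each config name to a verdict suitable for a compliance report."""
    return {
        name: "full-tunnel" if is_full_tunnel(conf) else "SPLIT TUNNEL"
        for name, conf in configs.items()
    }


if __name__ == "__main__":
    for name, verdict in audit({"laptop-split.conf": SPLIT_TUNNEL_CONF,
                                "laptop-full.conf": FULL_TUNNEL_CONF}).items():
        print(f"{name}: {verdict}")
```

The config file is evidence of intent, not of behaviour: a user with local administrator rights can still add a route around the tunnel, so pair a check like this with endpoint management that locks the VPN profile and with a routing-table check on the device itself.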
The SC.L2-3.13.12 practice requires preventing remote activation for collaborative computing devices like whiteboards, cameras, or microphones. Collaborative devices must also alert users when they activate through indicator lights or onscreen notifications. Both of these precautions prevent the misuse of these devices by external parties.
With the extra CMMC practices for remote access, you may wonder if allowing your employees to work remotely is worth it. After all, these practices require systems, hardware, and processes that take time and money to implement. To determine whether you can allow remote work for DOD contracts, you will need to weigh the pros and cons. If doing business with the DOD is worth more than the cost and effort of securing a remote environment, it’s likely worthwhile. Keep in mind that CMMC sets the minimum requirements for handling CUI. A DOD contract can levy more stringent requirements, such as prohibiting remote work when handling CUI and requiring that work to be performed on site, so your organization will need to monitor the wording of each DOD contract closely for specific CUI requirements.
If you decide to go ahead with remote work, the best approach is to partner with a qualified CMMC consultant or a Certified Third Party Assessment Organization (C3PAO). They can conduct a gap analysis to evaluate your current security controls and develop a plan to address any security gaps.
Business Transformation Institute, Inc. (BTI) has the expertise and experience to support you through your CMMC compliance journey. We’re an authorized C3PAO with qualified team members authorized to conduct business at the highest levels of government information sensitivity. We have real-world experience with CMMC implementation, and some of our team members even helped develop the CMMC itself.
We know how challenging CMMC requirements can be, especially with hybrid or remote workers. That’s why we’ll meet you where you are and help you make well-informed, strategic decisions that work for your business. We can help you through any stage of the CMMC certification process, whether you need CMMC consulting, training, or assessment services.
Beyond compliance, CMMC requirements will help your business protect its sensitive data from cybercriminals. You’ll be prepared for any security challenges and can win the trust of your staff and customers. At BTI, we can help you achieve CMMC compliance and optimize your business’s processes and performance.
Transform your business by contacting BTI today.