How Should CMMC Impact Your Remote Work Policies?

By Zac Amos, Features Editor, ReHack

Cybersecurity Maturity Model Certification (CMMC) is another compliance framework defense industrial base (DIB) contractors can add to their toolkits to work for the Department of Defense (DoD).

Government contractors must look to the newest version of this framework to stay on top of security as new working habits and conditions expand outside of traditionally secure purviews. How will CMMC address the mobile working revolution for safety, especially for high-profile government jobs?

What Is CMMC, and How Do Contractors Achieve Compliance?

CMMC, previously known as the Defense Federal Acquisition Regulation Supplement (DFARS), is a comprehensive cybersecurity framework to ensure defense contractors’ skills, knowledge and trustworthiness. Companies and individuals bidding for government contracts must adhere to stay relevant in a highly competitive cyber landscape. Many people wonder if it leaves room for contractors to be remote — it does, but with extra stipulations.

Third-party assessors and self-evaluations analyze intimacy with government protocols and cybersecurity know-how. How can these entities protect government data, like controlled unclassified information (CUI) or federal contact info (FCI)? Do they know how to work with high-stakes, priceless data if a threat actor breaches defenses?

Achieving compliance requires navigating the three levels of qualification, undergoing interim assessments and third-party audits, and drafting a plan of action and milestones. There’s plenty to unpack before getting the seal of approval, but it ensures contractors earn trust and prove their commitment to digital protections.

How Does CMMC Impact Remote Work?

Previously, government contractors were in controlled environments with company-sponsored cybersecurity infrastructure. The rise of remote work expands an attack surface area beyond comprehension, so CMMC made guidelines for adapting to these lifestyles by looking at cloud computing and quality assurance while on the go. However, many remote work compliances circle the various facets of remote access.

Contractors must practice monitoring remote access points and connectivity. Remote access is a streamlined way to reach protected machines in safe venues, but the connection should be encrypted and secure to be foolproof. Networks permitting access must install additional verification measures like intrusion detection and cryptography and keep detailed reports to prove to auditors their permissions are minimal and recorded. It will help prevent cyberattacks primed for remote environments.

Apart from reigning in remote access, companies must also evaluate permissions. What can administrators do, and can they control more or less with remote sessions? Could they perform these tasks — maintenance or operational — on and off the network, or is connectivity required?

The varying work-from-home measures are specific to designated CMMC levels, so not all precautions are required if contractors don’t plan to advance to Level 3. These are all the specific controls to access CUI that remote contractors should pay special attention to, among others:

• 1.12
• 1.13
• 1.14
• 10.6
• 13.7
• 5.3

For example, not all levels require two-factor authentication, but only 57% of organizations used these authentication tools in 2019. Their effectiveness is sound, so why not incorporate it into remote work procedures?

How Can Companies Make Remote Policies Compliant?

One of the best ways to achieve compliance is by incorporating secure tools. These are a powerful start in outfitting remote contractors:

• Multifactor authentication (MFA) software
• Hardware-based virtual private networks (VPNs)
• Tokenization
• External device connection indicators, like for microphones

More advanced operations could further restrict access by collecting data on contractor activity. Companies can set alerts for when irregular access locations occur or contractors log in at erratic hours. It can also monitor if non-company-approved devices seek access.

Contractors can also reference NIST 800-171 to bolster remote compliance. It’s the backbone of CMMC, and every cybersecurity framework, local or remote, can benefit from reviewing what it offers.

Another less formal way of ensuring workers achieve CMMC compliance for remote desks is to assert professional conduct. Working from home has its perks, like more lax dress codes, but the change in mindset shouldn’t detract from attentiveness and security. Companies hiring contractors can set clear expectations with them on how to maintain productivity and awareness despite working in less-than-traditional settings.

Stretching Compliance Beyond Office Doors

CMMC is preparing contractors for the next phase of the remote work revolution. The space for threat actors to nudge into sensitive areas increased to potentially every geographic point on the planet. Compliances are the touchstones for solidifying a safe digital workplace.

The resources to forge safe spaces for government data are here, and protective digital tools and assets improve daily. The revision of CMMC shows it is willing to adapt to new work environments and global change, so contractors should stay on top of updates at all costs.

About the Author

Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.