A study recently shared with Ignyte posed a question that is on many minds.
How are organizations that have to adhere to CMMC level 2 handling personal devices? In other words, how do device policies such as bring your own device (BYOD), choose your own device (CYOD), company owned, personally enabled (COPE), and company owned, business only (COBO) fit with CMMC requirements?
We saw responses that ranged from the concerning (e.g., “it’s just email”) to the complicated (e.g., “fully managed devices with VPN and MFA requirements”).
While the technical considerations deserve careful thought, the problem many organizations actually run into is not a technical one. There are plenty of ways to technically facilitate secure and appropriate access to controlled unclassified information (CUI) from a personally owned device, some of which we’ll cover below.
The real problem is organizational, and more specifically rooted in legitimate employee concerns about privacy, autonomy, and trust. Put plainly: why should an employee who pays for their own phone and service give their employer unfettered access to that device?
One study respondent said, “…I’m getting a lot of pushback…” when discussing this subject with their company, and management being in that position is not unusual.
Interpretation and guidance
Every organization is unique and has a different risk management approach. What is appropriate and effective for one may not hold for another. Mobile device policy within the context of CMMC is an area that doesn’t have a black and white answer.
In the spirit of transparency, other assessment criteria are closely tied to this discussion, but for the purposes of this post we’ll focus on two controls. The first is AC.L2-3.1.18 – Mobile Device Connection, and the second is AC.L2-3.1.19 – Encrypt CUI on Mobile.
As of this writing, this is what the most current CMMC level 2 assessment guide has to say about assessing mobile device connections: “mobile devices that process, store, or transmit CUI are identified; mobile device connections are authorized; and mobile device connections are monitored and logged.”
And this is what the same document has to say about CUI encryption on mobile devices: “mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and encryption is employed to protect CUI on identified mobile devices and mobile computing platforms, to include smartphones, tablets, and e-readers.”
The layperson version of that is that companies have to identify (i.e., device-specific, consistent tagging), authorize, monitor, and log every mobile device that handles CUI, and encrypt the CUI on those devices. Note that the encryption objective attaches to the CUI that lands on the device, not only to the connection: a VPN or TLS session protects data in transit, while 3.1.19 asks what protects the data once it is stored on the phone or tablet.
Can your organization effectively perform these activities on your employees’ personal devices?
Possible technical solutions
The technical solutions offered by the study respondents are as follows:
- A fully managed personal device with mobile device management (MDM) software and native mail apps;
- Browser-based access from any device (Outlook Web App, OWA) with multi-factor authentication (MFA);
- A personal device with a company provided and managed virtual private network (VPN); and
- A fully managed company owned device with an endpoint solution.
There are likely many more ways to solve this problem technically. Two caveats apply to the list above: browser-only access (option 2) still has to answer the encryption objective for anything the user downloads or the browser caches on the device, and a VPN (option 3) protects the connection but by itself says nothing about what remains on the device after the session ends. Beyond that, the two main considerations that drive which solution a company chooses are its financial means and its employees’ concerns.
For example, if the organization has an employee population that is likely to push back on company access to personal devices, and it has the financial means to purchase and maintain enough devices to cover the users who need remote access to CUI (or are likely to have access to it), the fourth option is the best bet.
An organization whose employees have no such concerns, or that cannot shoulder the cost of issuing mobile devices, is free to explore the other options so long as they meet the requirements and expectations of CMMC level 2.
Larger organizational issues
As we’ve already said, the larger issue here is an organizational one. If you have employees who adopt the “it’s just email” attitude, then your security awareness and compliance training is failing and must be addressed.
Likewise, employees who agree with the sentiment “no one is emailing CUI” should raise significant red flags that warrant deeper questioning and assessment. One respondent offered these questions on this very topic: “What mechanisms do you have in place to ensure this is the case? At a minimum, is there a policy that tells you not to? Do you have keyword scanners in place to stop these emails?”
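To make the respondent’s last question concrete, here is the kind of outbound-mail keyword scanner they are asking about. It is an added example written for this post; it is not Ignyte’s product code and not something any respondent supplied. It assumes NARA-style CUI banner markings (“CUI” or “CONTROLLED”, optionally followed by “//” category and dissemination segments) plus the legacy “FOUO” stamp, a quarantine-on-hit policy, and constructed sample messages with made-up addresses.

```python
"""Outbound-mail keyword scanner for CUI markings (illustrative, added example).

Checks the subject, decoded text bodies and attachment file names of an
RFC 5322 message for NARA-style CUI banner markings and returns a verdict
plus the markings that drove it, so a mail gateway or reviewer has
something to act on and log.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Marking conventions the scanner looks for (assumed NARA format):
#   banner      "CUI" or "CONTROLLED"
#   categories  "//SP-CTI", "//SP-EXPT", ...              (optional, repeatable)
#   dissem      "//NOFORN", "//FED ONLY", "//REL TO USA, GBR" (optional)
# plus the legacy "FOUO" / "For Official Use Only" stamp seen on older files.
# Segment capture is approximate: it greedily takes following upper-case words.
_SEGMENT = r"//[A-Z][A-Z0-9\-]*(?:[ ,]+[A-Z][A-Z0-9\-]*)*"
# Lookarounds instead of \b so "CUI_drawing.pdf" still hits (underscore is \w)
# while "CIRCUIT" does not.
MARKING_RE = re.compile(
    r"(?<![A-Za-z0-9])(CUI|CONTROLLED)(?![A-Za-z0-9])((?:%s)*)" % _SEGMENT
)
LEGACY_RE = re.compile(r"\bFOUO\b|\bFor Official Use Only\b", re.IGNORECASE)


def scannable_text(msg: Message) -> list:
    """Return (location, text) pairs: subject, decoded text/plain bodies and
    attachment file names. Attachment *contents* (PDF, DOCX, images) are not
    inspected here; a real gateway needs a content extractor for those."""
    items = [("subject", msg.get("Subject", "") or "")]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            items.append(("attachment-name", name))
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            items.append(("body", raw.decode(charset, errors="replace")))
    return items


def scan_message(raw_message: str) -> dict:
    """Scan one raw message; return a verdict and the markings that drove it."""
    msg = message_from_string(raw_message)
    findings = []
    for where, text in scannable_text(msg):
        for m in MARKING_RE.finditer(text):
            findings.append({"where": where, "marking": m.group(0), "kind": "cui"})
        for m in LEGACY_RE.finditer(text):
            findings.append({"where": where, "marking": m.group(0), "kind": "legacy"})
    # Assumed policy: any recognizable marking holds the message for review.
    # An unmarked message passes, which is exactly why a keyword scanner is a
    # backstop for training and marking discipline, not a substitute for them.
    verdict = "quarantine" if findings else "allow"
    return {"verdict": verdict, "findings": findings}


def build_sample(subject: str, body: str, attachment_name: str = "") -> str:
    """Construct a sample message for testing (not a captured real e-mail)."""
    msg = EmailMessage()
    msg["From"] = "engineer@example.com"      # constructed addresses
    msg["To"] = "engineer.home@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"%PDF-1.4 constructed sample",
                           maintype="application", subtype="pdf",
                           filename=attachment_name)
    return msg.as_string()


# Constructed samples: one clean, one banner-marked with a marked attachment,
# one with the legacy FOUO stamp, and one that carries sensitive content
# without any marking (the case a keyword scanner cannot see).
SAMPLE_CLEAN = build_sample("Friday lunch", "Pizza at noon in the break room?")
SAMPLE_MARKED = build_sample(
    "CUI//SP-CTI - revised drawings",
    "CONTROLLED//SP-CTI//NOFORN\nRevision C of the bracket drawing is attached.",
    attachment_name="CUI_bracket_rev_C.pdf",
)
SAMPLE_LEGACY = build_sample("Old spec", "This is For Official Use Only per the 2014 stamp.")
SAMPLE_UNMARKED = build_sample("bracket", "Tolerances and material spec from the prime are below.")

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("marked", SAMPLE_MARKED),
                          ("legacy", SAMPLE_LEGACY), ("unmarked", SAMPLE_UNMARKED)]:
        result = scan_message(sample)
        print(label, result["verdict"], [f["marking"] for f in result["findings"]])
```

The unmarked sample passing is the point a practitioner should take away: a scanner like this catches markings, not content, so it only works as well as the marking discipline behind it, and it should be treated as a detective backstop and a source of audit evidence rather than proof that “no one is emailing CUI.” It also only reads subjects, plain-text bodies and file names; attachment contents need a separate extractor, and an upper-case “CONTROLLED” in ordinary prose will produce false positives, which for an outbound control is the safer direction to err.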
Ultimately, we can’t tell you in this post the exact mobile device policy you should adopt to comply with CMMC level 2. What we can tell you is that you will need one. And when the time comes to figure out the best way forward, Ignyte will be here to guide you.
Call to action
Ignyte helps organizations comply with the complex requirements of CMMC while protecting critical assets and government information. Talk to us today about how the Ignyte Assurance Platform can turn complicated decisions into simple ones.