Beat the Toughest CMMC Level 3 Requirements: Mobile Device Management
Many SMB suppliers to the US Department of Defense (DoD) face a significant effort to get ready for their upcoming Cybersecurity Maturity Model Certification (CMMC) compliance audit. But with over 130 interrelated controls to evaluate at CMMC Level 3, knowing where to start and what to focus on is crucial.
To help SMBs across the US Defense Industrial Base (DIB) prepare for CMMC Level 3, John Verry, Pivot Point Security’s CISO and Managing Partner, recorded a special episode of The Virtual CISO Podcast on the six biggest challenges most SMBs will face on the road to CMMC Level 3 compliance — and how to solve them.
This blog post covers mobile device management. Be sure to check out the posts devoted to the other “gotchas.”:
- Mobile Device Management
- Multifactor Authentication
- End-to-End Encryption
- Email Spam Protection and Sandboxing
- Logging and Alerting
How to Beat CMMC Level 3’s Mobile Device Management Requirements
There are several controls within the CMMC’s Access Control practice at Level 3 that relate to managing mobile devices. These include AC.3.020, “Control connection of mobile devices” And AC.3.022, “Encrypt CUI on mobile devices and mobile computing platforms.”
According to John, the key idea to keep in mind with CMMC Level 3 controls is your obligation to maintain the confidentiality of Controlled Unclassified Information (CUI) throughout its lifecycle. So with mobile devices like phones, tablets and laptops, the goal is to make sure any CUI stored on or accessed by these devices is maintained in a FIPS-compliant, encrypted state.
“The easiest way to think about that, if you’re going to have a lot of mobile devices, is to move towards a mobile device management (MDM) solution,” John advises. Companies using Microsoft 365, for example, can potentially leverage Microsoft’s cloud-based (and free) Intune solution to control and encrypt CUI on mobile devices, as well as automatically delete CUI from lost/stolen devices.
A further benefit of Intune and similar MDM tools is the ability to enforce minimal configuration baselines before allowing a mobile device to connect to a network or application. This capability can help you meet CMMC’s configuration management requirements.
Training users on MDM can also present problems. “Nobody likes to put in multi-factors for authentication,” John acknowledges. But experience shows that users quickly get accustomed to it, especially when they understand that the company’s financial wellbeing… and hence their jobs… could depend on it.
“The answer to managing user expectations has a lot to do with what we refer to as ‘tone at the top,’” notes John. “As you’re making changes to move to CMMC… it’s definitely going to impact users. When you’re making these changes, it’s important to communicate why you’re making them. … This is the way the world is going.”
Making passwords, logins, etc. as simple as possible; e.g., by teaming MDM with a password management tool like LastPass, can certainly help as well.
If there is a CMMC audit in your company’s future, you don’t want to miss this special episode of The Virtual CISO Podcast with CMMC expert John Verry.
To hear this episode in its entirety, and many others like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.