User laptops and mobile devices can present a difficult challenge to contractors subject to CMMC requirements. Managing those devices to meet asset management, vulnerability management, security monitoring, FIPS-validated encryption, and other compliance requirements can be technically challenging and expensive. One approach to consider is removing user endpoints from the scope of the CUI boundary, or otherwise lessening the requirements that apply to those devices. This can be achieved by implementing a virtual desktop architecture that keeps CUI off the user endpoints and therefore changes how user endpoints affect the scope or system boundary relevant to CMMC requirements. By making CUI less accessible to user endpoints, the security requirements applicable to those devices can be dramatically reduced or eliminated entirely.
A properly implemented virtual desktop infrastructure (VDI) can allow laptops and mobile devices to be treated as out-of-scope or contractor risk-managed assets, depending on how tightly controls restrict the virtual desktop's access to local resources (e.g., clipboard, file system, printer, etc.). According to the CMMC v2.0 scoping guidance, assets that cannot handle CUI are completely out of scope for CMMC purposes. Assets (including laptops and mobile devices) that can but are not intended to handle CUI can be managed according to risk-based security policies defined by the contractor. These “Contractor Risk-managed Assets” (CRMA) do not need to comply with the full set of CMMC control requirements. Instead, contractors are only required to document the CRMAs (e.g., in the system inventory, in the system diagrams, and in the system security plan) and the risk-based policies and procedures used to manage those assets. Of course, contractors must also manage the CRMAs according to those risk-based policies.
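The strength of the scoping argument rests on the redirection restrictions mentioned above actually being in place on the virtual desktop hosts, so an assessor (or the contractor's own compliance team) will want evidence of them. The following PowerShell is an added example, not code from the original article or from SecureIT; it assumes an RDP-based VDI (Windows Remote Desktop Services session hosts) and audits the documented Group Policy-backed registry values for device and resource redirection, with an optional function to set them to the blocked state. Other VDI products expose equivalent controls through their own policy layers.

```powershell
# Added example (not from the original article): audit, and optionally enforce,
# session-host policies that block local-resource redirection on a Windows
# Remote Desktop Services / RDP-based VDI host.
# Assumption: the VDI is RDP-based. The path and value names below are the
# registry-backed settings for the Group Policy items under
# "Remote Desktop Session Host > Device and Resource Redirection".

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name -> the local resource it blocks when set to 1
$RedirectionControls = [ordered]@{
    fDisableClip     = 'Clipboard redirection'
    fDisableCdm      = 'Client drive (file system) redirection'
    fDisableCpm      = 'Client printer redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisableCcm      = 'COM port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

function Get-VdiRedirectionState {
    # Returns one object per control with its current value and whether it is
    # in the restrictive (blocked) state. A missing value means "not
    # configured", which on a session host means redirection is still allowed.
    foreach ($name in $RedirectionControls.Keys) {
        $value = $null
        if (Test-Path $PolicyPath) {
            $value = (Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Setting     = $name
            Description = $RedirectionControls[$name]
            Value       = $value
            Blocked     = ($value -eq 1)
        }
    }
}

function Set-VdiRedirectionBlocked {
    # Sets every control to 1 (blocked). Requires an elevated session.
    # A domain GPO targeting the same settings will overwrite local values at
    # the next policy refresh, so for a fleet set them in the GPO instead.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $RedirectionControls.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: audit first; the table output doubles as evidence for the SSP.
$state = Get-VdiRedirectionState
$state | Format-Table Setting, Description, Value, Blocked -AutoSize
$open = @($state | Where-Object { -not $_.Blocked })
if ($open.Count -gt 0) {
    Write-Warning ("{0} redirection path(s) still allowed on this host." -f $open.Count)
    # Uncomment to enforce on this host: Set-VdiRedirectionBlocked
}
```

Run the audit on each session host and keep the output with the system security plan; if any path reports as allowed, the endpoint connecting to that host can move CUI to local storage, and the CRMA treatment of that endpoint is harder to justify.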
For additional information about the advantages of VDI in narrowing the CMMC system boundary, refer to SecureIT’s blog on “VDI for CUI.”