Level 5 CMMC - CMMC Practices

SC.2.178  

Reference: CMMC 1.02

Family: SC

Level Introduced: 2

Practice:
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

CMMC Clarification:
You should configure collaborative computing devices so they cannot be activated remotely. Examples of such devices are cameras, microphones, etc. All users should receive a notification when a collaborative computing device is in use. Notification can include an indicator light that turns on when in use, or a specific text window that appears on screen. If a device does not have the means to alert a user when in use, the organization should provide manual means. Manual means can include, as necessary:
• paper notification on entryways; and
• locking entryways when a collaborative computing device is in use.

Example
You are responsible for IT operations in your organization. Your organization has a group of remote employees who collaborate using cameras and microphones attached to their computers. You want to prevent the misuse of these devices. You disable the ability to turn on cameras or microphones remotely on all devices. You also use a tool to alert users when their cameras or microphones are turned on. Although remote activation is blocked, this enables them to see if the devices were activated remotely. By doing this, you reduce the likelihood of someone being able to turn these devices on and listen or view what your employees are working on.

3.13.12

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

Discussion:
Collaborative computing devices include networked white boards, cameras, and microphones. Indication of use includes signals to users when collaborative computing devices are activated. Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.

*Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.

Source: NIST Special Publication 800-171 Rev. 2

SC-15

COLLABORATIVE COMPUTING DEVICES

Description:
The information system:
    a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
    b. Provides an explicit indication of use to users physically present at the devices.

Supplemental Guidance:
Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02