October 19, 2023

While PreVeil’s platform protects CUI in Email and Files, CUI inevitably also comes in touch with your workplace’s endpoints.. Indeed, CUI is frequently processed, stored and/or transmitted via these types of endpoint devices. Thus many NIST SP 800-171 security controls focus on endpoint protection.

Endpoints are physical devices—such as desktops, laptops and smartphones—that communicate back and forth with a computer network and allow users to get work done. Because they are also entry points to networks, endpoints are appealing to cybercriminals, who exploit endpoints’ vulnerability to gain access to networks.

Forensic analysis of a major breach of a Las Vegas casino’s financial data on its high-end rollers found that cybercriminals gained entry to the casino’s network via the IoT device that monitored the temperature of the water in the fish aquarium in the casino’s lobby.

This blog offers a straightforward CMMC compliance tool checklist to help you identify some of the endpoints you might need to protect your organization’s CUI. The checklist is is based on straightforward questions that flow directly from the NIST SP 800-171 controls focused on endpoint protection. It also offers possible technology solutions you may want to consider to achieve compliance.

Note, however, that the possible solutions presented here are offered to help you sort through the sometimes overwhelming marketplace—not as an endorsement of those solutions. Also, this is not a comprehensive checklist of what it takes to secure your organization’s endpoints, but rather it serves to demonstrates an effective approach to compliance.

Note too that NIST SP 800-171 and CMMC compliance will result from a mix of technologies, policies and procedures. Adopting a technology solution without appropriate policies and procedures to ensure that it’s working effectively will not lead your organization to NIST SP 800-171 compliance or CMMC certification.

CMMC Compliance Tool Checklist

The questions posed here flow directly from the NIST SP 800-171 security controls focused on endpoint protection. This format is designed to help your organization better understand the practical implications of the required controls, and take the necessary steps to meet them.

Does your organization have an Antivirus/Antimalware solution?
⇒Possible solutions – Microsoft Defender, Crowdstrike
Do all your organization’s endpoint devices have hard drive encryption that is FIPS 140-2 validated?
⇒Possible solutions – Bitlocker (Windows), FileVault (Mac)
Does your organization have a vulnerability scanning agent?
⇒Possible solutions – Microsoft Sentinel, SentinelOne
Does your organization have Multifactor Authentication (MFA) on its endpoint devices?
⇒Recommendations for solutions – Microsoft 365 MFA, Duo Federal
Does your organization have a log reporting solution, preferably a SIEM (a Security Information and Event Management tool), that can manage audit log correlations? Does your SIEM also have monitoring capabilities, for early threat detection?
⇒Possible solutions – Microsoft Sentinel, Splunk
Does your organization have a device management and tracking solution?
⇒Possible solutions – Microsoft Intune, Google Endpoint Management

NIST SP 800-171 compliance and CMMC certification

Defense contractors have been required to comply with NIST SP 800-171 since 2017, and CMMC is steadily working its way through the federal rule making process toward implementation. See timeline below.

Any organization with a DFARS 7012 clause in their contract will need to comply with NIST 800-171’s 110 security controls in order to properly protect the CUI they manage. Importantly, and as this blog shows, CUI exists in your email and files as well as your endpoints. Your organization needs to ensure it is taking the proper steps to secure these endpoints per the requirements of NIST 800-171.

To learn more

For more information on endpoint compliance solutions and other CMMC compliance tools:

Book a free 15-minute consultation with our compliance team
Access PreVeil University’s resources, including a 14-part video series covering each of the 14 NIST SP 800-171 control families. Contact PreVeil Sales for more details.

Or you may wish to learn more by reading PreVeil’s white papers and blogs:

Author

Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP

Noël Vestal is a CMMC Certified Professional and CMMC RP with over 15 years in DoD IT program management. She implemented the NIST 800-171/CMMC Level 2 compliance program for an OSC member of the DIB. She has her Master of Science (M.S.) in Information Technology and holds certifications from the CMMC Accreditation Body (CMMC AB) as a CMMC Certified Professional (CCP), CMMC Registered Practitioner (RP), CMMI Associate, and holds additional certifications including, Project Management Professional (PMP), and CompTIA’s Security + certification.

Orlee Berlove has been a marketing leader for over 25 years, and is currently the Senior Director of Marketing at PreVeil. She has her Masters of Engineering, Operations Research and her Bachelor of Arts from Cornell University.