While PreVeil’s platform protects CUI in Email and Files, CUI is also usually processed, stored and/or transmitted via these types of endpoint devices, which bring them in-scope for NIST SP 800-171 and CMMC compliance.

What are Endpoints?

Endpoints are physical devices—such as desktops, laptops and smartphones—that communicate back and forth with a computer network and allow users to get work done. Because they are also entry points to networks, endpoints are appealing to cybercriminals, who exploit endpoints’ vulnerability to gain access to networks.

This blog offers a CMMC compliance tool checklist to help you identify the endpoints you need to protect and the possible technology solutions you may want to consider to achieve compliance.

Note, however, that the possible solutions presented here are offered to help you sort through the sometimes overwhelming marketplace—not as an endorsement of those solutions.

Note too that NIST SP 800-171 and CMMC compliance will result from a mix of technologies, policies and procedures. Adopting a technology solution without appropriate policies and procedures will not lead your organization to NIST SP 800-171 compliance or CMMC certification.

Endpoint Protection Checklist for CMMC Compliance

The questions posed here flow directly from the NIST SP 800-171 security controls focused on endpoint protection. This format is designed to help your organization better understand the practical implications of the required controls, and take the necessary steps to meet them.

  1. Does your organization have an Antivirus/Antimalware solution?
    Possible solutions – Microsoft Defender, Crowdstrike
  2. Do all your organization’s endpoint devices have hard drive encryption that is FIPS 140-2 validated?
    Possible solutions – Bitlocker (Windows), FileVault (Mac)
  3. Does your organization have a vulnerability scanning agent?
    Possible solutions – Microsoft Sentinel, SentinelOne
  4. Does your organization have Multifactor Authentication (MFA) on its endpoint devices?
    Recommendations for solutions – Microsoft 365 MFA, Duo Federal
  5. Does your organization have a log reporting solution, preferably a SIEM (a Security Information and Event Management tool), that can manage audit log correlations? Does your SIEM also have monitoring capabilities, for early threat detection?
    Possible solutions – NeQter Labs, Microsoft Sentinel, Splunk
  6. Does your organization have a device management and tracking solution?
    Possible solutions – Microsoft Intune, Google Endpoint Management

NIST SP 800-171 compliance and CMMC certification

Defense contractors have been required to comply with NIST SP 800-171 since 2017, and CMMC is steadily working its way through the federal rule making process toward implementation. See timeline below.

Any organization with a DFARS 7012 clause in their contract will need to comply with NIST 800-171’s 110 security controls in order to properly protect the CUI they manage. Importantly, and as this blog shows, CUI exists in your email and files as well as your endpoints. Your organization needs to ensure it is taking the proper steps to secure these endpoints per the requirements of NIST 800-171.

To learn more

For more information on endpoint compliance solutions and other CMMC compliance tools:

Or you may wish to learn more by reading PreVeil’s white papers and blogs: