While PreVeil’s platform protects CUI in Email and Files, CUI inevitably also comes in touch with your workplace’s endpoints. Indeed, CUI is frequently processed, stored and/or transmitted via these types of endpoint devices. Thus many NIST SP 800-171 security controls focus on endpoint protection.

What are Endpoints?

Endpoints are physical devices—such as desktops, laptops and smartphones—that communicate back and forth with a computer network and allow users to get work done. Because they are also entry points to networks, endpoints are appealing to cybercriminals, who exploit endpoints’ vulnerability to gain access to networks.

Forensic analysis of a major breach of a Las Vegas casino’s financial data on its high-end rollers found that cybercriminals gained entry to the casino’s network via the IoT device that monitored the temperature of the water in the fish aquarium in the casino’s lobby.

This blog offers a straightforward CMMC compliance tool checklist to help you identify some of the endpoints you might need to protect your organization’s CUI. The checklist is is based on straightforward questions that flow directly from the NIST SP 800-171 controls focused on endpoint protection. It also offers possible technology solutions you may want to consider to achieve compliance.

Note, however, that the possible solutions presented here are offered to help you sort through the sometimes overwhelming marketplace—not as an endorsement of those solutions. Also, this is not a comprehensive checklist of what it takes to secure your organization’s endpoints, but rather it serves to demonstrates an effective approach to compliance.

Note too that NIST SP 800-171 and CMMC compliance will result from a mix of technologies, policies and procedures. Adopting a technology solution without appropriate policies and procedures to ensure that it’s working effectively will not lead your organization to NIST SP 800-171 compliance or CMMC certification.

Endpoint Protection Checklist for CMMC Compliance

The questions posed here flow directly from the NIST SP 800-171 security controls focused on endpoint protection. This format is designed to help your organization better understand the practical implications of the required controls, and take the necessary steps to meet them.

  1. Does your organization have an Antivirus/Antimalware solution?
    Possible solutions – Microsoft Defender, Crowdstrike
  2. Do all your organization’s endpoint devices have hard drive encryption that is FIPS 140-2 validated?
    Possible solutions – Bitlocker (Windows), FileVault (Mac)
  3. Does your organization have a vulnerability scanning agent?
    Possible solutions – Microsoft Sentinel, SentinelOne
  4. Does your organization have Multifactor Authentication (MFA) on its endpoint devices?
    Recommendations for solutions – Microsoft 365 MFA, Duo Federal
  5. Does your organization have a log reporting solution, preferably a SIEM (a Security Information and Event Management tool), that can manage audit log correlations? Does your SIEM also have monitoring capabilities, for early threat detection?
    Possible solutions – Microsoft Sentinel, Splunk
  6. Does your organization have a device management and tracking solution?
    Possible solutions – Microsoft Intune, Google Endpoint Management

NIST SP 800-171 compliance and CMMC certification

Defense contractors have been required to comply with NIST SP 800-171 since 2017, and CMMC is steadily working its way through the federal rule making process toward implementation. See timeline below.

Any organization with a DFARS 7012 clause in their contract will need to comply with NIST 800-171’s 110 security controls in order to properly protect the CUI they manage. Importantly, and as this blog shows, CUI exists in your email and files as well as your endpoints. Your organization needs to ensure it is taking the proper steps to secure these endpoints per the requirements of NIST 800-171.

To learn more

For more information on endpoint compliance solutions and other CMMC compliance tools:

Or you may wish to learn more by reading PreVeil’s white papers and blogs: