CMMC Compliance: How to Secure End-Users and Endpoints with VMware EUC

Overview

Introduction

This document briefly reviews the components of CMMC and shows how VMware Workspace ONE® End-User Computing (EUC) solutions align to the NIST SP 800-171 framework, giving Defense Industrial Base (DIB) contractors, integrators and service providers (collectively, GovCons) a roadmap toward meeting the certification requirements.

This document focuses on CMMC Level 3 (process maturity "Managed", designated Good Cyber Hygiene). As a general guideline, it highlights the CMMC practices up to Level 3 against the VMware EUC products whose capabilities can satisfy the controls behind those practices.

Many of these practices are already deployed on-premises by numerous federal and private-sector customers, guided by controls aligned to SP 800-171 and validated under the National Information Assurance Partnership (NIAP) Product Compliant List entries for VMware. Some practices are delivered within VMware-hosted federal EUC solutions listed on the GSA FedRAMP Marketplace. Others are addressed by the DoD's own Security Technical Implementation Guides (STIGs) for VMware UEM, which govern how customers deploy, manage and secure endpoints in an enterprise and therefore how those deployments support CMMC practices and the SP 800-171 controls they map to.

Note: This document is only intended to provide a brief product capabilities guideline that can be used when mapping to CMMC requirement areas and practices/controls. It is not intended to be specific or to navigate readers through the entire CMMC accreditation process, for example, working with a CMMC Third-Party Assessment Organization (C3PAO) authorized to perform the certification audit for the Department of Defense's supply-chain cybersecurity program.

Also, it is not intended to provide analysis or mapping of VMware solutions beyond the scope of the EUC arena. See the CMMC whitepaper for further VMware product analysis of the data center, network and boundary elements.

Lastly, this overview is not meant to cover the recent Executive Order 14028 on Improving the Nation’s Cybersecurity nor those specific enhancements targeted for the NIST Secure Software Development Framework (SSDF). Those are being addressed separately from this guidance as a part of VMware’s critical software & secure software development lifecycle model (SSDLC).

Audience

This document is intended for IT administrators and product evaluators who are familiar with VMware's Anywhere Workspace powered by EUC and VMware Workspace ONE. Familiarity with the End-User Computing environment and with modern management, including device, app and identity management, is assumed. Knowledge of other technologies, such as VMware Horizon, security, Secure Access Service Edge (SASE) and Zero Trust Architecture (ZTA), is also helpful.

Cybersecurity Maturity Model Certification Overview

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) was created by the U.S. Department of Defense (DoD) to turn the existing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, together with guidance from the CERT Resilience Management Model (CERT-RMM), into measurable requirements whose implementation is verified through certification by an independent assessor rather than self-attested.

CMMC is a tangible certification path for companies serving in the Defense Industrial Base (DIB), covering DIB suppliers and DoD and "Fourth Estate" government contractors (GovCons). Other federal groups, including the Intelligence Community (IC), the Department of Homeland Security (DHS) and the General Services Administration (GSA), are also looking to incorporate the program into their acquisition and contracting vehicles. It will therefore soon no longer be possible for a GovCon to ignore compliance or to rely on a self-attestation of compliance.

What is the goal of CMMC?

In concert with the NIST SP it is derived from, the goal is to protect CUI that may reside on or pass through non-government systems outside direct federal/DoD control and in use by contractually obligated DIB GovCons. CMMC compliance ensures that the minimum controls are in place to fend off foreign/nation-state actors and other malicious third parties seeking access to these systems or to the data stored on or passing through them.

Protecting the government's intellectual property (IP) across the supply chain is paramount. Past intrusions, exfiltration and cyber-espionage activity have often originated not inside the government's own physical or logical perimeter but through affiliated GovCons, as in the recent SolarWinds compromise and the earlier Lockheed Martin F-35 Joint Strike Fighter program breach.

The NIST framework provides the controls, referred to within CMMC as practices, that form the certification criteria. The CMMC Accreditation Body (CMMC-AB) authorizes CMMC Third-Party Assessment Organizations (C3PAOs), whose assessors perform the audits and evaluations. Registered Provider Organizations (RPOs) and their Registered Practitioners (RPs) provide advice, consulting and recommendations to DIB clients before the audit. The assessor then evaluates the practices that the DIB entity (possibly with RPO/RP help) has implemented against one of five escalating maturity levels, from Basic Cyber Hygiene (Level 1) to Advanced/Progressive (Level 5).

How do I define the data or systems to be inclusive or necessary to comply with CMMC?

The contracting agency or branch defines the required level and compliance/certification through existing acquisition regulations, specifically Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, and states it in the Request for Proposal, Information or Quote (RFx). The agency identifies the covered data after its own security/compliance staff and authorizing official categorize the information, for example with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. (FIPS 140-2 is a separate requirement that often appears alongside it: it defines which cryptographic modules are validated for protecting CUI, as SP 800-171 requires, not how the data is categorized.) After that categorization, the corresponding CMMC level (1 through 5) is designated.

CMMC Applicability & Function

The types of information to be protected determine the CMMC level required, which is stated in the RFx and becomes a compliance obligation for the responding organization and its subcontractors. CMMC will thus be required of DoD contractors that process, store or transmit Federal Contract Information (FCI) or CUI on behalf of the DoD; FCI and CUI are distinct categories, and CUI carries the higher obligation. For each contract, the government stipulates the CMMC level based on the sensitivity of the information and the potential threat. Organizations should plan for and maintain the required CMMC level in a way that can be accomplished efficiently and cost-effectively.

At a minimum, contracts that involve FCI require CMMC Maturity Level 1, and contracts that involve CUI require Level 3 or higher. CUI is information that the government creates or possesses, or that an entity creates or possesses on the government's behalf, and that a law, regulation or government-wide policy requires to be safeguarded. The National Archives CUI Registry organizes CUI into roughly 20 organizational index groupings: intelligence, critical infrastructure, financial, NATO, statistical, legal, defense, export control, tax and so on.

CMMC recognizes that not all contractors store, process or transmit equally sensitive data. The model is therefore tiered, so that contractors that handle less sensitive data, including smaller businesses, can support contracts at a lower, more cost-effective CMMC level.

The CMMC model has 17 domains. Each domain outlines specific processes, capabilities, and practices. Figure 1 describes the relationship between these key terminologies.

Figure 1: CMMC Model Framework (Simplified Hierarchical View)

Each CMMC level comprises its own practices plus those of all levels below it. For example, Level 3 requires all practices from Levels 1 and 2 plus 58 additional practices specific to Level 3; Level 5 requires all 156 practices of Levels 1 through 4 plus 15 more (see Figure 2). To pass an audit and be certified at a level, each of that level's practices must be shown to be both implemented and in practice over time, that is, institutionalized (this latter point has been a challenge and was under discussion and review as of writing).


Figure 2: CMMC Practices Per Level

The CMMC model addresses the following 17 security domains; 14 are derived from the NIST FIPS 200 / SP 800-171 control families, and three are new to CMMC, as shown in Table 1:

Access Control (AC)

Asset Mgt. (AM) *

Audit & Accountability (AU)

Awareness & Training (AT)

Config Mgt. (CM)

Identification & Auth (IA)

Incident Response (IR)

Maintenance (MA)

Media Protection (MP)

Personnel Security (PS)

Physical Security (PE)

Recovery (RE) *

Risk Management (RM)

Security Assessment (CA)

Situational Awareness (SA) *

Sys Comm Protection (SC)

Sys & Info Integrity (SI)

Key: * denotes new control family for CMMC

Table 1: 17 Security Domains of CMMC

These control families are based largely on the existing NIST SP 800-171 framework, with three added: Asset Management (AM), Recovery (RE) and Situational Awareness (SA). At Level 3, the CMMC model encompasses all 110 security requirements defined in NIST SP 800-171 plus 20 additional practices. Capabilities are the achievements each domain must be able to demonstrate; there are 43 capabilities across the 17 domains of the CMMC model.

For these additional practices and for those found in Levels 4 and 5, CMMC incorporated key practices and processes from other standards and references, such as NIST SP 800-53, the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933, "Critical Security Controls for Effective Capability in Cyber Defense", and the CERT Resilience Management Model (CERT-RMM) v1.2. Table 2 shows the primary source frameworks for all CMMC practices by level.

CMMC Level   NIST SP 800-171 Requirements   Draft NIST SP 800-171B   Additional Requirements   Total Requirements
Level 1      17                             -                        -                         17
Level 2      65                             -                        7                         72
Level 3      110                            -                        20                        130
Level 4      110                            11                       35                        156
Level 5      110                            15                       46                        171

Table 2: CMMC Source Framework for Controls by Level

Key CMMC Deployment Considerations

To reach Level 3, a GovCon should take stock before an audit: inventory the solutions and tools already in the IT architecture to establish a baseline, and identify what must be augmented. In practical terms, there are five areas to examine to determine whether the organization has already invested appropriately in protecting CUI:

  1. Data: Ensure that the data and every element that stores or routes CUI (network, servers, email, databases, and so on) is secured according to the CMMC / SP 800-171 control groups (for example, Access Control (AC)).
    1. Other areas include document marking, encryption of data at rest (DaR) and data in transit (DiT), DNS filtering, and intrusion prevention/detection solutions to protect information that qualifies as CUI.
    2. Conditional-access policy enforcement and robust cloud-based content management for both the data and the apps, delivered securely to any device, anywhere.
  2. Cloud: Secure cloud solutions can enclave and containerize CUI, along with the tools used to manage and deploy to end-users, so a firm can segment that environment from the rest of its operations, lower the attack surface, and apply customized controls that correlate to the practices needed for CMMC certification.
    1. Leveraging existing accredited cloud solutions that have already laid the groundwork for SP 800-171 compliance, such as Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) offerings authorized under the GSA Federal Risk and Authorization Management Program (FedRAMP), can jumpstart that compliance.
  3. Endpoints: Company-owned tools, including mobile devices, desktops, laptops and cloud-based apps, need clear policies governing their access and use. Device and app management solutions are paramount to enforcing those policies and to covering the wide range of use cases involved.
  4. End-users: A company's greatest asset is unfortunately often its greatest weakness: the system's end-users themselves. Alongside the tools above, continuous training, education and auditing across the entire end-user environment are essential.
  5. Identity: Lastly, automating identity management and access to and through devices and apps is paramount not only for a good end-user experience (UX) but also for meeting DoD two-factor authentication (2FA) / multi-factor authentication (MFA) mandates, including Common Access Card (CAC) use through Personal Identity Verification Derived (PIV-D) credentials.
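As an added example (not code from the original page and not Workspace ONE code), the following Python script shows how the endpoint, identity and data checks listed above can be turned into a per-device gap report keyed by the CMMC domain abbreviations in Table 1, and how the same checks feed a conditional-access decision of the kind the Workspace ONE section later describes. The record field names (disk_encrypted, fips_mode, mfa_piv_d and so on) are assumed names for attributes a UEM inventory export would carry, the 30-day and 7-day thresholds are assumptions, and the inventory records are constructed sample data. An attribute a device never reported counts as a gap rather than a pass, because an assessor needs affirmative evidence that a practice is in place.

```python
"""Endpoint gap check against endpoint-facing CMMC practices.

Added example, not Workspace ONE code. It evaluates constructed UEM-style device
inventory records against checks grouped by the CMMC domain abbreviations used in
this document (AC, IA, MP, SC, SI). Field names are assumed names for attributes a
UEM export would carry; map them to your own inventory schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

AS_OF = date(2021, 6, 2)  # assessment date used by the sample run (guide's publish date)

# Constructed sample inventory (not real devices). A missing key models a device
# that never reported the attribute; the checker treats that as a gap, not a pass.
INVENTORY = [
    {"device_id": "LT-0001", "os": "Windows 10", "enrolled": True,
     "disk_encrypted": True, "fips_mode": True, "mfa_piv_d": True,
     "last_patch": date(2021, 5, 20), "av_definitions_age_days": 1,
     "compromised": False},
    {"device_id": "LT-0002", "os": "macOS 11", "enrolled": True,
     "disk_encrypted": False, "fips_mode": True, "mfa_piv_d": True,
     "last_patch": date(2021, 5, 28), "av_definitions_age_days": 3,
     "compromised": False},
    {"device_id": "MB-0003", "os": "iOS 14", "enrolled": False,
     "mfa_piv_d": False, "compromised": True},
]

Result = Optional[bool]  # True = pass, False = fail, None = not reported


@dataclass(frozen=True)
class Check:
    domain: str                            # CMMC domain abbreviation (Table 1)
    name: str                              # what the practice asks of the endpoint
    test: Callable[[dict, date], Result]   # (record, as_of) -> Result


def _flag(key: str) -> Callable[[dict, date], Result]:
    """Pass/fail on a boolean attribute; None when the device did not report it."""
    return lambda rec, _as_of: rec.get(key)


def _patched_within(max_days: int) -> Callable[[dict, date], Result]:
    def test(rec: dict, as_of: date) -> Result:
        last = rec.get("last_patch")
        return None if last is None else (as_of - last).days <= max_days
    return test


def _definitions_fresh(max_days: int) -> Callable[[dict, date], Result]:
    def test(rec: dict, _as_of: date) -> Result:
        age = rec.get("av_definitions_age_days")
        return None if age is None else age <= max_days
    return test


def _not_compromised(rec: dict, _as_of: date) -> Result:
    return None if "compromised" not in rec else not rec["compromised"]


# Endpoint-level checks, one per practice area discussed in the text.
# Thresholds (30 days, 7 days) are assumptions; set them from your own policy.
CHECKS = [
    Check("AC", "enrolled in UEM and subject to conditional access", _flag("enrolled")),
    Check("IA", "MFA with PIV-D derived credential enrolled", _flag("mfa_piv_d")),
    Check("MP", "data at rest encrypted on the device", _flag("disk_encrypted")),
    Check("SC", "FIPS-validated cryptographic mode enforced", _flag("fips_mode")),
    Check("SI", "OS patched within 30 days", _patched_within(30)),
    Check("SI", "malware definitions no older than 7 days", _definitions_fresh(7)),
    Check("SI", "device integrity intact (not rooted/jailbroken)", _not_compromised),
]


def status(result: Result) -> str:
    return "pass" if result is True else "fail" if result is False else "unknown"


def evaluate(record: dict, as_of: date) -> list[tuple[str, str, str]]:
    """Return (domain, check name, status) for every check on one device."""
    return [(c.domain, c.name, status(c.test(record, as_of))) for c in CHECKS]


def is_ready_for_cui(record: dict, as_of: date) -> bool:
    """Conditional-access decision: every check must affirmatively pass."""
    return all(s == "pass" for _, _, s in evaluate(record, as_of))


def gap_report(inventory: list[dict], as_of: date) -> dict[str, list[str]]:
    """Domain -> sorted device IDs with at least one failed or unreported check."""
    gaps: dict[str, set[str]] = {c.domain: set() for c in CHECKS}
    for rec in inventory:
        for domain, _name, s in evaluate(rec, as_of):
            if s != "pass":
                gaps[domain].add(rec["device_id"])
    return {d: sorted(ids) for d, ids in gaps.items()}


if __name__ == "__main__":
    for rec in INVENTORY:
        verdict = "ready" if is_ready_for_cui(rec, AS_OF) else "BLOCKED"
        print(f"{rec['device_id']}: {verdict}")
        for domain, name, s in evaluate(rec, AS_OF):
            if s != "pass":
                print(f"  [{domain}] {s:<7} {name}")
    print("gaps by domain:", gap_report(INVENTORY, AS_OF))
```

Run the script directly to print a per-device verdict and the gap list; to use it against a real fleet, replace INVENTORY with the records from your UEM export and adjust the field names and thresholds to your policy. Keeping "unknown" separate from "fail" in the report is deliberate: a device that cannot attest to disk encryption is a collection problem to fix before the audit, whereas a device that reports unencrypted storage is a control failure.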

An additional consideration before any formal engagement is to leverage existing or previous assessments in other frameworks that provide a comparable baseline, for example ISO 27001 or PCI DSS. Engaging a Registered Provider Organization (RPO) that specializes in CMMC readiness may also be worthwhile rather than going it alone.

If a GovCon does go it alone, the CMMC's own assessment guides (Levels 1 and 3 are available as of publication) are a good resource for checking that these and other elements of the environment are ready for an official audit.

Workspace ONE Solution

The VMware EUC product portfolio is made up of Workspace ONE, a digital platform that delivers Unified Endpoint Management (UEM) for most end-user device types and provides device, application, content and end-user experience management, an app store/catalog, and identity and access management (IdM/IAM), together with integrated services for access control, application management, single sign-on (SSO), data loss prevention (DLP), secure browsing, conditional access and multi-platform endpoint management.

The existing VMware EUC solutions have been authorized under GSA's FedRAMP program, which implements the Federal Information Security Modernization Act (FISMA) using NIST SP 800-53, the larger control catalog from which SP 800-171's requirements are derived. As of this writing, the CMMC-AB has not expressly defined reciprocity that would let this existing authorization stand in for a separate C3PAO assessment, although in numerous discussions and forums it is anticipated that a FedRAMP Moderate / DoD Impact Level 2 (IL2) authorization will be treated as equivalent to Level 3. Treat that as an expectation rather than a rule: the DoD Cloud Computing Security Requirements Guide places CUI at Impact Level 4 and above, so a DIB contractor should confirm with its contracting officer and C3PAO which impact level its CUI enclave must meet before relying on any pass-through.

Thus, as an existing or future government contractor handling DoD data at Level 3, a DIB customer can use the VMware FedRAMP-authorized environment and deployment architecture to implement the practices represented in the SP 800-53 control groups and map them to the SP 800-171 / CMMC framework as a certification baseline.

Workspace ONE is built on VMware's Workspace ONE UEM technology and integrates with virtual application delivery from VMware Horizon on a common identity framework, including PIV-D delivered by VMware Workspace ONE Access. The platform lets IT deliver a digital workspace with the devices and apps the business chooses, through Workspace ONE Intelligent Hub (Intel Hub) Services, without sacrificing the security and control IT needs: it encrypts data both at rest and in transit (for example, with Workspace ONE Tunnel and secure apps such as Workspace ONE Boxer for email) and provides data isolation, containerization and user-group segmentation. Workspace ONE Intelligence aggregates and correlates data from multiple sources to give visibility into the entire environment and produces the insights needed to make the right decisions for the deployment; its built-in automation engine can create rules that take automatic action on security issues. Finally, VMware EUC provides secure VDI through the Workspace ONE Horizon Service, whose multi-tenant, cloud-scale architecture lets administrators deploy virtual desktops and applications across public and private clouds.

[Workspace ONE: UEM | Access | Hub Services | Intelligence] + [Horizon]

Figure 3: EUC Portfolio Logical View with Product Links

Today's technology infrastructure is complex; VMware products aim to simplify it and create a more secure environment for customers. VMware's approach to helping customers meet regulatory controls includes compliance kits, validation of capabilities, evidence of the products' ability to meet compliance requirements (for example, under GSA's Federal Risk and Authorization Management Program, FedRAMP), and a framework for assembling products into a holistic compliance solution.

VMware prioritizes data protection and system security within an enterprise through Workspace ONE and its core components. The framework combines on-premises EUC and cloud-hosted product capabilities so that a customer can implement the CMMC controls required for compliance, and it uses the existing NIST SP 800-53 and SP 800-171 controls as its foundational security framework for standards and baselines. Table 3 gives the broad mapping:

CMMC Practice Control          UEM   Access   Intelligence   Intelligent Hub   Horizon
Access Control (AC)             X      X          X               X              X
Asset Mgt. (AM) *               X      -          X               -              -
Awareness & Training (AT)       X      -          -               X              -
Audit & Accountability (AU)     X      -          X               X              -
Config Mgt. (CM)                X      -          X               -              -
Identification & Auth (IA)      X      X          X               -              -
Incident Response (IR)          X      -          X               -              -
Maintenance (MA)                X      -          X               X              -
Media Protection (MP)           X      X          -               -              -
Personnel Security (PS)         X      X          X               -              -
Physical Security (PE)          X      X          -               -              -
Recovery (RE) *                 X      X          X               X              X
Risk Management (RM)            X      -          X               -              -
Security Assessment (CA)        X      X          X               -              -
Situational Awareness (SA) *    X      X          X               -              -
Sys Comm Protection (SC)        X      X          -               -              -
Sys & Info Integrity (SI)       X      X          X               -              X

Key: X = component contributes to the domain; - = not mapped; * denotes new control family for CMMC

Table 3: CMMC Security Domain Mapping to VMware EUC

Table 4 lists the VMware EUC components that serve each CMMC practice domain and the associated reference material for each component, in addition to the product release notes linked from Table 3.

CMMC Practice Control   VMware EUC Component(s)
(AC)                    UEM, Access, Intelligence, Hub & Horizon
(AM) *                  UEM & Intelligence
(AT)                    UEM & Hub
(AU)                    UEM, Intelligence & Hub
(CM)                    UEM & Intelligence
(IA)                    UEM, Access & Intelligence
(IR)                    UEM & Intelligence
(MA)                    UEM, Intelligence & Hub
(MP)                    UEM & Access
(PS)                    UEM, Access & Intelligence
(PE)                    UEM & Access
(RE) *                  UEM, Access, Hub, Intelligence & Horizon
(RM)                    UEM & Intelligence
(CA)                    UEM, Access & Intelligence
(SA) *                  UEM, Access & Intelligence
(SC)                    UEM & Access
(SI)                    UEM, Access, Intelligence & Horizon

VMware EUC Service Reference(s), per component listed above:
  UEM            TechZone: WSO UEM Architecture
  Access         TechZone: WSO Access Architecture
  Intelligence   TechZone: WSO Intelligence Architecture
  Hub            Docs: Release Notes for WSO Intel Hub
  Horizon        TechZone: WSO Horizon Architecture

Key: * denotes new control family for CMMC

Table 4: CMMC Security Domain Mapping to VMware EUC Service References

By considering the deployment and integration of the VMware EUC suite, especially when coupled with the VMware FedRAMP environment, a GovCon customer can take great strides before any formal assessment toward ensuring that its data is hosted, managed and controlled properly with respect to SP 800-171 and the CMMC mandate.

Furthermore, VMware is committed to supporting government IT programs and the extended ecosystem and supply chain worldwide, and continues to expand its compliance programs to meet the requirements of the most demanding missions. For more information on VMware compliance, see the following:

Lastly, be sure to subscribe and look for the enhanced tutorial and design-considerations guideline on Digital Workspace Tech Zone, which will be made available later this summer/fall as the final CMMC regulation details are ratified by the DoD and implemented into the program.

Additional Resources

For supporting documentation, explore the following resources:

Changelog

The following updates were made to this guide:

Date         Description of Changes
2021/06/02   Guide was published.

About the Author

Andrew Osborn serves at VMware as a dedicated Staff Technical Marketing Architect for all things End-User Computing (EUC) compliance and regulatory. He has over 20 years' experience in the IT industry, including the last 8 years in the public sector, with roles spanning cybersecurity, networking, enterprise operations, mobility and telco solutions across numerous technologies and architectures. Andrew received an MIS degree from the University of Oklahoma, holds the ISC2 CISSP and GIAC GSLC certifications, and is based in San Antonio, TX. He will be contributing to VMware's Tech Zone to provide more tailored messaging on VMware EUC solutions for Federal, State, Local and Education (SLED) customers.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.