Cloud-only (GCC High), no VPN, remote workers on public/hotel Wi-Fi. Is Conditional Access + TLS enough for 3.1.12/3.1.16/3.1.17?
Fully cloud, no on-prem. Looking for anyone assessed with a similar setup.
Our environment:
- CUI lives in GCC High + on Intune/BitLocker-managed laptops
- Every session requires Conditional Access (compliant device + MFA)
- All traffic to GCC High is TLS 1.2+/FIPS, end to end, regardless of network
- Local Wi-Fi at HQ WPA3-Enterprise, internet-only, no on-prem resources behind it
- Employees travel often, connect through hotel/public Wi-Fi, sometimes open
Our position:
- Nothing in 3.1.12–3.1.15 requires trusted transport, only that the session be controlled/monitored/encrypted, which we do
- Scoping 3.1.16/3.1.17 to our own Access Points, not networks we don't own public system / home office.
- Leaning on DoD FAQ v5: B-A8 (ciphertext on unsecured "common carrier" networks is an accepted risk) and F-Q4 (encrypted CUI transiting networking components doesn't pull them into scope)
- Not deploying a VPN, since the session is already fully protected independent of network
Questions:
- Did your C3PAO accept "no VPN" for a cloud-only org, or push back?
- Did public/hotel Wi-Fi come up as an issue at all, given B-A8/F-Q4?
- For 3.1.16/3.1.17, did assessors stay scoped to your own access points, or try to pull remote networks in?