u/Verdant_Bloom1533

▲ 1 r/CMMC

3.1.18 BYOD identification and authorization

Environment: GCCH (Intune & Entra)

Current configuration

All employees are authorized to access the non-CUI email system (CRMA) since they've signed a BYOD agreement. We go through the following process:

  1. User signs into corporate email system through the managed Outlook app
  2. We get an alert
  3. We update hardware database to include the phone if all seems well

___

In hindsight this seems dubious. Would assessors be dissatisfied with granting access before explicitly identifying and authorizing a specific device? I'm not even sure how I'd be able to identify the device beforehand and add it to a BYOD group anyway.

reddit.com
u/Verdant_Bloom1533 — 5 days ago

Interim is... useless?

I work at a small company contracting for the Department of the Navy. I got my interim Secret relatively quickly and we were excited to start work. However, my FSO informed me that I need final determination in order to fill out a SAAR and gain access to the systems I need to do useful work (even just Flank Speed access would be more than enough).

I've been sitting here for a few months now sort of waiting on overhead pay being somewhat useful but ultimately still losing out on revenue. My supervisor and I are pretty confused because we don't see what the point of my interim is if I am in the same position as when I didn't have it.

Does the Department of the Navy have stricter requirements around interim? I don't exactly have anyone I know I can inquire outside of my company.

reddit.com
u/Verdant_Bloom1533 — 20 days ago
▲ 2 r/CMMC

Allowing CUI assets to connect to private guest WiFi

Architecture: Cloud enclave approach (CUI laptops + GCCH)

Is there any reasonable way to defend allowing CUI laptops to connect to the private office guest network, or any public guest network for that matter? If so, what measures are generally needed? (e.g. Client isolation, logically segmented access point, always-on VPN for CUI laptop when off corporate network, etc.)

Would permitting CUI laptops to connect to the private office guest network bring that wireless access point into scope (since it is now capable of transmitting CUI) or would it remain out of scope just as it would at home, hotel, etc.

reddit.com
u/Verdant_Bloom1533 — 25 days ago

What's are some ways to receive a recurring notification?

I'm going crazy. I need to do a basic task by 10am every day for which I receive an automated email by then if I don't do it. That automated email ends up doing a better job of reminding me than I can, but by then it's obviously too late.

I feel like I tried Microsoft To Do, but they would stop triggering if I didn't mark it off as complete.

I'm looking to hear multiple solutions, both with process and with habit. (This has happened 9 times in 50 days.)

reddit.com
u/Verdant_Bloom1533 — 1 month ago
▲ 8 r/CMMC

CMMC email scoping

Expanding on an earlier post CMMC emails since I'm new to this process and don't understand scoping very well.

---

It's common to have CUI sent to our email system that we don't want CUI in, usually received from customers but possibly from employees sending it out/internally. In a full-cloud/enclave environment (GCCH), what are the considerations for the email system during the scoping process?

My questions:

  1. Is it CRMA? Or can I take it out of scope?
  2. Is the BYOD container for that email also CRMA because there's a risk of receiving CUI?
  3. Will the fact that an enclave (CUI) laptop can theoretically send CUI to a business operations (non-CUI) laptop bring those into scope as well?
  4. Generally, what considerations do I need to implement to move towards compliance?

So far, I am thinking the following things might apply:

  • A formal policy disallowing CUI in that email system
  • Reasonable measures to catch and log CUI entering the email system
    • Reject emails/attachments with a sensitivity label (...although people seldom take the time to tag)
    • Maybe classification through Purview?
  • A CUI spillage procedure
  • Ability to prevent screenshots, prevent copying, or remotely wipe on BYOD email container
reddit.com
u/Verdant_Bloom1533 — 2 months ago