SC.2.178

Control Acronym

SC

Family

System And Communications Protection

CMMC Level

2

800-171 Control #

3.13.12

CMMC Description

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

CMMC Clarification

You should configure collaborative computing devices so they cannot be activated remotely. Examples of such devices are cameras, microphones, etc. All users should receive a notification when a collaborative computing device is in use. Notification can include an indicator light that turns on when in use, or a specific text window that appears on screen. If a device does not have the means to alert a user when in use, the organization should provide manual means. Manual means can include, as necessary: * paper notification on entryways * locking entryways when a collaborative computing device is in use. Example You are responsible for IT operations in your organization. Your organization has a group of remote employees who collaborate using cameras and microphones attached to their computers. You want to prevent the misuse of these devices. You disable the ability to turn on cameras or microphones remotely on all devices. You also use a tool to alert users when their cameras or microphones are turned on. Although remote activation is blocked, this enables them to see if the devices were activated remotely. By doing this, you reduce the likelihood of someone being able to turn these devices on and listen or view what your employees are working on.

800-171 Description

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

800-171 Discussion

Collaborative computing devices include networked white boards, cameras, and microphones. Indication of use includes signals to users when collaborative computing devices are activated. Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-15

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.12

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-3

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

SC.2.178.[a] collaborative computing devices are identified;

Assessment Sub-Criteria 2

SC.2.178.[b] collaborative computing devices provide indication to users of devices in use; and

Assessment Sub-Criteria 3

SC.2.178.[c] remote activation of collaborative computing devices is prohibited.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15