Requirements for Home Based Government Contractors
Ever since the Cybersecurity Maturity Model Certification (CMMC) initiated back in 2019, there has been significant “spirited debates” on what do small business owners who operate home based businesses must do.
Questions ranging from:
- “Do I have to do a background investigation on myself?”
- “Isn’t it illegal for the government to enter my home without a warrant?”
- “Do I need to have a specific area of my home that is locked off from the rest of my own personal residence?”
This piece specifically focuses on what a Government Contractor (GovCon), who operates out of his/her own residence must consider in advance of trying to conform with CMMC.
First, do you anticipate being at Level 1 or Level 2? This is important because at Level 2 is where onsite physical inspections occur. If you anticipate you are only at Level 1, how did you come to that conclusion? You need to ask the following questions:
- Am I working on a project/program (now or anticipated) that has Space and Military applications? If yes, you will likely be at Level 2.
- Am I working on a project/program that directly supports the war fighter? (Think software that runs a Switchblade) If yes, you will likely be at Level 2.
- Am I working on project/programs where Government personnel’s personally identifiable information is in play? If yes, you are likely at Level 2.
If you are confident you will only need to be at Level 1, then the “concern” about an onsite inspection is null and void because it will not happen. UNLESS an issue arises that causes the Government to question the accuracy of your annual self-attestation. Please note that this should not be trivialized as the Justice Department has a new Division that makes this a core focus.
If the following thought has crossed your mind, “I don’t need to focus on CMMC because I am not supporting the Department of Defense”, you would be dead wrong. The U.S. Department of Homeland Security and even the Department of the Interior (Don’t ask me why, no idea on DOI) are gearing up to make formal requirements after the Federal Acquisition Regulations are revised (anticipated mid-2023).
So, let’s focus on the three questions described above. It is important to operate on details and facts, not conjecture.
Just the Facts, Mam
So, what do we know so far?
At the end of 2021, CMMC 2.0 was released. It referred to a scoping document (CMMC Assessment Scope, Level 2) that was released in December. This document defined four swim lanes of technology categories.
- CUI Assets
- Security Protection Assets
- Contractor Risk Managed Assets
- Specialized Assets
If you are a home-based business, your technology stack will likely consist of:
- ISP provided router and/or firewall
- Wireless access point
- Laptops
- Tower stations
- Cloud based SaaS/IaaS
- Printer(s) Scanner(s)
These same technology assets will need to be conveyed in a network topology properly marked based on one of the four scoping categories (as well as in your inventory of assets).
As a result, CUI assets, Security Protection Assets, and Contractor Risk Managed Assets are all in scope for inspection during a formal CMMC Assessment.
If the following thought has crossed your mind, “We use Virtual Desktop Environments so the endpoint no longer matters and therefore the assessment team would not need to come to my home.” Again, you would be wrong. The assessment team comes out to evaluate the physical protection aspects of the assessment and if you have a CUI or Security Protection Asset in scope, they will come.
Home Inspection – The Government is Coming!
Okay, okay, calm down. First off, the people that are coming are private sector citizens that are authorized by the US Government to perform assessments. You could argue that they are acting as “agents” of the government but that is a far stretch. So now that we have our questions, now that we understand what may be in scope, is there a checklist that you can use to help with an onsite inspection of your home-based business? Here is a start.
- Does your home have a security system that includes video monitoring and direct linkage to local law enforcement?
- Unless you are single, does your work area have clearly defined boundaries?
- Dedicated room with four walls?
- Lockable ingress/egress point? If yes, are authorized access users defined (in writing) and keys tracked for inventory?
- Do you ever have visitors accessing the area, if so, are you logging this in writing?
- Do you have wireless access? If so, how is your work activities clearly separated from non-work activities (kids PlayStation, connected, etc.)
- Have you performed a formal background investigation on yourself (providing you do not have an active clearance)?
- Have you performed a vulnerability scan on all devices within the scope of your home office? (Tenable, Qualys, OpenVAS, etc.)
- Is your Incident Response Plan readily available in hard copy?
To learn more about how SoundWay can assist you better understand the implications as well as prepare for a CMMC L2 assessment, please contact us at: CMMC@soundwayconsulting.com or check us out at: CMMC Consulting Services – Maryland, Virginia and the rest of United States (soundwayconsulting.com)