July 13, 2021

Last Updated on January 13, 2024

Many defense suppliers pursuing Cybersecurity Maturity Model Certification (CMMC) Level 3 compliance have employees working on government furnished equipment (GFE). A common question is how GFE might affect the scope of a CMMC Level 3 assessment, and which issues to watch out for.

To get first-hand insight and tips on preparing for your CMMC assessment, Stacy High-Brinkley, VP of Compliance Solutions at Cask, was our guest on a recent episode of The Virtual CISO Podcast. Pivot Point Security CISO and Managing Partner, John Verry, hosts the show.

Keeping GFE out of CMMC scope

“GFE is supposed to be STIG’d and baselined and secure, and that comes under a whole different authorization process within the DoD Risk Management Framework (RMF),” notes Stacy. “So GFE is out of scope for CMMC.”

So does that mean you can just ignore your GFE for your CMMC assessment? Not quite…

“You need to ensure when you’re doing this kind of assessment that [your employees on GFE] aren’t using those assets for anything else, like attaching it to the corporate network or things like that,” Stacy specifies. “Most of those devices cannot attach to the corporate network. But I’ve seen some that have not been STIG’d properly… So you have to be careful with that. You have to really look at that and make sure they have the secure build on them, make sure that they aren’t touching the network, as much as you can, right? That’s out of scope. You’re not supposed to go there.”

How an auditor might look at GFE

“So when they tell me, ‘Hey, I’ve got these 10 GFE laptops, they’re not in the boundary,’ I might look at them and they’ll have the labels on from the government,” Stacy adds. “If I don’t see those labels, I might make them turn them on. But GFE is supposed to be labeled on the outside and on the laptop’s inside.”

“So, you might not have to look at, let’s say, the configuration management and the logging and things on those particular pieces of equipment, but you still have the obligation for, let’s say, physical security,” clarifies John. “And human resource security, of course, is still going to be in play.”

“And if those [GFE] devices are transiting [the company’s] network to get back to wherever they’re going, the agency or the prime contractor, do those network segments come into play, if that’s crossing a firewall and a router and a LAN segment?” asks John. “Is that segment in scope from your perspective; is that CUI relevant?”

“Let’s say someone’s on my network, and they plug in a GFE,” Stacy replies. “Right then I’m on high alert because they’re not supposed to be on my network. They’re supposed to be in their own tunnel; their own VPN back into the government network where they work.”
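The scoping point in the two quotes above (GFE is out of scope only while it stays off the corporate network, and a GFE device appearing on that network is an immediate flag) can be checked continuously rather than only at assessment time. The script below is an added example written for this page, not code from the article, from Cask or from Pivot Point Security. It reconciles a constructed CMMC asset inventory (MAC address, hostname, scope category) against constructed DHCP lease lines from the corporate LAN and reports any lease handed to a device inventoried as GFE, or to a device not in the inventory at all. The dhcpd-style log format, the inventory layout, the MAC addresses and the hostnames are all assumptions; adapt the regex and inventory source to your own environment.

```python
"""Flag government furnished equipment (GFE) seen on the corporate network.

Added example (not from the article). A CMMC scoping inventory lists each
asset's MAC address, hostname and scope category ("CUI" for in-scope assets,
"GFE" for government furnished equipment that must stay off the corporate
LAN). DHCP lease lines from the corporate LAN are parsed and any lease granted
to a GFE MAC, or to a MAC absent from the inventory, is reported.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory; all MACs and hostnames are hypothetical.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("LAPTOP-ENG-01", "CUI"),
    "aa:bb:cc:00:00:02": ("LAPTOP-ENG-02", "CUI"),
    "de:ad:be:ef:00:10": ("GFE-0010", "GFE"),   # government furnished, out of CMMC scope
    "de:ad:be:ef:00:11": ("GFE-0011", "GFE"),
}

# Constructed dhcpd-style lease lines (format assumed; adjust LEASE_RE for your server).
SAMPLE_LOG = """\
Jul 13 09:01:12 dhcp dhcpd[812]: DHCPACK on 10.20.1.15 to aa:bb:cc:00:00:01 (LAPTOP-ENG-01) via eth0
Jul 13 09:02:40 dhcp dhcpd[812]: DHCPACK on 10.20.1.16 to de:ad:be:ef:00:10 (GFE-0010) via eth0
Jul 13 09:03:05 dhcp dhcpd[812]: DHCPACK on 10.20.1.17 to 11:22:33:44:55:66 via eth0
Jul 13 09:04:22 dhcp dhcpd[812]: DHCPACK on 10.20.1.18 to aa:bb:cc:00:00:02 (LAPTOP-ENG-02) via eth0
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    label: str      # inventory hostname, or "unknown" when the MAC is not inventoried
    reason: str     # "gfe-on-corporate-lan" or "not-in-inventory"


def parse_leases(log_text):
    """Yield (ip, mac) for every DHCPACK line; MACs are normalised to lower case."""
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower()


def scope_findings(log_text, inventory=INVENTORY):
    """Return a Finding for each lease that violates the scoping boundary.

    A GFE device on the corporate LAN is the case the assessor would question;
    an un-inventoried device is reported too, because the inventory is the
    basis for the scope claim and anything outside it needs explaining.
    """
    findings = []
    for ip, mac in parse_leases(log_text):
        entry = inventory.get(mac)
        if entry is None:
            findings.append(Finding(ip, mac, "unknown", "not-in-inventory"))
        elif entry[1] == "GFE":
            findings.append(Finding(ip, mac, entry[0], "gfe-on-corporate-lan"))
    return findings


if __name__ == "__main__":
    for f in scope_findings(SAMPLE_LOG):
        print(f"{f.reason}: {f.label} ({f.mac}) leased {f.ip}")
```

Running it on the constructed log reports GFE-0010 on the corporate LAN and one unknown device; the two CUI laptops produce no finding. The same reconciliation can be fed from switch port-security or NAC logs instead of DHCP, which also catches statically addressed devices that never request a lease.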

What not to do with GFEs

“Even though it is out of scope for CMMC Level 3, all the other assets, if they touch any of the assets that I’m assessing for Level 3, then that’s coming into scope and is coming into concern,” cautions Stacy. “That would concern me more [if I were a] DoD assessor. I’d be, like, ‘Whoa, whoa, whoa. Someone didn’t tell you, you can’t plug this into this network, even though it doesn’t work… Or does it? Is it not truly locked down?’ I would think that they would have those offline and de-scoped. But if I saw them, I’d definitely inquire. I’m just trying to keep them safe from any kind of breach.”

What’s Next?

If your DIB org is preparing for a CMMC audit, you’ll be very glad you listened to this podcast episode with Stacy High-Brinkley.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.