A question came up today from a client that has a large remote workforce.
“How can my help desk manage end user devices while staying compliant with 800-171 and CMMC?”
For example, can we use remote access tools like LogMeIn or Chrome Remote Desktop, which allow always-on connections to the desktop?
The following is my opinion. Take it at your own risk.
The problem with always-on remote access programs
Assuming that your end user devices contain or access sensitive information, any remote access or remote administration tool you install needs to be highly secure.
The main problem is that the vendors of the tools need to meet security requirements for 800-171 or CMMC. When you install the programs, you essentially give the vendors admin access to your CUI. This is very risky.
What happens if the vendor is operating from another country, especially one that is not an ally of the US? If another government wants access to your data, and the vendor’s employees are in that country, they will be forced to help.
Before giving vendors access to my CUI, I want to see something on the vendor website that talks about FedRAMP compliance.
- The vendor’s employees need to meet requirements such as US citizens on US land
- The vendor data center needs to be in the US
- The web portal for access needs to be highly secure
- The system needs to log access attempts and you need to be able to get these reports for auditing purposes
If a tool doesn’t meet these requirements, you may still be able to cover it with a POA&M or explain its use in the system security plan, especially if you have no other option, but I’d rather not try it.
What could work? Some remote access tools don’t call home to a vendor network. Instead of a web portal hosted by the vendor, try to find a tool that lets you host your own remote access server and make connections from there. You will still need to make a risk evaluation about whether the client software could have back doors, but that is the case for all software we install.
What can we use for remote management to do help desk support?
For Windows shops, connecting with Remote Desktop using domain credentials, over the corporate network or across a VPN, should be totally fine. Even better if you have multi-factor enabled.
Temporary screen sharing tools like Microsoft Teams, GoToMeeting, and WebEx should be OK. They need to be tightly controlled using administrative policies and training. Make sure to explain this in your system security plan.
For example, you might tell your users to follow these rules:
- Never grant remote control of the session to any external person. If an outside vendor is helping you, make them talk you through what to click.
- Always verify the identity of internal help desk personnel before giving them remote control.
- Always check that the screen sharing session is ended and the program is closed when done.
- Stop the screen sharing session and lock your computer before stepping away.
In addition, your engineers should implement technical controls to monitor for misuse.
- Use baseline process scans to find screen sharing programs and disable/block them if they try to keep a process running all the time.
- Monitor long-running sessions across your firewall (more than 3 hours, for example), and track down what is going on.
- Restrict installation of unapproved remote access tools (blacklist them; they are high-risk).
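One way to implement the long-session check above, as an added example that is not from the original post: it reads a simplified firewall session log and flags sessions open longer than the three-hour cut-off. The log format, field names and addresses are constructed for illustration.

```python
"""Flag long-running outbound sessions in firewall session logs.

Added example, not code from the original post. The record format
(one key=value line per session event, duration in seconds on close)
and the addresses are constructed; real firewalls log differently."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: internal hosts (10.1.4.0/24) talking to
# documentation-range addresses. One line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z src=10.1.4.22 dst=203.0.113.10 dport=443 proto=tcp action=close duration=420
2024-03-01T09:15:40Z src=10.1.4.35 dst=203.0.113.25 dport=443 proto=tcp action=close duration=14400
2024-03-01T10:00:00Z src=10.1.4.40 dst=198.51.100.7 dport=3389 proto=tcp action=close duration=1800
this line is garbage and must be skipped
2024-03-01T11:45:09Z src=10.1.4.51 dst=203.0.113.25 dport=443 proto=tcp action=close duration=12000
2024-03-01T12:30:05Z src=10.1.4.35 dst=203.0.113.25 dport=443 proto=tcp action=open
"""

THRESHOLD = timedelta(hours=3)  # the post's suggested cut-off


@dataclass(frozen=True)
class Session:
    closed_at: datetime
    src: str
    dst: str
    dport: int
    duration: timedelta


def parse_session(line: str):
    """Return a Session for a closed-session record, else None."""
    parts = line.split()
    if not parts:
        return None
    try:
        closed_at = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        if fields.get("action") != "close":
            return None  # only closed sessions carry a duration
        return Session(closed_at, fields["src"], fields["dst"], int(fields["dport"]),
                       timedelta(seconds=int(fields["duration"])))
    except (ValueError, KeyError):
        return None  # malformed record: skip it rather than crash the scan


def long_sessions(log_text: str, threshold: timedelta = THRESHOLD):
    """Return (src, dst, dport, hours) for sessions longer than threshold, longest first."""
    hits = []
    for line in log_text.splitlines():
        s = parse_session(line)
        if s is not None and s.duration > threshold:
            hits.append((s.src, s.dst, s.dport, round(s.duration.total_seconds() / 3600, 1)))
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    for src, dst, dport, hours in long_sessions(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} open for {hours} h, track down what is going on")
```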
What about tools for when my user is locked out?
The easiest solution is to have a unique local recovery account pre-assigned to each computer. It should have a unique user name with a password that is unique, complex, and long (16+ chars). No one in your organization (not even your admins) should know the credentials under normal circumstances. The credentials should be kept in an encrypted file or in a safe.
When your user gets locked out of their laptop and you can’t reach them normally, help them log in with this recovery account. Get a screen sharing session started, fix the problem, and reset the recovery account to a new password.
And yes, you might have to accept the pain of shipping laptops back and forth if all else fails. Have a couple extra laptops in reserve.
Lots to think about here. I hope that gets your brain juices flowing. Help others by commenting with your thoughts and experiences! I’d love to see suggestions for remote access programs that should be safe to use on CMMC and 800-171 networks.