Home Inspections as part of CMMC?

Usual disclaimers: this article and the opinions within are my own and not those of any of my employers. I am not attempting to sell you anything. I hope you enjoy the article and find it useful. This is not legal advice.

I am compelled to write this article because I have seen enough discussion on the question of whether assessors will visit home residences as part of CMMC assessments. Remember, everything that has been said on the topic to date has been purely opinion. There has been no official guidance from the CMMC AB or the DoD A&S PMO on this topic. So, I will weigh in with my opinion as well.

The short answer is yes, there will be some home visits by CMMC assessors. However, the caveats are important, and everything has to be viewed through the lens of reasonableness.

Isn't this a violation of my constitutional rights? No. This is not an unreasonable search and seizure. It is an assessor coming to observe the practices you use to protect CUI. Nobody forces you to work with CUI or with the government, and you can stop at any time if you refuse to be a good data custodian and follow the data owner's requirements. But I really don't want them to come to my house, and I want to keep working for the DoD? Good news: you have until 2026 (unless the date slides) to figure out an alternative arrangement.

When should I expect to receive a home visit for CMMC assessment?

  • The HQ for the company is a home residence.
  • A data center is hosted at a home residence (whether HQ or not).
  • A significant amount of physical CUI media (paper, disks, tapes) is stored at a home residence.

When should I not expect to receive a home visit for CMMC assessment?

  • You are a regular employee of a company that has an office, and you are working from home over a VPN or are otherwise using the full security stack of the enterprise that is being assessed elsewhere (presumably in the office).
  • The only CUI stored at the personal residence resides on a managed laptop with full-disk encryption protecting the data at rest. Negligible amounts of paper CUI locked in one or two drawers are also acceptable. This scenario should be considered low risk.

Some considerations. The idea of a primary or alternate work site does apply here. A good practice is to create a Telework Agreement that employees sign as a condition of using their home as either a primary or alternate work site. The Telework Agreement satisfies PE.3.136[a] if it defines the safeguarding requirements for the employee, and the employee's signature satisfies PE.3.136[b] through policy enforcement, albeit with a low level of assurance. Would a visit by an assessor provide a higher level of assurance? Yes. Is it reasonable to do it for the extra benefit it would provide? No, not really. However, it would be reasonable to expect an assessor to review any telework agreements, verify signatures, and interview an employee; that interview could be virtual rather than in the employee's personal residence.

The idea that every WFH employee of every company would receive a visit from an assessor is absurd, impractical, and should not happen in any scenario. A reasonable middle ground, if a medium level of assurance is warranted or desired by the DoD, would be a small random sample of WFH employees. However, this would considerably increase the cost of an already extremely expensive assessment for very little gain, under the assumption that the only CUI present at a WFH location is the electronic CUI on a laptop or PC hard drive and potentially a locked drawer or two of paper CUI.

What if all of your storing and processing of CUI occurs in the cloud and it is only displayed on your screen at home via a virtual desktop? My breakdown above doesn't really change. Your company has a location and an address of record tied to your DUNS number and CAGE code, and it is best to demonstrate your operating procedures to the assessor in the daily environment where that CUI is processed. Could you rent a flex workspace to show your operating procedures and meet your assessor there as an alternative? Possibly, but that would probably come with its own caveats to make it acceptable.

My main takeaways:

  • The answer is always "it depends."
  • Blanket statements are bad. Only the Sith deal in absolutes.
  • Everything has to be viewed through the lens of reasonableness.
  • Create a Telework Agreement for working from home that outlines employee responsibilities.
  • Operating a data center out of your home is not the same as a standard employee working from home on a VPN. Do not conflate the two when discussing assessing personal residences for CMMC.
  • If your business's location of record is your personal residence, then I would expect to receive assessors there.

Thanks for reading. I look forward to reading your comments on my opinion. My opinion is subject to change when presented with new data.

Sara Spencer

CEO @ SolonTek | Network Administration, Security, Azure Cloud Administrator | SQL Server | Windows Server | CCNA | ISO 27001 Lead Auditor | Public Speaker | AI / Data Analytics | Python/Rust | HIPAA, NERC CIP,SOC, ISO

2 years ago

Easy read btw and I definitely agree with your opinions.

Paul Veeneman

IT/OT Cybersecurity & Risk Management | International Speaker | Adjunct Professor | Mentor

3 years ago

Jeff Baldwin, in a previous post and discussion around asset marking and labeling, “…we've established that an appropriately configured VDI can de-scope an endpoint.” If I’m a WfH employee, have a properly configured VDI, and it is agreed during the assessment that the endpoint asset is de-scoped, is the alternate worksite (home) then also de-scoped by proxy, or am I incorrectly conflating two mutually exclusive elements?

Christopher Paris

Brain rental service for ISO certifications/accreditations.

3 years ago

Debunked back in April. https://www.oxebridge.com/emma/cmmc-ab-triples-down-on-demanding-home-inspections-risking-dib-revolt/ CMMC-AB cannot generate a single approved assessor, but you want to add 90,000 extra assessment days to a company like Boeing, to audit each WFH employee? (Remember, Edens said "100%", so no sampling.) Good luck with that.

AJ Yawn

Director of GRC Engineering at Aquia | Anchored Ambition | Dad | Husband | Veteran | Mental Health Advocate | LinkedIn Top Voice | Keynote Speaker

3 years ago

What?


More articles by Jeff Baldwin, D.Sc.
