This is a short article on understanding on how smart watches can potentially fall in-scope for the NIST SP 800-171 / Cybersecurity Maturity Model Certification (CMMC) Maturity Level 3 requirements.

We often think about our cell phones, laptops, and desktops as information systems, but tend to forget the growing trend of smart watches. Which have all the capabilities of the above-mentioned devices. When you look at DFARS 252.204-7012, there are several definitions to keep in mind.

What is considered an information system?

First, an Information System means, “a discrete set of information resources for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” This definition would encompass smart watches and similar technologies.

Next, Covered Defense Information means, “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies…”

Lastly, Covered Contractor Information System means, “an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits Covered Defense Information.“

Is your smart watch in-scope?

If you receive an email that contains CUI on your smart watch, your smart watch will now be in-scope for meeting CUI security requirements. Similarly, if you open a document containing CUI from an online cloud storage application using your smart watch, your smart watch will also be in-scope for meeting CUI security requirements.

Let’s look at how NIST SP 800-171‘s concepts of “security domains” can be used to determine how smart watches would be scoped. If you used your smart watch to process, transmit, and/or store CUI data, your smart watch would be subject to the CMMC CUI protection requirements (i.e., it would be in-scope and reviewed as part of your CMMC assessment) because it is used to “process, store, or transmit CUI, or…provide[s] security protection for such components” (NIST SP 800-171 Revision 2, Section 1.1, 2nd Paragraph). This would also be true for other applications that are used to process CUI, including, without limitation:

• Viewing/sending/receiving emails via email application such as Outlook
• Editing/viewing documents in cloud storage applications such as One Drive

Your watch and multifactor authentication

Where things get more interesting is if you only used your smart watch to approve a multifactor authentication prompt, rather than handling CUI, your device might not be in-scope. Although a multifactor authentication service, such as Cisco Duo Security or Microsoft Authenticator, could be seen as providing security protection for “components” that handle CUI, it is not clear that NIST or DoD would consider the smart watch as being in-scope since all you would be doing is “pushing a button”. Also, it is not clear whether or not personal devices are authorized on a Covered Contractor Information System. DoD has indicated that they will publish scoping guidance in the near future, and hopefully that guidance will help clarify these kinds of issues.

In order to avoid this common and often overlooked issue, organizational policy should dictate either the use or prohibition of smart watches in order to protect the confidentiality of CUI. As a security best practice, it is best to remove all applications from your smart watch where CUI could potentially be processed, stored, and/or transmitted.

Author: Fernando Machado, CISSP, CISM, CISA, CEH