Just as the title reads. Have a user that needs to remote in from home and use their computer.
Basically VDI but not “V” and hosted behind our Firewall.
Is there an application for that or what is the best way that is CMMC 2.0 L2 compliant?
(FIPS Compliant) VPN and RDP.
We have a policy that clearly states that we only allow devices that are owned/managed by the organization and are fully compliant to connect to our in-scope network. In the case of remote access, users who require it (almost all of them LOL) must use a laptop we give them. This whole process is documented in our SSP.
Our VPN solution will only allow the device to connect if it has our AV agent installed, and it's up to date with patches. We're the only ones who can install the AV agent, which means only laptops we manage and authorize for VPN will have it, and can VPN. We monitor device AV and patch status very closely, so if a system is getting close to being out of compliance, the user is notified and required to work with us to make sure it's patched and back to full compliance. They're also given a refresher training course on their responsibility to keep those devices online regularly so they get patched and AV agent updates, before they can have the laptop back.
As of now, they can connect from that laptop assigned to them to any internal system in our network via RDP or SSH, once they VPN. We're confident that meets the controls but we're working to restrict this further using VDI. Once we're done in the next couple of weeks, the laptop will only be allowed to connect to a single device managed by IT which will let them spin up an ephemeral VM (only active for that session, not allowed to store any data, and it's destroyed at the end of the session), which can then RDP to their authorized system inside our network. A little convoluted and not deemed a requirement, but we believe it's worth the extra level of protection and doesn't complicate the user's workflow as much as it sounds like when I explain it.
Hope that helps a bit. We’re still working through some of the logistics and testing. I just happened to be working on the SSP so this was fresh in my mind so figured I’d share what we’re doing.
I'll bite. Answer is no. Why? It is a personal computer that is off scope. VPN or RDP FIPS not even relevant. That personal computer does not meet your documentation scope for access to CUI, and the time you would consume trying to justify that in documentation would be more than just buying the user an in-scope laptop. I can think of about 10 controls that would not be satisfied if you allowed that computer to login to your network. NIST is 90% Behavior and 10% Technology, and allowing a personal computer on to your network for any reason is not good behavior.
Cloudflare for Government. You can use Cloudflare tunnels to allow Zero Trust access to RDP for the machine.
Azure virtual desktop.
This is literally exactly what VPNs allow you to do.
Man, I’m not sure what the best application or system to implement for this would be.
It sounds like you want people to be able to remote desktop to company machines in the office from their personal devices at home?
The issue with this is that you’d have to keep the personal devices out of scope because you’re probably not able to manage them or ensure controls are met on those devices. Unless you’re able to ensure access controls and all CMMC controls are met without needing to manage or include the home devices in scope, it would not be compliant.
If they're using a 2nd company-managed device from home to connect to the machine in the office, that would make things more straightforward: you could use a VPN like others suggest, RDP, and configure the home devices to meet controls.
I think it would be better to set that user up with a laptop if you can and have them take it home with them. Or set them up with VDI.
Apache Guacamole on FIPS Ubuntu if BYOD. If org owned and managed, Apache Guacamole can still be good, but you could do the normal VPN (FIPS…) and RDP, which many people are used to and understand.
What Firewall do you have? You may have the ability to use SSLVPN.
Recommendation on VPN?
This is the way. As long as the RDP session is locked down to only send KVM back and forth.
Why do you need to give them remote access to the machines instead of making them laptops that they can take with them?
What, if you don't mind me asking, are you using for VPN?
VDI desktops are NOT in scope according to the final rule as long as the client is configured to not allow processing, storage or transmission of FCI and CUI other than KVM - From the final rule Q&A:
"b. Virtual Desktop Infrastructure
Comment: Several comments requested clarification on the use of Virtual Desktop Infrastructures and how to scope its components.
Response: The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to state that an endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of FCI and CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered out of scope."
So a FIPS validated VPN and RDP would work as long as the RDP session is locked down.
They need to come into a physical machine onsite due to some old hardware that it is connected to.
I disagree, most orgs would not want people’s personal computers to be connected to the office network with VPN.
But not really. The device they are using will be in scope so can’t be BYOD or personal etc.
So then VPN and then RDC to a VDI hosted internally?
In this case though they need access to a physical machine due to OLD hardware on the machine.
Thank you for this answer. Do you have a link to somewhere that I can follow to install Guacamole with FIPS? Other option would be like an nginx reverse proxy with FIPS, which may or may not be doable with the open source edition. I've heard yes, as long as your OpenSSL is FIPS then it will use FIPS.
I just can’t find any guide on setting up OpenSSL with FIPS.
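As an added example (not from the thread, nor from the Guacamole or OpenSSL projects), a small POSIX shell script covering the OpenSSL side of the question above: the openssl.cnf fragment that activates the OpenSSL 3 FIPS provider and makes FIPS algorithms the default, plus two checks that verify such a config and that `openssl list -providers` actually reports the fips provider as active. It assumes OpenSSL 3.x (where FIPS is a loadable provider); the fipsmodule.cnf path is a placeholder.

```shell
# Added example, not from the thread or the Guacamole/OpenSSL projects.
# Assumes OpenSSL 3.x, where FIPS is a loadable provider; the config layout
# follows OpenSSL's README-FIPS and the path to fipsmodule.cnf is a placeholder.
# openssl.cnf fragment that loads the FIPS provider and makes FIPS algorithms the
# default for every application using this config (nginx, Guacamole's native libs).
# fipsmodule.cnf is generated on the host by `openssl fipsinstall -module <fips.so> -out <fipsmodule.cnf>`.
FIPS_CNF_TEMPLATE='
config_diagnostics = 1
openssl_conf = openssl_init
.include /PLACEHOLDER/path/to/fipsmodule.cnf
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
'

# Check 1: does a config text both load the FIPS provider and require fips=yes
# as the default property? Returns 0 only if both lines are present.
cnf_enables_fips() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*fips[[:space:]]*=[[:space:]]*fips_sect' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*default_properties[[:space:]]*=[[:space:]]*fips=yes'
}

# Check 2: parse `openssl list -providers` output; return 0 only if a provider
# block named "fips" reports "status: active".
providers_fips_active() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[A-Za-z0-9_]+$/ { name = $1 }              # block header, e.g. "  fips"
        /status:/ && name == "fips" && $NF == "active" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check on this host: fips provider active, and MD5 (not FIPS-approved) refused.
live_fips_check() {
    out=$(openssl list -providers 2>/dev/null) || return 1
    providers_fips_active "$out" || return 1
    if printf 'x' | openssl md5 >/dev/null 2>&1; then return 1; fi
    return 0
}

cnf_enables_fips "$FIPS_CNF_TEMPLATE" && echo "config fragment enables FIPS"
live_fips_check && echo "host OpenSSL is running with the FIPS provider" || echo "host OpenSSL is NOT in FIPS mode"
```

Drop the template into the openssl.cnf your nginx/Guacamole host actually loads (or point OPENSSL_CONF at it) and then run the live check; a healthy result is the fips provider listed as active and `openssl md5` failing.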