Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.12 - Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
Understanding the Requirement
This control requires that collaborative computing devices, such as networked whiteboards, cameras, and microphones, cannot be turned on or activated remotely without a clear, local indication to people at the device that it is in use. The organization must be able to identify these devices, ensure they provide an obvious signal (for example an indicator light or persistent on-screen notice) when active, and implement measures to block remote activation. Dedicated conferencing systems that only start when a participant directly connects are excluded; the focus is on devices that could be activated without occupants' awareness.
Technical Implementation
- Inventory and labeling: Create a simple asset inventory listing every collaborative device (model, firmware, IP/MAC, physical location). Label devices visibly (room name + asset tag) so users and auditors can identify them quickly.
- Enable and enforce local indicators: Where possible, configure device firmware or settings so an LED, bezel light, or on-screen banner turns on whenever the device's camera, microphone, or whiteboard is active. If a device lacks an electronic indicator, add a physical sign or tamper-resistant cover that makes activation visible.
- Block remote activation paths: Disable remote management or wake features that could turn on sensors (for example, Wake-on-LAN for cameras, or remote audio recording in RDP). Use access control lists and firewall rules to restrict management ports to a small set of admin IPs or VPNs only.
- Network segmentation and ACLs: Put collaborative devices on a segregated VLAN with strict outbound/inbound rules. Only allow management traffic from a secured admin network, and prevent general user networks from accessing device control APIs.
- Administrative controls and change management: Require administrative authentication for any configuration changes that affect activation behavior. Log management sessions and changes, and include device activation settings in routine change reviews.
- Physical mitigations and signage: For rooms used intermittently, provide simple manual controls: physical camera covers, microphone mute switches, door signs indicating "Device in Use," and lockable doors where confidentiality is required.
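The checks in the list above can be run periodically against the asset inventory. The following is an added example, not part of the original guidance: the field names, VLAN ID, admin subnet, and inventory records are all constructed assumptions.

```python
import ipaddress

# Assumed site policy values (hypothetical, not from the guidance above).
COLLAB_VLAN = 40
ADMIN_NETS = [ipaddress.ip_network("10.99.0.0/24")]  # admin VPN subnet

# Constructed inventory records; field names are illustrative.
INVENTORY = [
    {"tag": "CR1-WB01", "type": "whiteboard", "room": "Conf Room 1", "vlan": 40,
     "indicator": "on-screen banner", "remote_wake": False,
     "mgmt_allowed_from": ["10.99.0.0/24"]},
    {"tag": "CR1-CAM01", "type": "camera", "room": "Conf Room 1", "vlan": 10,
     "indicator": "LED", "remote_wake": True,
     "mgmt_allowed_from": ["10.99.0.0/24", "192.168.1.0/24"]},
    {"tag": "CR1-MIC01", "type": "microphone", "room": "", "vlan": 40,
     "indicator": None, "remote_wake": False,
     "mgmt_allowed_from": ["10.99.0.16/28"]},
]

def audit_device(dev):
    """Return a list of findings for one inventory record (empty = compliant)."""
    findings = []
    if not dev.get("room"):
        findings.append("no physical location recorded")
    if not dev.get("indicator"):
        findings.append("no in-use indicator (LED, banner, or physical sign)")
    if dev.get("remote_wake", True):  # unknown state is treated as enabled
        findings.append("remote wake/activation feature enabled")
    if dev.get("vlan") != COLLAB_VLAN:
        findings.append(f"not on collaboration VLAN {COLLAB_VLAN}")
    # A device with no management ACL recorded is treated as open to everyone.
    for src in dev.get("mgmt_allowed_from") or ["0.0.0.0/0"]:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in ADMIN_NETS):
            findings.append(f"management reachable from non-admin network {net}")
    return findings

def audit_inventory(inventory):
    """Map asset tag -> findings for every device that fails a check."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["tag"]] = findings
    return report

if __name__ == "__main__":
    for tag, findings in audit_inventory(INVENTORY).items():
        for finding in findings:
            print(f"{tag}: {finding}")
```

Missing fields fail closed, so an incomplete inventory record shows up as a finding rather than passing silently.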
Example in a Small or Medium Business
Acme Engineering has a single collaboration room with a networked whiteboard, ceiling microphones, and a fixed camera. They start by adding these devices to their asset register with room location and serial numbers, then place visible asset tags on each device. The IT team updates each device to the latest firmware and enables the built-in status LED and an on-screen "in use" banner for the whiteboard. For the camera and microphones, they disable remote wake features and restrict management access to a VPN subnet used only by admins. They move all collaborative devices to a separate VLAN and create firewall rules that block management ports from the user LAN. When firmware or configuration changes are required, the team follows a documented change control process and records who made the change. Finally, they add a printed sign on the door that staff must flip to "In Use" when running sensitive sessions and train employees to check the LED and door sign before entering; periodic checks confirm settings remain effective.
Summary
Combining a clear device inventory and policy with straightforward technical and physical controls satisfies this requirement: inventories and labeling ensure devices are identified, indicator lights and banners make use visible to occupants, and disabling remote activation plus network segmentation and administrative controls prevent unnoticed or unauthorized activation. For SMBs, these measures are practical, low-cost, and effective when paired with simple processes (change control, logging, and user training) to keep protections in place. Engage your security lead and system/network admins to implement and sustain these controls.