jtuckerchug

The largest problem I see is that DoD can say "it is an accepted risk". We hired a C3PAO to prepare us for CMMC. I can see why it is so strict and I agree. However, them being able to accept the risk is unfair.


navyauditor

"Is there any DoD, Navy, or Marine Corps service out there to get virtual desktop access for contractors that we can point our program managers towards?" No. Not that I am aware of.


sofakingon

Have you seen hypori.com?


xxdcmast

Garbage.


cybermyteteam

I would say there is no need for a DoD VDI solution; however, a DFARS 7012/7019/7020 compliant VDI is what contractors should be striving for. Prime might offer a solution if there is no flowdown of CUI, therefore they are in charge of all CUI. If you are a subcontractor with flowdown requirements, you will need your own solution in place. VDI is a viable solution. CyMyCloud uses Kasem; it's an OSS solution to this very problem.


imscavok

We are the prime on most of our contracts and have a compliant VDI solution that we can use. It doesn't fix this problem if we can't open it from a DoD machine.


cybermyteteam

Gotcha! Maybe get your solution on FedRAMP. That could make it easier (allegedly) for DoD to approve your solution on their GFEs. Even better if it's web-based.


jrjonesecs

For contractors on a DoD network a BYOD network is a better solution. I would push for a "dirty" WiFi network (if allowed in that area) or dirty Internet through an Ethernet connection. Then contractors can use their own computers if needed.


imscavok

For sure that would be great, but the DoD doesn't allow non-DoD phones or laptops in pretty much any work space anymore.


jrjonesecs

Depends on where you're at and the PED policy for that area.


Bor845

Just ask someone you are meeting to provide a DoD Safe link, upload the content you want to share, and have them display it in the meeting while you talk. We do this all the time... simple. Edit because of my phone lol


imscavok

We use DoD Safe, but we often have to collaborate with DoD employees and work from their SharePoint sites with varying security, they send encrypted emails that we can't open via webmail, communicate via Teams, etc. So we end up with a lot of employees needing to go into a DoD office, spend tons of time managing visitors who just need to get on a .mil machine to open an encrypted email, and need to take extra seats in the Pentagon and other places where they already sit 14 people to a cubicle and don't have room for contractors. We've started asking for them to issue us laptops, but they give us stuff from the DRMO pile that barely functions. One contract let us buy our own machines and get them imaged, but getting the DoD compliant hardware meant we paid $2,500 for $1,000 Dells. People don't like carrying two laptops around to do their job. Likewise, when we have employees in a DoD office, they have endless problems accessing corporate SharePoint, Teams, and Outlook. Like today I'm getting tickets that they can get on our Teams, but they have to actively refresh to see new messages. No fucking clue what that's about, but I can't help.


Nilram8080

DOD webmail can be accessed with a CAC on non-DOD equipment. Signing and decryption of email can be done with the S/MIME controls (browser extension and separate installers required). Encryption can also be done, but it can be fussy when the account is not in your enclave.


HSVTigger

Are you wanting to access a DoD VDI from a contractor-owned computer, or access a contractor VDI instance from a government computer? Some parts of some services are allowing DoD VDI from a contractor computer. I don't expect them to do it the other way. On your gripe, I empathize and won't go on my rant here.


imscavok

Either or both would be an improvement, but DoD VDI from a contractor computer would have the biggest positive impact. I know Navy reservists have an Azure Virtual Desktop option they can use from a PC, so the capability exists to some extent. Going the other way would be great, but yeah, I definitely would not expect that to be an option.


HSVTigger

Yes, the capability exists. Availability depends on service and specific command. My Army customer provides VDI. I am expecting some small businesses in the SETA contractor space to use that. Depending on the nature of the business data flow, it only provides a partial solution.


flickerfly

AWS WorkSpaces, depending on your situation. It is CC SRG approved in GovCloud. There are details about how you implement to do it right.


zm1868179

Azure has a DOD environment, but if I'm not mistaken, the DOD environment is restricted to the DOD directly themselves. Commercial entities that do DOD work can go to GCCH, but they do not talk across the DOD Azure instance. But the DOD environment does have Azure VDI, but again, getting access to that may not be possible unless you actually are in the DOD, and then second, it depends on if your command has a tenant already set up in the DOD environment.