3.13.12 — Control Cameras and Mics
What It Says
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
What It Actually Means
Two requirements in one:
- Prohibit remote activation — nobody can remotely turn on a camera or microphone without someone physically present initiating it. Disable remote activation features on conference room systems, IP phones, and collaboration devices.
- Provide indication — when a camera or microphone IS active, people in the room must know. A camera light that turns on, an indicator on the phone display, an LED on the conference device.
This prevents remote surveillance of conversations that might include CUI discussions. The assessor may walk into a conference room and ask about the devices.
For most modern devices (laptops, conference systems), hardware indicator lights are built in. The risk is older conference room systems or IP phones that can be remotely activated without indication.
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is remote activation of collaborative computing devices prohibited? | Conference devices configured to prevent remote activation of cameras/mics |
| 2 | Is there visible indication when devices are in use? | Camera lights, display indicators functional on all devices |
What to Have Ready on Assessment Day
Documents they’ll review: System and communications protection policy; system security plan; system configuration settings for collaborative devices; system design documentation
People they’ll talk to: System or network administrators; personnel with information security responsibilities
Live demos they’ll ask for: Attempt remote activation of conference devices; verify indicator lights function
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Walk me through your conference room equipment. Can any cameras be remotely activated?”
- “Show me the indicator light on this device — does it work when the camera is on?”
- “Do your IP phones have listen-in capability? Is it disabled?”
- “How are conference room devices configured — can an admin turn on the camera remotely?”
- “Are laptop webcam indicator lights functioning across your fleet?”
Where Companies Trip Up
Conference devices with remote activation enabled. Default settings on many conference systems allow remote monitoring. Disable it in the admin console.
No indicator lights. Older devices without camera indicator lights. Replace them or add physical camera covers.
IP phone monitoring. Cisco phones with ‘monitoring/recording’ capability enabled. Disable it.
Smart speakers in CUI areas. Alexa, Google Home, or similar devices in offices where CUI is discussed. Remove them from CUI areas.
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.10.1 — Lock the Doors | Physical security of the rooms where these devices operate |
| 3.1.3 — Where CUI Can Flow | Audio/video surveillance could capture CUI data flow |
Implementation
Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.
CMMC Practice ID: SC.L2-3.13.12 | SPRS Weight: 1 point | POA&M Eligible: Yes