u/B_Another1

▲ 11

VDI scoping and Endpoint

Hello,

If a VDI environment is configured to prevent copy/paste, file transfers, local storage, and printing of CUI, would the endpoint itself need to have screenshot capability disabled as well in order to remain considered “out of scope”?

I understand screenshots could potentially create a local copy of displayed CUI, but I am trying to better understand whether disabling screenshots is generally considered expected or required from a compliance and scoping perspective.

u/B_Another1 — 1 day ago
▲ 13

Hello, trying to get guidance and clarification to see what is allowable under the CMMC.

If an agency or external party sends an email containing CUI to an unauthorized system (e.g., Microsoft 365 Commercial instead of a designated CUI email), what is the appropriate handling procedure?

In our email signatures, we state that any CUI must be sent to our designated CUI email. Despite this, some still send CUI to the non-CUI systems.

My question: is it okay to forward that email ourselves as a method of containment to our CUI email, or would forwarding itself be considered an additional unauthorized transmission?

u/B_Another1 — 9 days ago