I have a question related to CMMC requirements for employees that work remotely; specifically with regard to home networking and/or firewall equipment.
I have been getting some mixed advice regarding what is necessary to secure home office networking, and I would appreciate any advice, particularly if you have already passed a C3PAO audit where this topic was discussed.
Assuming that we have all the obvious endpoint security requirements in place (MFA, EDR/MDR, data-at-rest encryption, encrypted communications, etc.), is there a requirement to also ensure that your home office network gear and/or firewall meet the typical CMMC requirements that a corporate office would be subject to (supported hardware, firmware updates, firewall rules, logging, etc.), or perhaps a minimal subset of those requirements? Or can your home office be considered just another potentially hostile remote location (like a local coffee shop), with ALL the focus really on the PC endpoint security and monitoring controls?