System and Communications Protection 3.13.12 (3.13.12)

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.[29].

Get Full Guidance

What Is This CMMC Control?

This control requires organizations to prevent collaborative computing devices (like webcams, microphones, and networked whiteboards) from being remotely activated without user knowledge, and to provide clear visual or audible indicators when these devices are actively in use. The intent is to protect against unauthorized surveillance and ensure users are aware when devices capable of capturing audio, video, or shared content are operational.

Control Intent

Prevent unauthorized remote surveillance and ensure user awareness of active collaborative computing devices to protect privacy and prevent unauthorized disclosure of CUI during meetings, discussions, or work sessions.

Who This Control Applies To

  • Networked cameras (webcams, conference room cameras, security cameras with audio)
  • Networked microphones and audio capture devices
  • Networked whiteboards and interactive displays
  • Smart displays with integrated cameras or microphones
  • IoT devices with audio/video capture capabilities in CUI environments
  • Laptops, desktops, and mobile devices with integrated cameras/microphones used to access CUI
  • Conference room systems with remote management capabilities

Not Applicable When

  • Dedicated video conferencing systems that require explicit user initiation (calling or connecting) to activate - these are explicitly excluded from this control
  • Devices without network connectivity or remote activation capabilities
  • Devices physically disconnected or disabled (camera covers, microphone mute switches that physically disconnect)
  • Standalone recording devices without remote activation features
  • Systems in environments where CUI is never present, discussed, or displayed

Key Objectives

  • 1Prevent remote activation of collaborative computing devices without explicit user action at the physical device location.
  • 2Provide clear, unambiguous indication to users physically present when collaborative computing devices are actively capturing or transmitting audio, video, or shared content.
  • 3Protect against covert surveillance or unauthorized monitoring of spaces where CUI may be discussed or displayed.

Sample Self-Assessment Questions (Partial)

Do you use laptops, desktops, or mobile devices with built-in cameras or microphones to access CUI or participate in meetings where CUI is discussed?

Do you have conference rooms or collaboration spaces with networked cameras, microphones, or smart whiteboards?

Implementation Approaches (High-Level)

Endpoint Configuration Management (GPO/MDM)

Use Group Policy, MDM profiles, or endpoint management tools to disable remote activation of cameras and microphones at the operating system level while ensuring indicator functionality remains enabled.

Firmware-Level Disablement

Disable cameras and microphones at the BIOS/UEFI firmware level for devices where these capabilities are not required for business functions.

Physical Disablement and Indicators

Use physical controls such as camera covers, microphone disconnect switches, or device removal, combined with verification of physical indicator lights.

Network Segmentation and Access Control

Isolate collaborative computing devices on restricted network segments with access controls that prevent remote activation commands from unauthorized sources.

Application-Level Controls and User Consent

Configure operating systems and applications to require explicit user consent before activating cameras or microphones, with clear on-screen indicators during use.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

If remote activation cannot be immediately disabled: Document specific devices affected, implement compensating controls (physical covers, network isolation, enhanced monitoring), establish timeline for technical remediation, and provide user training on indicator awareness. If indicator functionality is unreliable: Implement physical indicators (external LED devices), deploy software-based on-screen notifications, restrict device use in CUI environments until indicators are verified, and establish testing procedures. If device inventory is incomplete: Prioritize discovery of all networked audio/video devices, implement interim physical controls (camera covers) on known devices, establish device registration process, and complete full inventory within defined timeframe. For BYOD or contractor devices: Implement visitor/contractor policies prohibiting devices with cameras/microphones in CUI spaces, provide loaner devices with compliant configurations, or require physical disablement (covers) as condition of access. If dedicated video conferencing systems are incorrectly scoped: Document technical justification for exclusion (user-initiated activation only), provide evidence of system architecture, and ensure general-purpose devices are not misclassified as dedicated systems.

Related CMMC Controls

3.4.13.4.23.4.33.4.63.1.183.10.13.10.23.2.13.2.23.3.13.3.2

Frequently Asked Questions

Does this control apply to my laptop's built-in webcam and microphone?

Yes, if the laptop is used to access CUI or is present in environments where CUI is discussed. However, the control prohibits remote activation - it does not prohibit you from using the camera/microphone when you intentionally activate it (like joining a video call). The key requirement is that the camera/microphone cannot be turned on remotely without your knowledge, and you must have a clear indicator (like an LED light) when it's active.

Are Zoom, Teams, and other video conferencing platforms excluded from this control?

It depends on the device and how it's used. Dedicated video conferencing systems (like conference room systems where someone must dial in to start the call) are excluded. However, general-purpose laptops or desktops running Zoom/Teams are NOT excluded - you must ensure these applications cannot remotely activate your camera/microphone without your explicit action, and that you have indicators when they're active. Most modern operating systems provide these controls through permission settings.

What counts as an acceptable 'indication of use' for cameras and microphones?

Acceptable indicators include hardwired LED lights that illuminate when the camera/microphone is active, on-screen notifications from the operating system, or physical indicator lights on external devices. The indicator must be reliable (cannot be disabled in software), clearly visible to users present at the device, and accurately reflect the device's active state. A camera cover or mute button is a control mechanism, not an indicator.

Can I just put a sticker or sliding cover over my webcam to comply with this control?

A camera cover is a good physical control that prevents video capture, but it doesn't fully satisfy this control on its own. The control requires both preventing remote activation AND providing indication when devices are in use. You still need to ensure the camera cannot be remotely activated (through OS settings, GPO, or firmware) and that you have a working indicator for the microphone. Camera covers are best used as a supplemental physical control.

How do I handle conference rooms with smart displays or voice assistants like Alexa?

Smart displays and voice assistants with cameras/microphones are in scope if they're in areas where CUI might be discussed. You must either: (1) remove them from CUI environments, (2) disable their remote activation and network connectivity features, (3) implement network controls to prevent remote activation, or (4) establish procedural controls (like unplugging them when discussing CUI). Simply having them present with default settings would likely be a finding.

What should I do if I can't disable remote activation on certain managed devices?

If technical limitations prevent disabling remote activation (such as required remote support tools), you should: (1) document the business justification and technical constraints, (2) implement compensating controls like enhanced monitoring, physical controls (camera covers), or restricting device use in CUI areas, (3) ensure indicators are functional and users are trained to recognize them, and (4) create a POA&M with a timeline to implement a compliant solution. This is a common scenario that assessors understand, but requires documented risk acceptance and remediation planning.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.

Learn More About ConformatIQ

Ready to Get Full Guidance?

Access complete implementation details, detailed assessment questions, evidence requirements, and expert guidance for this control.

Request Full Guidance

Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.