
If you hold a Department of Defense contract — or are trying to win one — your cybersecurity posture is no longer just good practice. It is a contract requirement with compliance deadlines, assessment mandates, and enforcement consequences that include False Claims Act liability.

CMMC 2.0's Acquisitions Rule took effect November 10, 2025. As of that date, DoD contracting officers can condition contract awards on verified CMMC compliance. By November 2028, CMMC clauses become mandatory in all applicable DoD contracts. For any contractor handling Controlled Unclassified Information (CUI) — which includes a vast range of technical data, export-controlled information, privacy data, and operational information — this is not a future concern. It is a present one.

Remote access to systems containing CUI is one of the highest-risk areas in every CMMC and NIST 800-171 assessment. A properly configured VPN is not optional for contractors whose staff access CUI systems remotely — it is a documented requirement in the standards themselves.

What CMMC and NIST 800-171 Actually Require for Remote Access

CMMC Level 2 is built on the 110 security requirements of NIST SP 800-171 Rev. 2. These requirements are organized across 14 security domains. Remote access to CUI appears across multiple domains — it is not a single checkbox.

Access Control (AC) — Remote Access Management

NIST 800-171 Practice 3.1.12 explicitly addresses remote access: "Control and monitor the use of remote access sessions." The implementation guidance requires that remote access be established using encrypted, authenticated connections. Practice 3.1.14 adds: "Route remote access via managed access control points."

In practical terms: remote access must go through a controlled endpoint — a VPN gateway or equivalent — not directly from a contractor's home device to a CUI system. You cannot allow contractors to access CUI via uncontrolled internet connections.

System and Communications Protection (SC)

Practice 3.13.8 requires: "Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards." For any remote access scenario — VPN, RDP, SSH, web-based portals — this means FIPS-validated encryption is required for CUI in transit.

This is where many contractors have questions about WireGuard specifically. As noted in CMMC practitioner forums, WireGuard's cryptographic algorithms are not currently FIPS-validated under NIST's CMVP program. For CMMC Level 2 assessments requiring FIPS-validated cryptography for CUI, contractors typically use solutions with FIPS-validated implementations — Fortinet, Palo Alto, or OpenVPN with FIPS-validated OpenSSL modules. CyberFence uses AES-256-GCM, which is a FIPS-approved algorithm (FIPS 140-2 compliant at the algorithm level); because FIPS 140 validation attaches to the module that implements the algorithm rather than to the algorithm itself, documentation of the specific cryptographic implementation and its validation status should be part of your System Security Plan (SSP) for a formal CMMC assessment.

Identification and Authentication (IA)

Practice 3.5.3 requires multi-factor authentication for remote access to systems containing CUI. This applies to all accounts — privileged and non-privileged. A VPN alone is not sufficient: MFA must be enforced at the point of authentication for any remote CUI access. The VPN provides the encrypted tunnel; MFA provides the identity verification layer.

GSA Contractors: NIST 800-171 Rev. 3 Now Required

In March 2026, the GSA published an updated IT Security Procedural Guide mandating that GSA contractors implement NIST SP 800-171 Rev. 3 — making GSA among the first agencies to require the updated standard. Key changes for remote access under Rev. 3:

  • All remote access must be routed through authorized and managed control points reviewed and approved by the agency
  • MFA is mandatory for every user account accessing in-scope systems
  • For remote access, MFA must be phishing-resistant — email OTP and SMS are prohibited
  • Incident reporting window reduced to one hour

If you work with GSA or anticipate GSA contracts, Rev. 3 requirements apply now, not in a future phase.

CyberFence provides AES-256-GCM encrypted remote access, zero logs, kill switch, and US-operated infrastructure — built for contractors operating under NIST and CMMC frameworks. Start your Free Trial — $7.99/mo.

The CMMC Timeline and What It Means for Your Contracts

Understanding the phased timeline matters because contractors who miss the windows lose the ability to bid on covered contracts:

  • November 10, 2025 – November 9, 2026 (Phase 1): CMMC requirements begin appearing in select DoD solicitations. Level 1 and Level 2 self-assessments required. Contractors must submit scores to SPRS and have a senior official affirm compliance.
  • November 10, 2026 (Phase 2): DoD can require C3PAO third-party assessments for Level 2 programs and DIBCAC government assessments for Level 3. Self-assessment exceptions are eliminated for most CUI contracts.
  • November 10, 2027: Level 2 C3PAO requirements can be added through exercise of options in active contracts — meaning existing contracts can be updated to require CMMC.
  • November 10, 2028: CMMC clauses become mandatory in all applicable DoD contracts. Full compliance required to bid, win, and continue performance.

The practical implication: if you handle CUI today under a DoD contract, your remote access controls — including VPN configuration, MFA enforcement, and cryptographic documentation — need to be in order for your next renewal or new contract bid. Contractors who wait until 2028 will face compressed timelines and assessment queues.

What "Remote Access" Means in Practice for Government Contractors

The CMMC and NIST 800-171 requirements for remote access cover every scenario where an authorized user accesses CUI from outside the contractor's controlled physical environment. This includes:

  • Employees working from home offices accessing document management systems, engineering databases, or classified-adjacent contract data
  • Traveling employees accessing company systems from hotel networks or airports
  • Subcontractors who access prime contractor systems under flow-down compliance requirements
  • Remote maintenance of systems — NIST 800-171 Practice 3.7.5 specifically addresses remote maintenance and requires encrypted sessions with MFA
  • Access to cloud services that host CUI — CSPs hosting CUI must have FedRAMP Moderate authorization or meet equivalent requirements

The subcontractor flow-down requirement is often overlooked. CMMC applies throughout the supply chain — prime contractors must ensure that subcontractors handling CUI are also compliant. If a subcontractor's remote access to your systems uses an uncontrolled connection, that is a finding against your CMMC assessment, not just theirs.

What to Document in Your System Security Plan

Every CMMC assessment requires a System Security Plan (SSP) that documents how you implement each required practice. For remote access and VPN specifically, assessors will look for:

  • Remote access policy — written policy requiring all CUI remote access to use encrypted, authenticated connections through managed control points
  • VPN configuration documentation — the specific VPN solution, cryptographic parameters (encryption algorithm, key exchange, cipher suite), and FIPS validation status
  • MFA enforcement evidence — documentation and logs showing MFA is required for all remote access accounts, with phishing-resistant methods for GSA contracts
  • Access control list — who is authorized for remote access, to which systems, and under what conditions
  • Session monitoring — evidence that remote access sessions are logged and monitored as required by Practice 3.1.12
  • Incident response procedures — how a compromised remote credential or endpoint is detected and responded to within the reporting timeframe

Assessors examine all of these. Gaps in documentation are as significant as gaps in implementation — a VPN that is properly configured but not documented in the SSP does not satisfy the assessment requirement.

US-Operated VPN Infrastructure: Why It Matters for Government Contractors

CyberFence is headquartered and operated entirely within the United States, in Orlando, FL. This is relevant for government contractors for several reasons:

First, vendor risk assessments for CMMC frequently examine where security tool vendors are headquartered and operated. A VPN provider operated from a foreign jurisdiction — even one marketing "US servers" — introduces questions about whether the provider is subject to foreign intelligence laws that could compel disclosure of connection logs or metadata. A US-operated, zero-logs provider eliminates that question.

Second, NIST 800-171 Practice 3.13.10 requires employment of FIPS-validated cryptography to protect CUI. While this applies to the encryption implementation rather than the provider's location, US-based providers operating under US law and subject to US export control requirements have a cleaner compliance posture in vendor assessments.

Third, supply chain risk management is increasingly scrutinized under CMMC. Assessors may request information about critical software providers' country of origin and security practices. A US-operated VPN provider is straightforward to document and defend.

CyberFence for Government Contractor Use Cases

CyberFence provides:

  • AES-256-GCM encryption for all connections — FIPS 197 compliant algorithm for data in transit
  • Zero-logs architecture — no connection logs, no browsing records, no timestamps stored. If subpoenaed or audited, there is nothing to produce.
  • Kill switch — cuts all traffic if the VPN tunnel drops, preventing any unencrypted CUI transmission during reconnection windows
  • Web Shield DNS filtering — blocks known malicious domains, phishing sites, and ad trackers at the DNS level before connections are established. Relevant for contractor devices where an employee might inadvertently access a malicious site while conducting CUI work
  • US-operated infrastructure — Orlando, FL headquarters, US-operated servers, subject to US law and data handling requirements

For contractors building out their CMMC technical controls, CyberFence addresses the transport encryption and DNS protection layers. The full compliance stack requires layered controls: endpoint protection for device security, MFA for identity verification, audit logging for accountability, and role-based access controls for least-privilege enforcement — all documented in the SSP.

The Practical Next Steps

If you are a government contractor preparing for CMMC assessment or maintaining compliance under existing DFARS requirements:

  1. Identify your CUI scope — document every system, endpoint, and cloud service that processes, stores, or transmits CUI. Remote access controls must cover all of them.
  2. Audit your current remote access configuration — verify that all remote connections to CUI systems use encrypted, authenticated tunnels. Test for DNS leaks and ensure kill switch functionality is active.
  3. Document cryptographic parameters — your SSP must identify the encryption algorithm, key length, and FIPS validation status for your VPN implementation.
  4. Enforce MFA on all remote accounts — this is a non-negotiable CMMC requirement. Implement phishing-resistant MFA if you work with GSA or anticipate Rev. 3 requirements.
  5. Address subcontractor flow-down — verify that subcontractors with access to your CUI systems are operating equivalent remote access controls.
  6. Schedule a gap assessment — if you have not completed a formal gap assessment against NIST 800-171 requirements, do so before your first assessment window.
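As an added example (not CyberFence's code or any project's), the following Python audit pulls the parameters that steps 2 and 3 and the SSP checklist above ask for out of an OpenVPN client configuration: data channel cipher, HMAC algorithm, and TLS floor for the key exchange, flagging anything outside the FIPS 140 approved set or left unset. The FIPS_CIPHERS and FIPS_HMACS sets and the sample configuration are assumptions constructed for the example; the check covers algorithm names only and says nothing about whether the OpenSSL build in use is CMVP-validated.

```python
import re

# OpenVPN names for algorithms inside the FIPS 140 approved set. Approved is necessary, not
# sufficient: the SSP must also cite the CMVP certificate of the OpenSSL build that runs them.
FIPS_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC"}
FIPS_HMACS = {"SHA256", "SHA384", "SHA512"}

def parse_openvpn(text):
    """Map each directive to its arguments, skipping comments and inline <ca>...</ca> blocks."""
    cfg, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # PEM lines inside <tag>...</tag> are not directives
            in_block = None if line == f"</{in_block}>" else in_block
            continue
        if tag := re.fullmatch(r"<(\w+)>", line):
            in_block = tag.group(1)
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            cfg[name] = args
    return cfg

def audit(text):
    """Return (directive, value, ok, ssp_parameter) tuples. ok is False for a non-FIPS value
    and for an unset directive, because unset means silently relying on a build default."""
    cfg, out = parse_openvpn(text), []
    # data-ciphers (OpenVPN 2.5+) is a colon-separated negotiation list; 'cipher' is the legacy form.
    ciphers = [c for a in cfg.get("data-ciphers", cfg.get("cipher", [])) for c in a.split(":")]
    for c in ciphers or ["(unset)"]:
        out.append(("data-ciphers", c, c.upper() in FIPS_CIPHERS, "data channel encryption"))
    hmac = cfg.get("auth", ["(unset)"])[0]
    out.append(("auth", hmac, hmac.upper() in FIPS_HMACS, "HMAC for control channel and CBC modes"))
    tls_min = cfg.get("tls-version-min", ["(unset)"])[0]
    out.append(("tls-version-min", tls_min, tls_min in {"1.2", "1.3"}, "key exchange TLS floor"))
    return out

def flagged(text):
    """'directive=value' for each finding an assessor would question."""
    return [f"{d}={v}" for d, v, ok, _ in audit(text) if not ok]

# Constructed sample client config (placeholder hostname, not a real deployment): one non-approved
# cipher in the negotiation list and a SHA1 HMAC, both of which need fixing or an SSP justification.
SAMPLE_CONFIG = """client
remote vpn.example.test 1194 udp  # placeholder
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA1
tls-version-min 1.2
"""
```

Running `audit(SAMPLE_CONFIG)` gives one row per parameter that can be copied into the SSP's cryptographic parameters table, with `flagged()` listing what must change before assessment.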

CyberFence is a US-operated VPN with AES-256-GCM encryption, zero logs, kill switch, and Web Shield — built for professional and compliance use cases. Start your Free Trial — $7.99/mo or $7.35/mo annually.