CUI Compliant
0 NIST 800-171 gaps detected. FedRAMP authorized components. Most widely deployed enterprise VPN in the defense sector. Essential for NIST 800-171 3.1.12 remote access and 3.13.x communications protection.
Cisco AnyConnect / Secure Client
by Cisco
FedRAMP Status: FedRAMP Authorized
Impact Level: Moderate
Category: VPN & Network Security
Overview
Cisco AnyConnect (now Cisco Secure Client) is the most widely deployed enterprise VPN in the defense sector. It provides secure remote access with MFA, endpoint posture analysis, and always-on VPN capabilities. Essential for NIST 800-171 remote access controls (3.1.12) and communications protection (3.13.x).
Using Cisco AnyConnect / Secure Client in a Defense Contractor Environment
Cisco AnyConnect/Secure Client serves as the primary remote access gateway for defense contractors handling CUI, including technical data packages (TDP), engineering drawings, financial performance reports, and personally identifiable information (PII) of cleared personnel. Within CMMC Level 2 authorization boundaries, AnyConnect typically sits at the network perimeter as the primary entry point for remote workers accessing CUI systems, making it a critical security control point. The solution's FedRAMP Moderate authorization provides a strong foundation for CUI protection, but contractors must implement compensating controls, including mandatory certificate-based authentication, endpoint compliance checking via AMP for Endpoints integration, and session recording for privileged access.

DCMA/DIBCAC assessors focus heavily on AnyConnect's configuration during CMMC assessments, specifically examining split-tunneling restrictions that prevent CUI data leakage, integration with the contractor's identity provider for centralized access control, and logging capabilities that support incident response requirements. Recent DCMA compliance reviews have flagged contractors using consumer-grade VPN solutions or improperly configured AnyConnect deployments that allow split-tunneling, underscoring the importance of enterprise-grade VPN solutions. AnyConnect's widespread deployment across defense contractors (estimated 70%+ adoption rate) makes it a well-understood solution for assessors, but contractors must still demonstrate proper integration with their broader security architecture, including SIEM integration and endpoint detection platforms.
Deployment & Architecture
Deployment Model: Hybrid (cloud + on-prem)
Cisco AnyConnect / Secure Client operates within a FedRAMP-authorized boundary. CUI can be processed within the authorization scope, but contractors must verify their specific use case falls within the system's security boundary as documented in the SSP.
Implementation Guide
Defense contractors implementing Cisco AnyConnect for CUI environments should plan an 8-12 week deployment timeline across three phases.

- Phase 1 (weeks 1-4): Infrastructure preparation, including Adaptive Security Appliance (ASA) or Firepower deployment, certificate authority integration, and Active Directory connector configuration. Contractors must ensure CUI data remains within authorized boundaries during testing by creating isolated test environments that mirror production CUI handling requirements.
- Phase 2 (weeks 5-8): User provisioning with mandatory security awareness training focused on split-tunneling restrictions and acceptable use policies for CUI access. All users requiring CUI access must complete contractor-specific training on remote access procedures and sign updated non-disclosure agreements reflecting DFARS 252.204-7012 requirements.
- Phase 3 (weeks 9-12): Production rollout with gradual user migration and compliance documentation updates. Required documentation updates include System Security Plan modifications to reflect the new network architecture, authorization boundary diagram updates showing AnyConnect as a boundary protection mechanism, and POA&M entries for any interim security measures.

Implementation costs typically range from $75,000 to $150,000 for mid-size contractors (500-2000 users), including licensing, professional services, and infrastructure upgrades. Enterprise contractors may require $200,000-$500,000 investments for redundant infrastructure and advanced threat protection integration.
Configuration Checklist
1. ISSO must update the System Security Plan to include AnyConnect within the authorization boundary as a boundary protection system per NIST 800-171 3.13.1.
2. System administrator shall configure AnyConnect to disable split-tunneling for all CUI-accessing users to ensure NIST 800-171 3.13.2 compliance.
3. ISSO must integrate AnyConnect with the organization's certificate authority to enforce multi-factor authentication per NIST 800-171 3.5.3.
4. System administrator shall configure endpoint posture assessment to verify antivirus and patch compliance before VPN access per NIST 800-171 3.14.1.
5. ISSO must configure AnyConnect logging to capture all connection events and forward them to the organizational SIEM per NIST 800-171 3.3.1.
6. System administrator shall implement geofencing restrictions to block connections from prohibited countries per DFARS 252.204-7012.
7. ISSO must create POA&M entries for any legacy VPN solutions being replaced, with target remediation dates.
8. Contracts officer must verify AnyConnect licensing includes required security modules for CUI protection before contract execution.
9. System administrator shall configure AnyConnect integration with mobile device management (MDM) for BYOD policy enforcement per NIST 800-171 3.1.18.
10. ISSO must conduct tabletop exercises testing incident response procedures for compromised VPN credentials per NIST 800-171 3.6.1.
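As an added illustration of checklist items 2 and 5 (not configuration taken from this page, from Cisco, or from any assessor guidance), the ASA group-policy lines below show the split-tunnel setting that lets a CUI workstation's non-listed traffic leave the boundary directly, beside the corrected setting that tunnels all traffic, followed by syslog forwarding to the SIEM. The policy name CUI-USERS, the ACL name CUI-NETS, the interface name and the SIEM address are constructed placeholders.

```cisco
! WEAK: only networks in the CUI-NETS ACL go through the tunnel; all other
! traffic from the endpoint bypasses the boundary (split tunneling enabled)
group-policy CUI-USERS internal
group-policy CUI-USERS attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUI-NETS

! CORRECTED: every packet from the connected client traverses the ASA, so
! boundary controls (3.13.1) and transmission protection (3.13.8) apply to all
! of the endpoint's traffic for the life of the session
group-policy CUI-USERS attributes
 split-tunnel-policy tunnelall

! Forward connection events (session start/stop, authentication results) to
! the organizational SIEM at informational level; 10.10.10.50 is a placeholder
logging enable
logging timestamp
logging trap informational
logging host inside 10.10.10.50
```

After applying the corrected policy, confirm it from a connected client by checking that the Secure Client route details show no non-secured routes, and confirm on the SIEM that a test connect/disconnect produces both a session-start and a session-end event.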
Compliance Cross-References
Cisco AnyConnect's FedRAMP authorization directly supports multiple NIST 800-171 control families critical for CUI protection. The solution primarily addresses Access Control (AC) requirements through its identity integration and session management, specifically supporting AC.3.1.1 (authorized access enforcement) and AC.3.1.2 (transaction and function controls). System and Communications Protection (SC) controls are extensively covered, particularly SC.3.13.1 (boundary protection) and SC.3.13.8 (transmission confidentiality). AnyConnect's audit capabilities support the Audit and Accountability (AU) family, specifically AU.3.3.1 (audit record creation) and AU.3.3.2 (audit review and analysis). Under DFARS 252.204-7012, AnyConnect serves as a critical safeguarding measure for CUI during transmission, while DFARS 252.204-7021 requirements for cybersecurity incident reporting are supported through its logging and monitoring capabilities. For CMMC Level 2 assessments, AnyConnect impacts the Access Control, System and Communications Protection, and Audit and Accountability domains, with assessors evaluating configuration management and boundary protection implementation. Non-compliance or misconfiguration creates cascading findings across these control families, particularly if split-tunneling allows CUI exfiltration outside the authorization boundary.
Frequently Asked Questions
Is Cisco AnyConnect required for CMMC?
A VPN or zero-trust remote access solution is required by NIST 800-171 3.1.12. Cisco AnyConnect is the most common choice in the defense sector, but Palo Alto GlobalProtect and Zscaler are also compliant alternatives.