Partial CUI Compliance
1 NIST 800-171 gap detected. Some components FedRAMP authorized. Popular UEM for larger contractors. Can integrate with Intune as a compliance partner.
VMware Workspace ONE
by Broadcom
FedRAMP Status: FedRAMP In Process
Impact Level: N/A
Category: Endpoint Management
Overview
VMware Workspace ONE (now Broadcom) is a unified endpoint management platform used by larger defense contractors for device management, application delivery, and zero-trust access. Some components are pursuing FedRAMP authorization.
CUI Risk Assessment
Some components FedRAMP authorized. Popular UEM for larger contractors. Can integrate with Intune as a compliance partner.
Using VMware Workspace ONE in a Defense Contractor Environment
VMware Workspace ONE (now under Broadcom ownership) presents a complex compliance scenario for defense contractors handling CUI. This unified endpoint management (UEM) platform typically processes technical specifications, engineering drawings, proprietary manufacturing data, and employee PII in DoD environments. Within a CMMC Level 2 authorization boundary, Workspace ONE often serves as the central control point for device compliance, application delivery, and conditional access policies. However, its hybrid architecture creates boundary challenges - the cloud-based management console may reside outside the authorization boundary while managed endpoints contain CUI. Compensating controls include network segmentation, encrypted communications (TLS 1.2+), and strict data loss prevention policies. DCMA assessors scrutinize Workspace ONE deployments for proper boundary definition, particularly around cloud components and third-party integrations. The platform's violation of NIST 800-171 control 3.13.8 (session lock) has been flagged in recent DIBCAC reviews, where assessors found inadequate session timeout configurations allowing prolonged unattended access to CUI. Contractors must implement custom session policies and may need to disable certain cloud features to achieve compliance. The recent Broadcom acquisition has created additional uncertainty around FedRAMP timelines and support for government customers.
Deployment & Architecture
Deployment Model: Hybrid (cloud + on-prem)
VMware Workspace ONE is pursuing FedRAMP authorization. Until authorized, this tool should not be used for CUI processing in production. Defense contractors should plan migration timelines and identify compensating controls.
Migration Guidance
Defense contractors using VMware Workspace ONE face a 6-9 month remediation timeline to address NIST 800-171 control 3.13.8 violations. Phase 1 (Weeks 1-4) involves conducting a complete inventory of Workspace ONE components within the authorization boundary and identifying CUI data flows. Phase 2 (Weeks 5-12) requires implementing custom session timeout policies, disabling non-compliant cloud features, and establishing proper network segmentation. Phase 3 (Weeks 13-20) focuses on migrating CUI-handling endpoints to compliant alternatives like Microsoft Intune (which has FedRAMP Moderate authorization) or Tanium (popular in classified environments). Data export requires careful handling of device configurations, compliance policies, and application catalogs while ensuring CUI remains encrypted throughout the process. User training spans 2-3 weeks covering new authentication workflows and device enrollment procedures. Compliance documentation updates include revising the SSP Section 10 (system environment), updating authorization boundary diagrams to reflect new UEM architecture, and creating POA&M entries for any residual risks. Configuration costs range from $50,000-$150,000 for policy remediation, while full migration to alternatives costs $200,000-$500,000 depending on endpoint count and integration complexity.
Migration Checklist
1. ISSO must conduct immediate assessment of all Workspace ONE components within the authorization boundary and document CUI data flows in SSP Section 13.1.
2. Sysadmin shall configure custom session timeout policies to enforce automatic lock after 15 minutes of inactivity per NIST 800-171 3.13.8 requirements.
3. ISSO must disable all cloud-based analytics and reporting features that transmit device data outside the authorization boundary.
4. Sysadmin shall implement network segmentation between Workspace ONE management servers and CUI-handling endpoints using VLANs or microsegmentation.
5. ISSO must update the authorization boundary diagram to clearly delineate on-premises Workspace ONE components from cloud services.
6. Sysadmin shall configure TLS 1.2+ encryption for all Workspace ONE communications and disable legacy protocols.
7. ISSO must create a POA&M entry tracking session lock compliance with a 90-day remediation timeline per DFARS 252.204-7012.
8. Contracts officer shall evaluate migration to FedRAMP Moderate alternatives like Microsoft Intune within 6 months if remediation fails.
9. Sysadmin must implement compensating controls including DLP policies and endpoint encryption for all managed devices.
10. ISSO shall conduct monthly compliance testing of session timeout functionality and document results in continuous monitoring reports.
Compliance Cross-References
VMware Workspace ONE's non-compliance primarily impacts NIST 800-171 control family AC (Access Control), specifically AC-11 (Session Lock) mapped to control 3.13.8. The platform's hybrid architecture also affects SC (System and Communications Protection) controls around boundary protection and transmission confidentiality. This triggers DFARS clause 252.204-7012 requiring contractors to implement NIST 800-171 controls within one year of contract award. Under CMMC Level 2, this tool impacts the Access Control (AC) and System and Information Integrity (SI) assessment domains, where assessors verify session management and boundary controls. The violation cascades to CMMC practice AC.L2-3.1.10 (device lock) and AC.L2-3.1.11 (session termination). FedRAMP requirements become relevant if contractors choose cloud-hosted alternatives - any replacement UEM must have FedRAMP Moderate authorization or higher to handle CUI. The compliance gap also affects audit requirements under AU controls, as session activities may not be properly logged during extended unlocked sessions.
NIST 800-171 Violations
Using VMware Workspace ONE for CUI without FedRAMP authorization may violate these NIST 800-171 controls:
Need a CUI-Compliant Alternative?
VMware Workspace ONE has 1 NIST 800-171 gap. Get real-time alerts when compliant alternatives launch, plus AI-matched contract opportunities.
Frequently Asked Questions
Is Workspace ONE suitable for CMMC compliance?
Workspace ONE provides strong device management but FedRAMP authorization status varies by component. Document your configuration in your SSP and consider Intune GCC High as a fully authorized alternative.