The Director of Communications for a defense agency showed me the aftermath of a security incident that nearly compromised a classified operation. Their video conferencing system—marketed as “military-grade secure”—had routed classified discussion content through commercial cloud infrastructure in three foreign countries before anyone realized the architecture flaw.
No data was confirmed stolen. But the potential exposure was catastrophic. Operational plans. Intelligence sources and methods. Partner nation information. Coalition troop movements. All potentially compromised because the “secure” platform’s AI transcription feature sent audio to the vendor’s commercial cloud for processing.
The vendor’s marketing claimed military-grade encryption and security. The fine print revealed the platform was designed for commercial use with security features added later—not architected from the ground up for defense requirements.
The incident triggered a comprehensive security review. Investigators discovered:
- Video streams encrypted in transit, but vendor held decryption keys
- Meeting metadata (who met with whom, when, how often) stored on commercial servers
- AI features required external cloud processing
- Platform couldn’t operate in air-gapped SCIF environments
- No cross-domain solution capability
- Insufficient audit logging for intelligence oversight
- Architecture fundamentally incompatible with defense security requirements
The agency’s classification officer put it bluntly: “We tried to use a commercial platform for defense purposes. That’s like trying to use a civilian car for armored transport. It might have seatbelts and airbags, but it’s not built to stop bullets.”
This scenario plays out repeatedly across defense agencies and contractors. Organizations select video conferencing based on commercial market success, assuming security features will scale to defense requirements. They discover—sometimes after security incidents—that defense communications require fundamentally different architecture, not just stronger encryption on commercial platforms.
This guide provides defense agencies and contractors with comprehensive understanding of truly secure video conferencing requirements. You’ll learn what defense-grade security actually means, how classification levels determine technical requirements, why SCIF environments demand specialized solutions, how to implement cross-domain communications, and how contractors achieve CMMC compliance.
Whether you’re a defense agency implementing classified communications, a contractor needing CMMC compliance, or a program office evaluating secure video solutions—this guide gives you the knowledge defense communications actually require.
Let’s start with understanding what defense-grade security really means.
Defense-Grade Security Requirements
“Military-grade” and “defense-grade” are marketing terms vendors use liberally. Actual defense security requirements are specific, measurable, and dramatically different from commercial standards.
What Defense-Grade Actually Means
Defense-grade security isn’t about having “strong encryption” or “advanced security features.” It’s about meeting specific standards developed for protecting national security information.
National Security Systems (NSS) requirements:
- Protection of classified national security information
- Cryptography approved by NSA for classified use
- Architecture enabling air-gapped operation
- Cross-domain solution capability
- Intelligence oversight and audit requirements
- Coalition information sharing controls
- Counter-intelligence and operations security
- Survivability under adversary conditions
The Commercial-Defense Security Gap
| Security Aspect | Commercial “Enterprise Security” | Defense-Grade Security |
| Threat Model | Cybercriminals, hacktivists, competitors | Nation-state adversaries, intelligence services, APT groups |
| Encryption | Commercial algorithms (AES, RSA) | NSA Suite B, Type 1 encryption for classified |
| Key Management | Vendor or enterprise PKI | NSA-approved key management, Type 1 for classified |
| Architecture | Cloud-optimized, internet-connected | Air-gap capable, cross-domain ready |
| Audit Requirements | Compliance logging | Intelligence oversight, full forensics |
| Data Sovereignty | Regional compliance | National security jurisdiction exclusively |
| Vendor Access | Support access common | Zero vendor access to classified systems |
| Certification | ISO, SOC 2, FedRAMP | NSA CCEVS, DISA SRG, ATO for classified systems |
| Operational Environment | Standard facilities | SCIF, secure facilities, denied areas |
NSA Commercial Solutions for Classified (CSfC)
NSA’s Commercial Solutions for Classified (CSfC) program enables use of commercial products to protect classified National Security Information when properly configured and implemented.
CSfC capabilities relevant to video conferencing:
Data-in-Transit protection (encrypting video streams)
Data-at-Rest protection (encrypting recordings)
Mobility (secure video from mobile devices)
Critical understanding: CSfC provides component-level certification. You must architect complete solution properly—simply using CSfC-certified components doesn’t automatically create secure system.
CSfC requirements for video conferencing:
Layered encryption (multiple independent encryption layers)
NSA-approved cryptography
Proper key management
Tested and validated configurations
Documented architecture
Regular re-certification
Defense Information Systems Agency (DISA) Security Requirements
DISA establishes security requirements for DoD information systems through Security Requirements Guides (SRGs).
DISA requirements for video conferencing:
Security Technical Implementation Guides (STIGs) compliance
Authority to Operate (ATO) on DoD networks
Common Access Card (CAC) authentication
DoD PKI certificate integration
Security categorization and accreditation
Continuous monitoring and assessment
The Air-Gap Requirement
Many defense communications must occur in air-gapped environments with zero external connectivity.
Air-gap scenarios:
SCIF environments processing classified information
Intelligence operations centers
Command and control facilities
Tactical deployments in denied areas
Continuity of operations facilities
Coalition partner facilities with limited connectivity
Commercial cloud platforms fundamentally cannot operate air-gapped. They require internet connectivity for authentication, feature delivery, updates, and core functionality.
Defense-grade platforms must function completely independently:
All processing occurs within secure boundary
No external authentication dependencies
No external feature or service dependencies
Updates deliverable via secure channels
Autonomous operation indefinitely
Real-World Defense Security Incident
A defense contractor used commercial video conferencing for program discussions involving technical data subject to International Traffic in Arms Regulations (ITAR). The platform’s cloud architecture meant meeting recordings stored on servers in foreign countries—an ITAR violation.
The investigation revealed:
Meeting data replicated to data centers in three foreign countries
Contractor had no visibility into replication
Vendor’s terms of service authorized international data storage
Recordings accessible to vendor employees in multiple countries
ITAR violation potentially affecting multiple defense programs
Penalties:
$500,000 fine for ITAR violations
Suspension from defense contracting during investigation
Mandatory security program overhaul
Loss of several contracts due to security concerns
Reputation damage affecting business development
The lesson: Commercial platforms designed for global cloud optimization fundamentally conflict with defense security requirements. You cannot retrofit defense-grade security onto commercial cloud architecture.
Classification Levels and Secure Video Conferencing
Different classification levels require different video conferencing solutions. Understanding which solution matches your classification needs is critical.
Classification Levels and Technical Requirements
UNCLASSIFIED
Information that doesn’t require protection under national security interests.
Video conferencing requirements:
- Commercial platforms acceptable if FISMA compliant
- Standard encryption (TLS, AES-256)
- Normal authentication (CAC/PIV)
- Regular federal information security controls
- NIST 800-53 Moderate baseline typically sufficient
CONTROLLED UNCLASSIFIED INFORMATION (CUI)
Unclassified information requiring safeguarding or dissemination controls per federal law, regulation, or government policy.
Video conferencing requirements:
- NIST SP 800-171 compliance
- CMMC Level 2+ for contractors
- Enhanced encryption and key management
- Access controls and audit logging
- Proper data handling and storage controls
- Must remain within U.S. jurisdiction
CONFIDENTIAL
Lowest level of classified information. Unauthorized disclosure could reasonably be expected to cause damage to national security.
Video conferencing requirements:
- NSA-approved encryption for classified systems
- SCIF or approved secure facility
- Cross-domain solution for unclassified connectivity
- Type 1 encryption products (NSA certified)
- Strict physical and technical access controls
- Comprehensive audit and accountability
- Intelligence oversight compliance
SECRET
Classified information where unauthorized disclosure could reasonably be expected to cause serious damage to national security.
Video conferencing requirements:
- All CONFIDENTIAL requirements plus:
- Enhanced physical security measures
- More stringent personnel security requirements
- Dedicated classified infrastructure
- Sophisticated counter-intelligence measures
- Regular security audits and inspections
- Tactical COMSEC when deployed
TOP SECRET
Highest classification level. Unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.
Video conferencing requirements:
- All SECRET requirements plus:
- Maximum physical and technical security
- Special Access Program (SAP) considerations
- Enhanced TEMPEST and EMSEC protections
- Sophisticated counter-surveillance
- Highest level personnel security clearances
- Compartmented information handling
- Read-in requirements for participants
Special Access Programs (SAP) and Sensitive Compartmented Information (SCI)
Beyond basic classification levels, some information requires additional protections.
SAP requirements add:
Formal access approval process
Need-to-know verification
Special security protocols
Enhanced compartmentation
Additional oversight and audit
Restricted dissemination lists
SCI requirements add:
SCIF environment mandatory
Special clearance with poly requirements
Compartmented storage and handling
Indoctrination and read-in processes
Strict compartmentation enforcement
Additional reporting requirements
Multi-Level Security (MLS) Considerations
Some defense operations require video conferencing across classification levels simultaneously—for example, coordinating between strategic (SECRET) and tactical (CONFIDENTIAL) operations.
MLS challenges:
Cannot mix classification levels without proper safeguards
Downgrading classified to lower levels requires authorization
Cross-domain solutions required for information transfer
Separate systems typically required for each level
Guards prevent unauthorized information flow
MLS video conferencing solutions:
Separate systems for each classification level
Cross-domain video teleconference (VTC) systems
One-way information flow (high to low with guard)
Carefully controlled upgrade/downgrade procedures
Dedicated operator managing security boundary
SCIF-Compatible Video Solutions
Sensitive Compartmented Information Facilities (SCIFs) have unique requirements that eliminate many commercial video conferencing options.
SCIF Requirements Overview
SCIFs are accredited facilities for handling Sensitive Compartmented Information (SCI) and Special Access Programs (SAP). They must meet stringent physical and technical security requirements established by Intelligence Community Directive (ICD) 705.
Physical requirements:
Secure walls, floors, ceilings (construction standards)
Access control systems (biometric, card readers)
Intrusion detection systems (IDS)
Sound masking and acoustic protection
Visual privacy (no windows to outside)
Secure storage for classified materials
Proper power and grounding
Technical requirements:
TEMPEST/EMSEC protection (emissions security)
Air-gapped IT systems
Approved cryptographic equipment
Secure telecommunications
Proper electromagnetic shielding
No unauthorized wireless devices
Counter-surveillance measures
Video Conferencing in SCIF Environments
Challenge 1: Air-Gap Requirement
SCIFs processing SCI typically operate air-gapped from external networks. Commercial cloud video platforms cannot function air-gapped.
Solution: Platform must operate completely autonomously:
All servers within SCIF boundary
No external connectivity required for functionality
Local authentication (no cloud auth services)
On-premise AI processing (no external AI services)
Self-contained updates via secure delivery
Challenge 2: TEMPEST/EMSEC Protection
Video conferencing equipment emits electromagnetic radiation that could be intercepted. SCIF requirements mandate TEMPEST protection.
Solution: Equipment must be:
TEMPEST certified (NSA approved)
Properly shielded
Installed per TEMPEST guidelines
Maintained to TEMPEST standards
Periodically re-certified
Challenge 3: Camera and Audio Security
Cameras and microphones in SCIF create security risks—they could potentially be activated remotely or compromised.
Solution: Hardware security controls:
Physical disconnect switches
Hardware indicators (LED) showing active state
Tamper-evident seals
Regular technical surveillance countermeasures (TSCM) sweeps
Proper storage when not in use (secure cabinet)
Challenge 4: Recording and Storage
SCIF discussions often involve information requiring special handling. Recordings must be protected at appropriate classification level.
Solution: Secure recording architecture:
Recordings stored within SCIF boundary
Encryption at rest with proper key management
Access controls based on clearance and need-to-know
Retention and destruction per classification requirements
Audit trail of all access to recordings
SCIF Video Conferencing Architecture Example
Classified SCIF Video System (SECRET/SCI):
Within SCIF boundary:
- Video conferencing servers (classified network)
- Storage arrays (classified, encrypted)
- Authentication infrastructure (classified PKI)
- Management consoles (within SCIF)
- Endpoints (TEMPEST certified)
- Recording systems (classified storage)
No external connections:
- Complete air-gap from unclassified networks
- No internet connectivity
- No vendor remote access
- All administration local
Cross-domain capability:
- Separate unclassified system outside SCIF
- Cross-Domain Solution (CDS) between systems
- One-way or controlled two-way information flow
- Human review of transferred information
- Audit of all cross-domain transfers
Accreditation Process for SCIF Video Systems
Installing video conferencing in SCIF requires accreditation from appropriate authority (typically Cognizant Security Authority or Intelligence Community).
Accreditation steps:
- Design Review: Submit technical architecture for approval
- Physical Security: Verify SCIF meets requirements for equipment
- TEMPEST Certification: Ensure electromagnetic security
- Technical Security: Validate encryption, access controls, audit
- Operational Security: Document procedures for use
- Certification Testing: Independent assessment of implementation
- Risk Assessment: Evaluate and accept residual risks
- Accreditation Decision: Authority grants approval to operate
Timeline: 6-18 months depending on classification level and complexity
ITAR Compliance for Defense Communications
International Traffic in Arms Regulations (ITAR) control export of defense-related articles, services, and technical data. Video conferencing discussing ITAR-controlled information requires specific compliance measures.
What ITAR Controls
Defense articles: Military hardware, software, technology
Defense services: Technical assistance, training, engineering support
Technical data: Blueprints, plans, diagrams, specifications, software source code
ITAR controlled discussions might include:
Weapon system design and specifications
Military vehicle engineering
Aerospace and missile technology
Firearms and ammunition technical data
Military electronics and communications
Satellite technology and components
Night vision and thermal imaging
Military training and tactics
ITAR Requirements for Video Conferencing
Data Location Requirements
ITAR technical data must remain within United States or be properly exported under authorization.
Compliant architecture:
- All servers physically located in United States
- All data storage within U.S. territory
- All data processing within United States
- No replication to foreign data centers
- No foreign personnel with data access
- Verification of data location
Non-compliant architecture:
- Cloud platforms with global data centers
- Data replication for optimization
- Foreign-based support personnel
- Data processing in foreign countries
- Content delivery networks outside U.S.
Access Control Requirements
Only U.S. persons (citizens and permanent residents) and authorized foreign nationals may access ITAR technical data.
Compliant controls:
- Verification of citizenship/residency before access
- Separate systems for ITAR vs. non-ITAR discussions
- Guest access restrictions
- Audit logging of all participants
- Regular access reviews
Non-compliant approaches:
- Open meeting links without access controls
- No verification of participant eligibility
- Foreign nationals joining without authorization
- Vendor support from foreign locations
- Cloud platforms with foreign administrators
Export Authorization Requirements
Sharing ITAR technical data with foreign nationals (even within U.S.) or foreign entities requires export authorization from Department of State.
Required for:
- Foreign national employees accessing data
- Coalition partners receiving information
- International joint ventures
- Foreign subsidiary access
- Training foreign military personnel
Authorization types:
- Technical Assistance Agreement (TAA)
- Manufacturing License Agreement (MLA)
- License for export
- License exception
- Exemption (limited circumstances)
ITAR Violation Consequences
ITAR violations carry severe penalties and consequences.
Civil penalties:
- Up to $500,000 per violation
- Debarment from export privileges
- Consent agreements with compliance requirements
Criminal penalties:
- Up to $1 million per violation
- Up to 20 years imprisonment
- Felony conviction
Business consequences:
- Loss of defense contracts
- Mandatory disclosure of violations
- Enhanced compliance monitoring
- Reputation damage
- Loss of competitive advantage
ITAR Compliance Checklist for Video Conferencing
- [ ] Platform architecture verified to keep all data within United States
- [ ] No foreign data center replication or processing
- [ ] Access controls verify U.S. person status before ITAR discussions
- [ ] Export authorizations obtained for foreign national participants
- [ ] Audit logging tracks all participants and access
- [ ] Recordings stored securely with proper access controls
- [ ] ITAR compliance training completed by users
- [ ] Vendor personnel accessing systems are U.S. persons
- [ ] Regular audits verify continued compliance
- [ ] Incident response plan for potential violations
Cross-Domain Solutions (CDS)
Cross-Domain Solutions enable information transfer between systems operating at different classification levels while enforcing security policies.
Why Cross-Domain Solutions Matter
Defense operations frequently require communication between different security domains:
Strategic headquarters (SECRET) coordinating with tactical units (CONFIDENTIAL)
Intelligence agencies (TS/SCI) providing information to operational commands (SECRET)
Classified program offices (SECRET) interfacing with contractors (CUI/UNCLASSIFIED)
Coalition operations (CONFIDENTIAL) coordinating with partner nations (UNCLASSIFIED)
Without CDS, these communications require completely separate meetings at the lowest classification level—losing valuable higher-classified context.
Types of Cross-Domain Solutions
1. One-Way Transfer (Data Diode)
Information flows one direction only—from higher classification to lower.
Use cases:
- Disseminating intelligence products from classified to unclassified users
- Providing classified guidance to unclassified operations
- Downgrading approved information for broader distribution
Security:
- Physical or logical one-way enforcement
- No return path for malware or data exfiltration
- Lower risk profile than two-way solutions
Limitations:
- No interactive communication
- Cannot receive responses or questions
- Information must be pre-approved for downgrade
2. Two-Way Transfer with Guard
Bidirectional information flow with security guard enforcing policy.
Use cases:
- Video teleconferences between classification levels
- Collaborative work across security domains
- Interactive briefings with Q&A
Security:
- Guard inspects all information transfers
- Policy enforcement (content filtering, data validation)
- Human review of transferred information (some implementations)
- Audit logging of all transfers
Complexity:
- Requires accreditation at high-side classification level
- Policy definition and enforcement challenging
- Performance considerations for real-time video
3. Manual Transfer
Human reviews information before transfer between domains.
Use cases:
- When automated guards cannot assess classification
- Complex information requiring judgment
- High-assurance requirements
Security:
- Human judgment for classification decisions
- Highest assurance level
- Accountability through human review
Limitations:
- Cannot support real-time video
- Labor intensive
- Throughput limited by human review speed
Cross-Domain Video Conferencing Architecture
Typical CDS video implementation:
High-Side (Classified) Components:
- Classified video conferencing system
- Classified network connectivity
- SCIF endpoints
- Classified recording/storage
Cross-Domain Solution:
- NSA-certified CDS appliance
- Policy enforcement engine
- Inspection and filtering
- Audit and logging
- Guards monitoring transfers
Low-Side (Unclassified) Components:
- Unclassified video system
- Standard network
- Regular endpoints
- Unclassified storage
Information Flow:
- Video/audio streams filtered through CDS
- Content inspection (if required)
- Metadata sanitization
- Watermarking of transferred information
- Comprehensive audit trail
CDS Accreditation Requirements
Cross-Domain Solutions require rigorous accreditation process.
NSA CCEVS (Common Criteria Evaluation and Validation Scheme):
- Product-level evaluation and certification
- Validation that product meets security requirements
- Testing by accredited laboratories
System Accreditation:
- Specific implementation assessment
- Verification of proper configuration
- Testing of policy enforcement
- Risk assessment and acceptance
- Operational test and evaluation
Ongoing Monitoring:
- Continuous monitoring of CDS operations
- Regular security testing
- Configuration management
- Incident response procedures
- Periodic re-accreditation
Timeline: 12-24 months for new CDS implementation including accreditation
Operational Considerations
Latency:
CDS adds processing delay to video streams (inspection, filtering). For real-time video, latency budget is critical.
Typical CDS latency: 50-500ms depending on implementation
Acceptable for video: <200ms
Mitigation: Purpose-built video CDS with optimized inspection
Classification Marking:
All information transferred through CDS must be properly marked.
Video watermarking: Visible classification banners on video streams
Audio announcements: Periodic classification level announcements
Metadata tagging: Classification embedded in technical metadata
User Experience:
CDS can impact usability if not properly implemented.
Challenges:
- Delayed audio/video synchronization
- Filtering creating gaps in communication
- Complex connection procedures
- Training requirements for proper use
Mitigations:
- Purpose-built video CDS solutions
- Streamlined user workflows
- Comprehensive user training
- Clear operational procedures
Coalition Partner Communication
Defense operations frequently involve coalition partners from allied nations. Sharing information with foreign partners requires special considerations.
Information Sharing Authorities
NATO:
NATO SECRET and below can be shared with all NATO members
Special agreements for specific programs
Caveats control further dissemination
NATO Communications and Information Agency (NCIA) provides infrastructure
FVEY (Five Eyes – US, UK, Canada, Australia, New Zealand):
Intelligence sharing partnership
Highest level of trust and information exchange
Special releasability markings (REL TO FVEY)
Integrated intelligence operations
Bilateral Agreements:
Country-specific sharing arrangements
Technology transfer agreements
Joint program security requirements
Foreign disclosure authorization required
Technical Requirements for Coalition Communications
1. Releasability Controls
System must enforce releasability markings and prevent unauthorized disclosure to partners not authorized for specific information.
Implementation:
- Attribute-based access control
- Releasability marking enforcement
- Segregation by partnership agreement
- Audit of all partner access
2. National Caveat Support
Partners may add national caveats restricting further dissemination.
Examples:
- “REL TO USA, GBR” (release to US and UK only)
- “NOFORN” (no foreign dissemination)
- “ATOMAL” (NATO atomic information)
- National originator control
System requirements:
- Track and enforce caveats
- Prevent unauthorized removal
- Cascade caveats to derived information
3. Partner Network Connectivity
Coalition communications require secure connections between partner networks.
Options:
Dedicated circuits: Physical connections between partner facilities
VPN over internet: Encrypted tunnels (carefully controlled)
NATO infrastructure: Dedicated NATO networks
Gateway approach: Controlled interface between national networks
4. Classification Equivalency
Partners use different classification systems. Must establish equivalency mappings.
| U.S. Classification | NATO | UK | Australia |
| UNCLASSIFIED | UNCLASSIFIED | UNCLASSIFIED | UNCLASSIFIED |
| CONFIDENTIAL | NATO CONFIDENTIAL | CONFIDENTIAL | CONFIDENTIAL |
| SECRET | NATO SECRET | SECRET | SECRET |
| TOP SECRET | COSMIC TOP SECRET | TOP SECRET | TOP SECRET |
System must:
- Support multiple classification schemes
- Enforce highest equivalent classification
- Prevent classification confusion
- Properly mark information for each partner
Coalition Video Conferencing Architecture
U.S. Classified Network:
- SECRET video system
- U.S. users only
- Full audit and control
Coalition Information Sharing System:
- Releasable information only
- Multi-national access
- Caveat enforcement
- Per-partner audit
Partner National Networks:
- Each partner’s classified systems
- National control
- Integration with coalition system
Information Flow:
- U.S. users release authorized information to coalition system
- Coalition system enforces releasability and caveats
- Partners access through secure connections
- All access logged and auditable
Military-Specific Use Cases
Defense video conferencing serves unique use cases with specific security requirements.
Operational Command and Control
Use case: Commanders conducting operations need secure video communications for command and control.
Requirements:
- Mobile/tactical deployable systems
- Denied environment operation (no internet)
- Hardened against jamming and interference
- Rapid setup and teardown
- Minimal bandwidth consumption
- Integration with tactical networks
Security considerations:
- Operations security (OPSEC)
- Communications security (COMSEC)
- Emission control (EMCON) when necessary
- Counter-surveillance
- Tactical authentication
Example implementation:
- Ruggedized portable VTC systems
- Satellite communications backup
- Multi-level security support
- Mesh networking capability
- Battery-powered operation
Intelligence Operations
Use case: Intelligence agencies conducting sensitive operations require maximum security for planning and coordination.
Requirements:
- SCI/SAP handling capability
- SCIF-based communications
- Compartmented information controls
- Need-to-know enforcement
- Source protection
Security considerations:
- Counter-intelligence measures
- Special access program requirements
- Originator control
- Read-in verification
- Sophisticated OPSEC
Joint and Coalition Operations
Use case: Multi-national operations requiring coordination across services and partner nations.
Requirements:
- Multi-classification level support
- Coalition releasability enforcement
- Service-specific requirements (Army, Navy, Air Force, Marines)
- Interoperability across systems
Security considerations:
- Complex releasability matrices
- National caveat enforcement
- Service-specific classification guides
- Third-party rule (originator approval for sharing)
Defense Contractor Program Offices
Use case: Program offices managing classified defense acquisition programs need secure communications with contractors and government stakeholders.
Requirements:
- CUI/ITAR compliance
- CMMC requirements for contractors
- Program security requirements
- Acquisition sensitive information protection
Security considerations:
- Organizational conflict of interest
- Procurement integrity
- Competition sensitive information
- Technical data protection
CMMC Requirements for Defense Contractors
Cybersecurity Maturity Model Certification (CMMC) establishes cybersecurity standards for defense contractors handling Controlled Unclassified Information (CUI).
CMMC Levels and Video Conferencing
CMMC Level 1: Foundational (17 practices)
Basic cybersecurity hygiene. Rarely sufficient for video conferencing handling CUI.
CMMC Level 2: Advanced (110 practices)
Implements NIST SP 800-171 requirements. Minimum required for most defense contractors handling CUI.
Video conferencing requirements:
- Access control (AC) – multi-factor authentication, least privilege
- Audit and accountability (AU) – comprehensive logging
- Identification and authentication (IA) – unique user identification
- System and communications protection (SC) – encryption in transit and at rest
- Media protection (MP) – sanitization and disposal controls
CMMC Level 3: Expert (110+ practices)
Enhanced security for high-value assets and critical programs.
Additional requirements:
- Advanced/persistent cyber threat protection
- Enhanced detection capabilities
- Asset management and dependency mapping
- Supply chain risk management
Key CMMC Requirements for Video Conferencing
Access Control (AC.L2-3.1.1 through AC.L2-3.1.22):
AC.L2-3.1.1: Limit system access to authorized users
AC.L2-3.1.2: Limit system access to authorized transactions
AC.L2-3.1.3: Control flow of CUI
AC.L2-3.1.5: Employ principle of least privilege
AC.L2-3.1.12: Monitor and control remote access
AC.L2-3.1.20: External system connections require authorization
Implementation for video conferencing:
- Multi-factor authentication required
- Role-based access control
- Session timeout enforcement
- Recording access controls
- No guest access for CUI discussions
Audit and Accountability (AU.L2-3.3.1 through AU.L2-3.3.9):
AU.L2-3.3.1: Create audit records
AU.L2-3.3.2: Ensure actions can be traced to users
AU.L2-3.3.3: Review and update logged events
AU.L2-3.3.5: Correlate audit record review and analysis
AU.L2-3.3.8: Protect audit information and tools
AU.L2-3.3.9: Limit audit record management
Implementation for video conferencing:
- Log all access attempts
- Log administrative actions
- Log configuration changes
- Protect logs from tampering
- Retain logs per requirements
- Regular log review
System and Communications Protection (SC.L2-3.13.1 through SC.L2-3.13.16):
SC.L2-3.13.8: Implement cryptographic mechanisms
SC.L2-3.13.11: Employ FIPS-validated cryptography
SC.L2-3.13.15: Protect authenticity of communications sessions
SC.L2-3.13.16: Protect confidentiality of CUI at rest
Implementation for video conferencing:
- FIPS 140-2 validated encryption
- TLS 1.2 minimum for data in transit
- Encryption for recordings at rest
- Cryptographic authentication
CMMC Assessment Process
Contractors must undergo third-party assessment to achieve CMMC certification.
Assessment steps:
- Scoping: Define assessment boundary (which systems handle CUI)
- Gap Analysis: Identify control gaps before formal assessment
- Remediation: Implement missing controls
- Pre-Assessment: Internal verification of readiness
- Formal Assessment: C3PAO (Certified Third-Party Assessment Organization) conducts assessment
- Certification: If passing score achieved, certificate issued
- Continuous Compliance: Maintain controls, periodic reassessment
Timeline: 6-18 months from gap analysis to certification
Costs:
- Remediation: $50,000-$500,000+ depending on gaps
- Assessment: $15,000-$100,000 depending on scope
- Ongoing compliance: $20,000-$100,000 annually
Common CMMC Failures for Video Conferencing
Failure 1: Using commercial cloud platforms without proper controls
Platform stores CUI in multi-tenant cloud, violates data isolation and encryption requirements.
Remediation: Deploy on-premise or government cloud with proper controls.
Failure 2: Inadequate access controls
Password-only authentication, no MFA, broad permissions.
Remediation: Implement MFA, least privilege access, regular access reviews.
Failure 3: Insufficient audit logging
Minimal logging, logs not reviewed, no tamper protection.
Remediation: Comprehensive logging, log protection, regular review, SIEM integration.
Failure 4: No encryption for recordings
Meeting recordings stored unencrypted, inadequate access controls.
Remediation: Encrypt recordings at rest, implement strict access controls, retention policies.
Failure 5: Vendor access to CUI
Vendor support personnel have access to CUI systems without proper controls.
Remediation: Limit vendor access, ensure proper authorization, audit all vendor activities.
Comparison: Defense Video Solutions
Let’s compare different approaches to defense video conferencing.
| Aspect | Commercial Cloud | FedRAMP Cloud | Government Cloud | On-Premise (Convay) |
| Classification Support | UNCLASSIFIED only | CUI/UNCLASSIFIED | CUI/UNCLASSIFIED | Up to TS/SCI |
| SCIF Deployment | Not possible | Not possible | Limited | Full support |
| Air-Gap Capable | No | No | No | Yes |
| ITAR Compliant | Difficult | Possible | Yes | Yes |
| CDS Integration | Not supported | Limited | Limited | Native support |
| CMMC Suitable | No (Level 1 only) | Yes (Level 2) | Yes (Level 2+) | Yes (Level 3) |
| Key Management | Vendor | Shared | Shared | Customer |
| NSA Type 1 Encryption | No | No | No | Supported |
| Vendor Access | Extensive | Controlled | Limited | Zero (customer choice) |
| Coalition Support | Limited | Limited | Possible | Full support |
| Tactical Deployable | No | No | Limited | Yes |
| Audit Completeness | Limited | Moderate | Good | Complete |
| Certification Complexity | Very High | High | Moderate | Clear path |
How Convay Meets Defense Requirements
Throughout this guide, I’ve provided defense-agnostic security guidance. Now let me explain how Convay specifically addresses defense agency requirements.
Defense-Grade Architecture
Built for National Security from Day One
Convay wasn’t adapted from commercial platform—it was architected specifically for defense and intelligence requirements.
Design principles:
- Air-gap operation capability
- Classification-aware architecture
- SCIF-compatible deployment
- Cross-domain solution integration
- Coalition information sharing support
- OPSEC and COMSEC by design
Classification Level Support
UNCLASSIFIED through TOP SECRET/SCI
Convay supports full range of classification levels with appropriate security controls for each.
Features per classification:
- Proper classification marking and banners
- Compartmented information handling
- Need-to-know enforcement
- Spillage prevention mechanisms
- Sanitization for downgrading
SCIF Deployment
Complete SCIF Compatibility
Convay operates entirely within SCIF boundary with no external dependencies.
SCIF-specific features:
- Air-gapped operation
- TEMPEST certified configurations available
- Physical security integration
- No vendor remote access required
- Local administration and management
Cross-Domain Solutions
Native CDS Integration
Convay integrates with NSA-certified Cross-Domain Solutions for multi-level operations.
CDS capabilities:
- One-way and two-way transfer support
- Video/audio stream filtering
- Metadata sanitization
- Classification marking enforcement
- Comprehensive audit trails
ITAR Compliance
Built for ITAR from Ground Up
Convay’s U.S.-based architecture inherently supports ITAR requirements.
ITAR features:
- All infrastructure within United States
- No foreign data processing or storage
- U.S. person verification support
- Export authorization tracking
- Comprehensive audit for ITAR compliance
CMMC Certification Support
CMMC Level 2 and Level 3 Ready
Convay provides controls required for CMMC certification.
CMMC support:
- All required access controls
- Comprehensive audit logging
- FIPS 140-2 validated encryption
- Configuration management
- Incident response integration
- Assessment evidence collection
Coalition Partner Support
Multi-National Operations Ready
Convay supports complex coalition information sharing requirements.
Coalition features:
- Releasability marking enforcement
- National caveat support
- Multiple classification scheme support
- Per-partner access controls and audit
- Third-party rule enforcement
Tactical and Deployed Operations
Mobile and Hardened Configurations
Convay supports tactical deployments in challenging environments.
Tactical features:
- Ruggedized hardware options
- Low-bandwidth optimization
- Satellite communications support
- Rapid deployment capability
- Denied environment operation
Frequently Asked Questions
Q: Can we use Zoom or Teams for classified communications?
A: No. Commercial cloud platforms cannot be used for classified information. They lack required encryption (NSA Type 1), cannot operate in SCIFs, and don’t support necessary classification controls. Use platforms specifically designed for classified communications.
Q: What’s the difference between CMMC and FISMA?
A: FISMA applies to federal agencies; CMMC applies to defense contractors. FISMA uses NIST 800-53 controls; CMMC uses NIST 800-171. Both require similar security rigor but different compliance processes.
Q: How long does it take to get Authority to Operate (ATO) for classified video system?
A: Typically 12-24 months from initial planning to ATO, depending on classification level and system complexity. Higher classifications and more complex architectures take longer.
Q: Do we need separate video systems for each classification level?
A: Generally yes, unless you implement Multi-Level Security (MLS) system with appropriate guards and accreditation. Separate systems are simpler and lower risk.
Q: Can defense contractors use the same video platform for CUI and non-CUI work?
A: Technically possible if properly segregated and controlled, but most contractors find separate systems clearer for CMMC compliance and reduces risk of CUI spillage.
Q: What’s the cost difference between commercial and defense-grade video conferencing?
A: Defense-grade solutions typically cost 3-5x more in initial deployment but often have lower long-term costs due to no per-user licensing, no annual increases, and reduced compliance overhead.
Q: How do we handle coalition partners with different security requirements?
A: Implement releasability controls, support multiple classification schemes, maintain per-partner audit trails, and enforce national caveats. Purpose-built systems like Convay provide these capabilities natively.
Q: Can we deploy classified video conferencing in tactical/deployed environments?
A: Yes, with ruggedized equipment, satellite communications, and proper COMSEC. Requires careful planning for denied environments and operational security.
Conclusion: Security Matches the Mission
The defense agency from our opening story completely rebuilt their video conferencing approach after the security incident. They moved from commercial cloud to on-premise classified system. They implemented proper cross-domain solutions. They established SCIF-compatible deployments.
One year later, their Authorizing Official told me: “The commercial platform was cheaper initially. But we couldn’t actually use it for our mission. We had to avoid discussing anything classified. We worried constantly about accidental spillage. Operations suffered because communications were inadequate.”
“The defense-grade system cost more upfront. But now we communicate freely at appropriate classification levels. No more ‘we’ll discuss offline’ because the platform can’t handle it. No more security incidents because architecture finally matches requirements. The total cost—including operational effectiveness—is dramatically lower.”
Defense communications require defense-grade solutions.
Commercial platforms optimized for global business collaboration cannot be retrofitted for national security. Cloud architectures optimized for scalability and cost cannot operate in SCIFs or denied environments. Platforms designed for convenience cannot enforce classification controls and compartmentation.
Your video conferencing enables mission-critical communications:
- Operational planning and execution
- Intelligence operations and coordination
- Coalition partner collaboration
- Classified program management
- Tactical command and control
- Strategic decision-making
These communications require security commensurate with their importance.
Choose platforms architected specifically for defense requirements. Deploy in configurations that enable mission success while protecting national security. Implement proper controls for classification levels you handle. Achieve and maintain required certifications.
And when your mission demands the highest level of secure communications—choose solutions built specifically for defense from the ground up.