SC.L2-3.13.12: Collaborative Computing

Prohibit remote activation of collaborative computing devices.

Collaborative computing devices like webcams and microphones can be a privacy and security risk if remotely activated without the user’s knowledge. SC.L2-3.13.12 requires controls to prevent unauthorized remote activation. The assessor will check your policies and configurations. This practice is related to AC.L2-3.1.1 (access control on devices).

Family: System and Communications Protection
Practice: SC.L2-3.13.12
Difficulty: Easy
Key evidence: Policy, collaboration software settings, hardware controls

What the assessor is actually evaluating

The assessor will look for:

  1. Documented policy: You should have a policy prohibiting remote activation of collaborative computing devices.

  2. Software configuration: Collaboration tools (Zoom, Teams, Webex) should be configured so that cameras and microphones do not activate unless the user explicitly starts a call.

  3. Hardware controls: Devices should have physical or software controls preventing activation without user action. Some systems have physical camera covers or disconnectable webcams.

What a realistic SSP definition looks like

Policy: “The organization prohibits the remote activation of collaborative computing devices including webcams and microphones. Collaborative tools are configured to require explicit user action to activate audio and video. Webcams must be physically disabled or covered when not in use.”

Supporting details:

  • Collaboration software: Teams, Zoom, and WebEx are configured with settings that require the user to explicitly start a call before audio/video are activated. Default permissions do not allow background activation.
  • Device controls: Laptops with built-in webcams are required to have privacy covers or physical shutters. Microphones default to muted.
  • Group Policy: GPOs enforce that collaborative tools do not auto-activate audio or video.
  • Hardware: Desktop systems use external webcams that can be unplugged.

How to present your evidence

  • Policy document: Prohibits remote activation of collaborative devices.
  • Collaboration software configuration: Screenshots of Teams, Zoom, or WebEx settings showing that camera and microphone activation requires user action.
  • Group Policy settings: If collaboration tools are configured via GPO, show the policy settings.
  • Physical controls: Photos of laptops with camera covers or descriptions of hardware used (external webcams that can be unplugged).
  • Configuration verification: On a sampled system, show that collaborative tools do not automatically activate camera or microphone.
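
One way to collect the configuration-verification and Group Policy evidence on a sampled system, as an added example that is not part of the original guide. It assumes a Windows 10/11 endpoint, reads the Windows app privacy policy values and the per-user camera and microphone consent store, and changes nothing.

```powershell
# Added example: read-only evidence collection on a sampled Windows 10/11 endpoint (assumed platform).
# Run as the logged-on user, because the consent store lives under HKCU.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$consentRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'
$meaning     = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }

function Convert-FileTime([object]$Value) {
    # Consent store timestamps are FILETIME values; 0 or missing means "not set".
    if (-not $Value) { return $null }
    [DateTime]::FromFileTimeUtc([long]$Value)
}

# 1. App privacy policy delivered by GPO or MDM
#    ("Let Windows apps access the camera / microphone").
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$policyRows = foreach ($name in 'LetAppsAccessCamera', 'LetAppsAccessMicrophone') {
    $v = if ($policy) { $policy.$name } else { $null }
    [pscustomobject]@{
        Setting = $name
        Value   = $v
        Meaning = if ($null -eq $v) { 'Not configured' } else { $meaning[[int]$v] }
    }
}

# 2. Which applications have used the camera or microphone, and when.
$usageRows = foreach ($cap in 'webcam', 'microphone') {
    $capKey = Join-Path $consentRoot $cap
    if (-not (Test-Path $capKey)) { continue }
    Get-ChildItem -Path $capKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'LastUsedTimeStart' } |
        ForEach-Object {
            $start = $_.GetValue('LastUsedTimeStart')
            $stop  = $_.GetValue('LastUsedTimeStop')
            [pscustomobject]@{
                Device       = $cap
                App          = $_.PSChildName -replace '#', '\'  # desktop app paths are stored with '#'
                Consent      = $_.GetValue('Value')
                LastStartUtc = Convert-FileTime $start
                LastStopUtc  = Convert-FileTime $stop
                # Assumption: a start time with no stop time means the device is in use now.
                InUseNow     = [bool]($start -and -not $stop)
            }
        }
}

$policyRows | Format-Table -AutoSize
$usageRows | Sort-Object Device, LastStartUtc | Format-Table -AutoSize
```

Keep the two tables alongside the settings screenshots; a row showing InUseNow as true while no call is open is worth following up before the assessment.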

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: “Describe your policy on collaborative computing devices. Can someone remotely activate a camera or microphone?”

You: “No. Our policy requires that collaborative devices remain disabled until a user explicitly activates them. We have physical controls and software settings that enforce this.” [Pull up policy and show a system with a camera cover]

Assessor: “Show me how Teams is configured.”

You: [Open Teams settings and show that camera and microphone are set to require user activation. Demonstrate that neither activates unless you explicitly start a call]

Assessor: “What if someone tries to remotely control the device?”

You: “The configuration prevents it. The user must explicitly enable camera and microphone.” [If applicable, show Group Policy settings]

Common failures

No policy addressing collaborative devices: The organization has not documented requirements for collaborative device activation.

Collaboration tools are not configured: Teams or Zoom is installed with default settings. It is not clear whether remote activation is prevented.

No physical controls: Systems have webcams without covers or locks. Microphones are always active.

Clear policy and configuration: Policy prohibits remote activation. Software is configured to require user action. Physical controls are in place.

Consistent enforcement: All systems follow the policy.

If you use an MSP/MSSP

If your MSP manages systems, ensure the MSP is configuring collaboration tools to prevent remote activation. Request evidence that software settings are consistent across all managed systems.


This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.