This is from the 32 CFR CMMC Final Rule and Scoping Guide for Level 2:
An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.
Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI.
So assuming that the company can justify that its VDI client meets the requirements described above, the devices using the VDI client are out-of-scope assets.
How would these out-of-scope assets be treated when looking at Assessment Objectives such as:
AC L1-3.1.1 (c) Devices (and other systems) authorized to connect to the system are identified.
AC L1-3.1.1 (f) System access is limited to authorized devices (including other systems).
IA L1-3.5.1 (c) Devices accessing the system are identified.
IA L1-3.5.2 (c) The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
Would it meet requirements to respond with something like the following?
Devices authorized to connect to the system are identified by unique identifiers [… examples here…], except those devices connecting through the company-authorized VDI client, which is configured to prevent any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client.
System access is limited to devices using the company-authorized VDI client, or devices/systems that are specifically identified and authorized to access the system.