For defense contractors working toward their required Cybersecurity Maturity Model
Certification (CMMC) status, the effort often brings a great deal of stress and frustration.
Many find that their internal IT systems are not prepared for the level of security CMMC
demands to protect Controlled Unclassified Information (CUI), and that upgrading those
systems is more time-consuming and costly than expected. Small and medium-sized
contractors and subcontractors are hit particularly hard when the cost of compliance
outgrows the budget set aside for it.
Compliance will soon be a necessity for companies that wish to continue working on
Department of Defense (DoD) contracts, and contractors will be held more stringently to
the NIST SP 800-171 controls. The right strategies, however, can significantly lower the
cost of achieving and maintaining compliance. One such strategy is creating a secure
CMMC enclave.
In an organization entrusted with CUI under a defense contract, it is highly unlikely that
all employees will be (or should be) handling and accessing that data. A CMMC
assessment covers every system and person in the organization that stores, processes
or transmits CUI, and the wider that scope is, the more expensive the technology and
training needed to keep that information secure will be. Establishing a secure enclave
lets an organization restrict access to only those who need it and shrink the portion of
its network that must meet the full set of CMMC requirements.
According to the CMMC Assessment Process (CAP) from the Cyber AB (the
Cybersecurity Maturity Model Certification Accreditation Body), an enclave is “a set of
system resources that operate within the same security domain and that share the
protection of a single, common, and continuous security perimeter. A segmentation of
an organization’s network or data that is intended to ‘wall off’ that network or database
from all other networks or systems.” Thus, rather than having CUI available across the
entire network, an enclave confines it to a specific, bounded part of your network. In
practice the enclave also defines the set of individuals who may access the CUI, and who
therefore must be trained on the procedures for handling it.
Think of it as putting valuables in a safe and then entrusting only a select few with the
combination. Creating an enclave means fewer endpoints to protect and assess than
bringing an entire network up to CMMC compliance, saving time and money on the
requisite technology. Likewise, restricting CUI access to only those employees who
strictly need it reduces the training that must be delivered and the number of people who
must be managed against the applicable policies and procedures.
While the details of what makes an appropriate secure enclave differ by organization,
some general steps will help break down the process of creating one.
Step in creating a secure CMMC enclave | Instructions |
Define the scope | Begin by identifying where CUI currently lives in your systems and who has access to it. If the data is reachable by anyone anywhere on the network, step back and determine who absolutely must handle CUI as part of their work, then limit access accordingly. |
Create a compliance boundary | Clearly define where CUI will be stored, processed and transmitted within your systems, and ensure that boundary is enforced and maintained so CUI does not leak outside the enclave. |
Implement appropriate technologies | Common commercial platforms for routine tasks such as email and file sharing often do not meet CMMC requirements at their standard tiers. For example, DFARS 252.204-7012 requires a cloud service provider that stores, processes or transmits CUI to meet the FedRAMP Moderate baseline or equivalent, and NIST SP 800-171 calls for FIPS-validated cryptography when protecting the confidentiality of CUI. Select and configure encryption, email, file-sharing and other tools with those regulations and standards in mind. |
Create policies and procedures | Human error is a frequent cause of security lapses. Policies and procedures that define who manages and handles CUI, and the compliant practices for doing so, are critical. |
Conduct a self-assessment | Assessing your enclave against the controls in NIST SP 800-171, documenting the results in a System Security Plan (SSP) and tracking any gaps in a Plan of Action and Milestones (POA&M), will show how far you are from meeting CMMC requirements. |
If your organization’s projected costs and timeline for meeting CMMC compliance have
grown beyond what you planned, Right Click can help with smart, cost-effective strategies.
We can provide case analysis to map an efficient path to compliance, as well as design
a secure enclave to meet the unique requirements of your business. To schedule your
consultation, contact us here today.