Intelligence in Compliance

Enclave Excellence: Elevating Your CMMC 2.0 Compliance Game

The Department of Defense (DoD) has made several updates to their Cybersecurity Maturity Model Certification (CMMC) Program over the last several years.

  • In November 2021, the DoD announced CMMC Model 2.0, which streamlined the CMMC process and aligned with National Institute of Standards and Technology (NIST) standards.
  • In December 2023, the DoD published a proposed rule in the Federal Register that would formally establish the CMMC program, requiring contractors and subcontractors to extend their security requirements to cover both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The new CMMC Model 2.0 has 3 levels of maturity instead of the initial 5 levels in CMMC Model 1.0. To comply with the most basic level 1 maturity in the new model, 15 requirements must be met, and an annual self-assessment and annual affirmation must be performed.

While the new Cybersecurity Maturity Model Certification (CMMC) Program 2.0 is still in the rulemaking phase and not yet contractually required, contractors and subcontractors who process, store, and transmit Controlled Unclassified Information (CUI) should start preparing to be CMMC 2.0 compliant.

This compliance can seem daunting at first glance: organizations seeking level 2 or 3 compliance with CMMC 2.0 must meet, at a minimum, 110 requirements based on NIST 800-171. However, an organization's entire network does not have to be CMMC 2.0 compliant if the organization implements a CUI enclave.

Understanding Controlled Unclassified Information (CUI) Enclaves

CUI enclaves can help companies to reduce efforts and costs while meeting DoD CMMC compliance requirements. A CUI enclave can be helpful to limit the areas that must be protected to meet CMMC 2.0 specifications.

Consider an enclave as a box: all CUI in an organization lives within it and must pass through its borders when being transmitted. Data that flows into or out of the enclave crosses a smaller perimeter and can be more easily controlled. Additionally, it is easier to manage who has access to CUI systems, and to provide the required training only to those people rather than to the entire organization.

There are a variety of benefits to CUI enclaves, including:

  • Cost Efficiency: It is much simpler and more cost effective to protect data that is isolated within a new segment of an organization, as opposed to letting data flow freely and deploying enhanced protections across various aspects of the network. Security controls required for CUI are often significantly more stringent than those needed for other types of data; for example, using FIPS-validated cryptography on all devices processing or storing CUI. If an organization applies CMMC requirements to their entire network, the costs can rapidly add up.
  • Visibility to CUI Protections: Limiting the area where CUI is located can allow enhanced visibility to the specific controls surrounding this data, and to the individuals who have access to it. Patches that are released for systems used in the enclave can be more easily viewed and deployed on this smaller scale. Additionally, if controls or technologies must be updated, technology teams can manage this more quickly and efficiently in the compact environment.
  • Expedited Compliance Process: Building off the above point, a smaller footprint for CUI results in a smaller scope for audits. Instead of requiring an organization’s entire network to meet CMMC standards, having a segregated spot for CUI to reside allows audits to focus on one specific area, expediting the process.
  • Minimized Business Disruptions: It can be challenging to implement all controls required to obtain CMMC 2.0 compliance, especially if an organization must deploy them across its entire network. By using an enclave, organizations can limit disruptions to the business, because most changes will happen only within the enclave rather than across every information system. Business operations can thus continue as usual while the enclave is created and protected.

Organizations can choose to build their own enclaves or opt to use a managed enclave solution, and there are advantages and drawbacks to both methods.

  • Self-managed enclaves allow an organization to have complete control over their CUI, though this requires a greater effort from the company and can result in additional costs if more staff are required to manage the enclave.
  • Hosted enclaves alleviate much of the responsibility for the contracting organization, as some tasks are completely managed by the enclave provider. However, their costs may appear higher than those of a self-managed enclave if the personnel required to make a self-managed enclave fully functional are not taken into account.

If choosing to work with a third party, the provider should deliver a shared responsibilities matrix (SRM) detailing exactly which parts of enclave management each party is responsible for. This SRM should be reviewed during the vendor selection process, as it is crucial to choose an enclave that meets your organization’s specific requirements.

The Bottom Line on CUI Enclaves for DoD CMMC 2.0 Compliance

CUI enclaves can help organizations comply with CMMC 2.0 requirements while minimizing the cost and effort to do so. These enclaves also provide clearer visibility to security controls surrounding CUI, result in fewer business disruptions, and expedite the compliance process.

Organizations that are considering a CUI enclave should evaluate whether a self-managed or externally hosted enclave best fits their needs.
