Enclave Excellence: Elevating Your CMMC 2.0 Compliance Game
The Department of Defense (DoD) has made several updates to its Cybersecurity Maturity Model Certification (CMMC) Program over the last several years.
The new CMMC Model 2.0 has 3 levels of maturity instead of the initial 5 levels in CMMC Model 1.0. To comply with the most basic level 1 maturity in the new model, 15 requirements must be met, and an annual self-assessment and annual affirmation must be performed. While the new Cybersecurity Maturity Model Certification (CMMC) Program 2.0 is still in the rulemaking phase and not yet contractually required, contractors and subcontractors who process, store, and transmit Controlled Unclassified Information (CUI) should start preparing to be CMMC 2.0 compliant. This compliance can seem daunting at first glance; organizations looking to achieve level 2 or 3 compliance with CMMC 2.0 must meet, at a minimum, 110 requirements based on NIST 800-171. However, organizations should understand that their entire network is not mandated to be CMMC 2.0 compliant should they decide to implement a CUI enclave.
Understanding Controlled Unclassified Information (CUI) Enclaves
CUI enclaves can help companies reduce effort and cost while meeting DoD CMMC compliance requirements. A CUI enclave limits the scope of what must be protected to meet CMMC 2.0 specifications. Consider an enclave as a box: all CUI in an organization lives within it and must pass through its borders when being transmitted. With the smaller perimeter, data flowing into or out of the enclave follows fewer paths and can be more easily controlled. Additionally, it is easier to manage who has access to CUI systems, and to provide the required training only to those personnel instead of to the entire organization. There are a variety of benefits to CUI enclaves, including:
Organizations can choose to build their own enclaves or opt to use a managed enclave solution, and there are advantages and drawbacks to both methods.
If choosing to work with a third party, the provider should deliver a shared responsibilities matrix (SRM), detailing exactly which parts of enclave management each party is responsible for. This SRM should be considered during the vendor selection process, as it is crucial to choose an enclave that meets your organization’s specific requirements.
The Bottom Line on CUI Enclaves for DoD CMMC 2.0 Compliance
CUI enclaves can help organizations comply with CMMC 2.0 requirements while minimizing the cost and effort to do so. These enclaves also provide clearer visibility into the security controls surrounding CUI, result in fewer business disruptions, and expedite the compliance process. Organizations that are considering a CUI enclave should evaluate whether a self-managed or externally hosted enclave best fits their needs.