What are Enclaves and Why Are They Important for Handling CUI?
One of our country’s more important assets is its information. The U.S. IT infrastructure carries private information covering things like financial information, private information, defense and military information or information that is critical to the operation of government agencies. Some information is classified, and some, while not deemed sensitive enough to classify, are protected as Controlled Unclassified Information, or CUI.
CUI is protected under government regulation, which means that if your business wants to work with federal or defense agencies, it must meet regulations to participate.
What is an Enclave in Cybersecurity?
There is no 100% secure system. This is the premise that cybersecurity is built on. One of the reasons that security as a practice is so difficult is that software is both incredibly complex and prone to vulnerabilities (probably due to this complexity).
To address these limitations, security experts and regulators rely on several different ways to protect the information, based on potential attack surfaces:
- Software encryption: Probably the most well-known and lowest-cost method of data protection is using an encryption algorithm to obfuscate data either during transit (like Transport Layer Security, or TLS) or at rest in a server (like AES-256). Encryption can make it so that stolen data cannot be read by the thief, rendering it basically useless.
- Hardware encryption, aka Hardware Security Modules (HSMs): These modules use physical sources of entropy (randomness) to generate encryption services for specific applications in a system, including additional areas like boot sectors, biometric key storage or other physical systems.
The former is always required by almost every compliance framework. However, there is a limit to where you can encrypt data. For example, data that moves through your systems, even if encrypted, implicates employees and systems as part of necessary compliance standards. That is, even if data is encrypted if your people contact it, they (and their systems) must undergo audits under regulations.
That’s why some security firms are turning to what’s called an “Enclave”, where software and hardware are configured to create a clear separation between people who are authorized to access data and those that are not. This includes protective security tools, hardware controls and data management tools to direct how CUI moves through the system.
Even better, these enclaves can be deployed permanently or temporarily as part of a contract. In the former case, you can maintain separation internally, while in the latter you can create compliant ways to interact with third parties and vendors that can be then destroyed after the fact.
How Does CMMC Impact Handling CUI?
Controlled Unclassified Information (CUI) is data that hasn’t been classified for national security purposes but that requires special security safeguards to control dissemination, maintain privacy and ensure security. This information designation is most often used in defense contracting with contractors or subcontractors working with Department of Defense (DoD) agencies or specific Executive Branch agencies. The collective of agencies, contractors and subcontractors is called the Defense Industrial Base (DIB).
The Cybersecurity Maturity Model Certification (CMMC) framework is the newest governing security framework for the handling of CUI. CMMC is broken down into levels that outline the capabilities and practices that an organization must have to meet that level and, thus, handle specific kinds of data for defense agencies.
To handle CUI, your business must meet CMMC Level 3 at a minimum. At this level, your organization must maintain “Good” cyber hygiene as defined in NIST SP 800-171 and DFARS alongside the ability to create, implement, maintain, manage and resource plan for organization-wide security systems.
At Level 3, your organization has implemented several types of security controls that include:
- Implementing DNS filtering services
- Analyzing and prioritizing security events and their resolution and remediation
- Completing regular and secured data backups of all CUI
- Deploying spam protection, anti-malware software, and firewall controls
- Utilizing encryption for all CUI at rest and in transit
- Endpoint security for mobile devices, including encryption
- Collecting audit log information and performing audit reviews
- Using multi factor authentication
And others. All told, CMMC Level 3 has 58 required practices you must meet before handling CUI. This is true for all systems and all employees in your organization.
What are the Advantages and Disadvantages of Using an Enclave Approach?
The more systems and people that interact with CUI, the more complex your compliance efforts are going to get. That’s where the enclave approach supports more effective compliance. This can get even more troublesome if you are considering using a public or private cloud solution.
For example, commercial Microsoft products are not CMMC compliant. Microsoft offers what they call the GCC High to help contractors meet DoD contracting requirements. However, this approach includes a costly migration to Microsoft servers, and these servers will house your entire IT infrastructure.
And that means the entire infrastructure: all employees, all databases, everything.
The enclave approach can, when configured correctly, provide advantages over complex compliance upgrades or third-party migrations. In fact, according to CMMC regulations, the deployment of a secure enclave can mitigate the need to secure an entire infrastructure, so long as that enclave meets CMMC Level 3 requirements.
Handling CUI isn’t the only place where you can take advantage of enclaves. For example, handling classified data through networks like the Secret Internet Protocol Router Network (SIPRNet) that carries classified information securely.
In both cases, you can sequester CUI or classified data in specific locations with tightly controlled access and security measures that minimize who must be trained and audited in your organization.
Managing government data appropriately is a tall order, which is why government frameworks like CMMC are so exacting. Translating those guidelines across an entire organization can be a huge challenge for anybody, not to mention expensive.
If you find yourself or your organization ready to step into DoD contracting or the handling of CUI or classified information, work with security partners that can automate compliance and minimize your compliance footprint with advanced technologies.
Lazarus Alliance is a certified C3PAO that offers full-service risk assessment and risk management services helping enterprise businesses and SMBS sustain a proactive cybersecurity and compliance strategy that meets requirements for frameworks including CMMC, FedRAMP and HIPAA. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help you as an authorized CMMC C3PAO.