Whether you're trying to score 110 points in your NIST 800-171 self-assessment, or seeking CMMC Level 1 or CMMC Level 3 compliance and certification, this article is for you.
The key to successful CMMC implementation is reducing the scope of the compliance effort. What is compliance scope and why does it matter?
Note: Where I mention CMMC, it generally also applies to NIST 800-171 and CMMC levels 1 through 3.
What Is Compliance Scope?
Scope defines the boundaries around what must meet the compliance requirements and what is out-of-scope. Here are some examples:
- You handle CUI data on your office computer, even though no one else in the office does. The entire office network is likely in scope.
- You exchange regular unencrypted email containing FCI with another contractor or a project sponsor. Every system that touches the email is in scope – including the internet (oops!).
- You share files containing CUI with the project team, including prime and subcontractors, using a secure cloud service. The cloud service, and any device you access it from, is in scope. (Note: the other contractors have the same compliance requirements you do per DFARS flow-down requirements.)
- You process FCI from home using a personally owned computer connected to the office VPN via your home WiFi network. Your home systems and network are in scope.
Why Does Limiting Scope Matter?
CMMC compliance is complex, costly, and time consuming to implement and maintain. All of those factors can be reduced by minimizing what’s in scope for compliance purposes.
For example, consider how much narrower the scope would be if you processed CUI only on a standalone laptop that you lock in a safe when not in use. Only the laptop would seem to be in scope, but it's not quite that simple. CMMC has other requirements, such as backup, and you're probably going to need at least some removable media for system updates, so the scope is going to expand a bit. Even so, this is about the minimum scope you can achieve.
In practice, a standalone laptop isn’t likely to meet your needs. You’re not going to be able to communicate with your sponsors, subs, or primes, let alone your own team without a more complex system.
If you’re like most organizations, you have FCI and CUI in a variety of places throughout your network and systems putting pretty much everything in scope. I’ll cover what “everything” means in more detail later on.
Limiting Compliance Scope Using Encryption
Encryption, particularly network and message encryption, is a key factor in determining what’s in scope and what’s out of scope. Imagine using regular email to send CUI to your sponsor. Email is normally unencrypted. At many points, as the email gets routed from network to network, that email message is recorded in log files where it can be viewed by unauthorized parties.
The simple fact of it being unencrypted means the entire internet email system comes into scope. Obviously, that’s not going to be a compliant solution.
By encrypting the email (message encryption), you narrow the scope down to your email system, the network it’s connected to, and the devices you access it from.
The same situation applies to anywhere CUI or FCI is transmitted. You can limit scope to a significant degree by encrypting the data using secure communications protocols like TLS, which you’re using right now to communicate with this website. It won’t automatically remove your entire network from being in scope but it is critical to ensuring the entire internet is out of scope.
Limiting Compliance Scope Using Data Segmentation and Enclaves
Data segmentation is the process of separating different data classifications, such as separating Covered Data from your internal data, into separate systems or subsystems, often called an "enclave".
By setting up an enclave specifically for FCI and CUI, you can reduce compliance scope to the enclave and its components. All your non-FCI/CUI data stays where it is and you move all your FCI and CUI into the enclave.
What's different about an enclave compared to a standalone system or fully isolated network (such as when handling classified data) is that it can still interact with systems outside of the enclave. For example, you conveniently access the enclave from your usual computer, typically via a remote desktop application or web browser.
Enclaves can greatly limit compliance scope but are very complex to build to satisfy all the NIST 800-171, CMMC, and other compliance program requirements.
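As an added illustration (not part of the original article and not Compliance Island code), the following Python model applies the scoping rules described above to three constructed environments: an asset is in scope if it stores or processes FCI/CUI, if it is an endpoint of a flow carrying them, or if it relays such a flow unencrypted. Asset and relay names are constructed for the example.

```python
# Added example (not from the article or Compliance Island): a small model of
# how compliance scope propagates along data flows. Assumption: each flow
# carries one data class and is either encrypted end to end or not; asset and
# relay names are constructed.
from dataclasses import dataclass, field

COVERED = {"CUI", "FCI"}   # data classes that pull an asset into scope

@dataclass
class Flow:
    src: str
    dst: str
    data: str                 # "CUI", "FCI" or "internal"
    encrypted: bool           # message or transport encryption, end to end
    via: list = field(default_factory=list)   # relays the flow passes through

def in_scope(assets: dict, flows: list) -> dict:
    """Map each in-scope asset to why it is in scope (article's rules)."""
    reasons = {}
    for asset, classes in assets.items():       # stores or processes FCI/CUI
        if COVERED & set(classes):
            reasons[asset] = "stores/processes FCI or CUI"
    for f in flows:
        if f.data not in COVERED:
            continue
        for endpoint in (f.src, f.dst):         # sender and receiver always count
            reasons.setdefault(endpoint, f"endpoint of {f.data} flow")
        if not f.encrypted:                     # relays can read plaintext
            for relay in f.via:
                reasons.setdefault(relay, f"relays unencrypted {f.data}")
    return reasons

def scenario_email(encrypted: bool) -> dict:
    """CUI emailed to a sponsor, with or without message encryption."""
    assets = {"office-pc": ["CUI"], "sponsor-mail": ["CUI"], "file-server": ["internal"]}
    flow = Flow("office-pc", "sponsor-mail", "CUI", encrypted, via=["isp-relay", "internet-mx"])
    return in_scope(assets, [flow])

def scenario_enclave() -> dict:
    """CUI kept only in an enclave reached over an encrypted remote desktop session."""
    assets = {"office-pc": [], "enclave-desktop": ["CUI", "FCI"], "file-server": ["internal"]}
    flow = Flow("office-pc", "enclave-desktop", "CUI", True, via=["home-wifi", "internet"])
    return in_scope(assets, [flow])

if __name__ == "__main__":
    print(sorted(scenario_email(False)), sorted(scenario_email(True)), sorted(scenario_enclave()))
```

With plain email the internet relays land in scope; with message encryption only the two endpoints remain, and in the enclave case the office PC is in scope only as an access device while the internal file server stays out.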
Compliance Island Enclaves
Before we get into what it takes to build your own enclave, I want to talk about our ready-to-deploy enclave solution, Compliance Island. In addition to learning about our offering, you’ll pick up some ideas should you decide to build your own enclave.
As you’ll see in a moment, a lot goes into building an enclave that satisfies all the NIST 800-171 and CMMC Level 3 requirements. With that challenge in mind, we thought a ready-to-deploy, off-the-shelf solution would be of great benefit to many organizations. Standardized enough to keep costs down but flexible enough to meet varying contract requirements, we think Compliance Island will meet the needs of most contractors. Where it doesn’t we’ll be happy to say so and point you to other firms that might better suit your unique situation.
With Compliance Island, compliance scope is limited to the Compliance Island solution, which is already compliant, fully documented, and, for CMMC Level 3, includes compliance services like risk, change, and incident management. Scope on your local system is limited to the devices you use to access Compliance Island and they only need to meet the simple requirements of FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, which you probably do already.
Access to Compliance Island is via a secure Remote Desktop session, either through an app installed on your device or a web browser. Communication between your device and Compliance Island is always secured via TLS encryption. No CUI or FCI data is ever kept on your device.
Inside Compliance Island, you interact with a familiar Windows 10 desktop where all the applications your organization needs to meet its contract requirements, such as Microsoft Office 365, are installed. Email, OneDrive, and Teams are available and secured, with email encryption enabled by default.
Add-ons include: Linux, graphics, and developer workstations; high-performance compute; application servers; and most Microsoft Azure services. For these add-ons, you’ll treat your Compliance Island Windows 10 Desktop as a “jump box”. This approach provides an extra layer of security, reduces risk, and simplifies the compliance process greatly.
How to Build a CMMC Enclave
Designing and building a basic enclave isn’t hard but when you need to meet CMMC requirements, things change. A lot.
Without CMMC requirements, it’s simple to build an enclave: simply sign up for Windows 365 Business and call it a day. Unfortunately, a basic solution like that won’t satisfy your compliance requirements.
Windows 365 Enterprise gets you closer but it’s just a starting point and not a full ready-to-deploy solution. Compliance Island uses the same underlying Azure Virtual Desktop solution but builds out all the features and components needed to meet CMMC requirements.
Below are the key CMMC technology areas that will need to be addressed for your CMMC enclave. This is by no means a complete list, but it'll give you a starting point:
- Physical Locations
  - Everywhere you store, process, or transmit FCI/CUI
  - Private Data Centers
  - Cloud Providers (must meet the FedRAMP Moderate Baseline, or the FedRAMP High Baseline for export controlled CUI)
  - Remote device / workstation locations
- Mobile Devices
- Disks and Storage Systems
- Removable Media
- Files, Databases, and Logs
- Operating Systems
- Email (with encryption, e.g. S/MIME)
- Collaboration / File Sharing
- Productivity and Other Applications
- Malware and Device Security Software
- VPN / Remote Access
- Data at Rest
- Data in Transit
- Certificate and Key Management
- Authentication and Authorization
- Multi-factor Authentication
- Logs (with increased logging detail and long retention periods)
- Security Information and Event Management (SIEM)
- Intrusion Prevention / DDoS Protection / etc.
- Disaster Recovery
- Automated Backup / Restore
There are thousands of details that are needed to build out a CMMC compliant solution, regardless of whether you’re building your own enclave or trying to bring your current environment into compliance. To put your level of effort into perspective, know that we’ve invested thousands of hours architecting, developing, and documenting Compliance Island using an experienced expert team and heavily leveraging Microsoft Office 365 and Azure.
Hopefully you can see why we built Compliance Island and why we say that it’s the easy way to CMMC compliance.