Enclaves for NIST 800-171 Compliance & CMMC? Not So Fast: 5 Things To be Aware of When Considering an Enclave Solution
In your quest as a Defense Industrial Base (DIB) contractor to tackle the intricate aspects of NIST 800-171 and CMMC compliance, you’ve likely been bombarded with a plethora of marketing claims promising swift, ‘silver bullet’ compliance solutions to alleviate your woes. This is understandably enticing for small to medium-sized DIBs caught between successfully addressing the complex layers of these extensive compliance prerequisites and the cost of implementing them. However, many DIBs ultimately find themselves caught in a web of misleading, irresponsible marketing tactics that overstate the capabilities of a solution and sell the dream of a foolproof, plug-and-play answer. In reality, that dream paves the road to non-compliance with NIST 800-171 and CMMC, which can be a massive risk for DIB contractors.
Our mission today is not only to expose these challenges but also to arm you with the right questions that will assist you in navigating this labyrinth. Probing your enclave solution provider with these queries will help you ascertain whether you’re on the right path and will also aid in mitigating the risk of misrepresenting your compliance status. In particular, we will be exploring what are often called “Enclave Solutions”, also known as isolated enclaves or secure enclaves.
What is an Enclave Solution & How Does It Fit into the CMMC Landscape?
An enclave, in information security, is a fortified section of a network. It serves as a tightly controlled space for handling sensitive data, effectively granting access to authorized users while barring the unapproved. When compared with traditional compliance strategies, enclave solutions shine for their focused, cost-effective approach. They are especially valuable for SMBs whose operations in defense-related domains or systems containing Controlled Unclassified Information (CUI) are limited.
In essence, enclave solutions can serve as an effective mechanism addressing many CMMC controls, by providing a “network within a network” for handling sensitive data. However, to make a well-informed decision, it’s vital to delve into a series of key considerations that could make or break your compliance strategy.
Key Questions to Ask Yourself and Your Teams:
As you consider the potential implementation of an enclave solution to address your NIST 800-171 and CMMC compliance requirements, it’s crucial to take a step back and ask yourself a series of reflective questions that will provide vital insight into whether an enclave strategy aligns with your current and future needs:
- Where Does My Information Reside: Individual Computers or the Cloud?
Reflect on the nature of your work. Is your team handling sensitive information on their individual devices, or is access predominantly via the cloud? The answer to this question can shed light on the importance of endpoint security within your organization, and if your team frequently uses individual devices to handle sensitive information, a robust endpoint security solution will be paramount to maintaining compliance and protecting your network. Remember that in the vast majority of cases, endpoints that access CUI are in scope, even when accessing data hosted externally.
- Where Do I Stand: Sharing Risk or Owning It?
Next, consider your stance on risk ownership. Implementing an enclave solution means placing a portion of your organization’s security in the hands of your provider, which introduces the element of shared risk. Are you comfortable with this, or would you prefer to maintain full control over your risk management? Remember, a detailed Responsibility Matrix can aid in understanding the division of risk and responsibilities between you and your provider.
- What is My Current Data Handling and Storage Strategy, and What Do I Want for the Future?
Take stock of how you’re currently handling and storing sensitive data. Are you satisfied with the security measures in place? How do you envision this process in the future? If your current measures lack robust security or you aspire to a more secure data handling strategy, an enclave solution might provide the secure space for handling sensitive data that you’re seeking.
The answers to these three questions should provide you with valuable information that can help inform your decisions going forward. It’s important to understand your unique needs, so that you don’t spend critical time and effort implementing a solution that ends up not being a good fit.
The 5 Questions to Use When Evaluating An Enclave Solution
So, you have found a few providers that look like they could be a fit. This is where things can get muddy quickly, and where you will start to see claims that promise a whole lot for little cost or effort. Unfortunately, claims like “solves for 85% of NIST 800-171 controls” and “become ITAR compliant in less than a week” are often misleading and don’t tell the whole story. TSI has invested countless hours reviewing dozens of products aimed at DIB contractors, and to date we have seen many claims but have yet to find a single, silver-bullet solution that “solves” CMMC. The fact is that no such solution exists. Truly achieving the CMMC standards requires developing a mature cybersecurity program that accurately accounts for, and complements, the organization’s unique operational model, compliance obligations and tolerance for risk.
All is not lost though… the fact is that enclave solutions can be a great fit for many organizations. With features like end-to-end encryption, compliant and secure cloud hosting, and well-thought-out architecture, many enclave solutions can be a key support element for building the robust cybersecurity program that CMMC requires. Armed with that knowledge, here are five critical questions to ask your prospective enclave solution providers to clarify whether their solution is the right fit for your needs and will meet your expectations:
1. What Does “Address” vs “Fulfill” vs “Satisfy” vs “Complete” Mean in the Context of Your Solution?
In the world of CMMC, claims of solutions “addressing,” “fulfilling,” “satisfying,” or “completing” the majority of NIST 800-171/CMMC controls are commonplace. However, these terms can often be ambiguous or misleading. Again, we have not found a single solution to date that singlehandedly “fulfills” a control; the vast majority of solutions instead “support” the fulfillment of a control. This places the onus on you, the customer, to ensure the solution is implemented correctly and actually fulfills the control requirements, something you will also need to demonstrate when developing CMMC-ready policies, documentation and an end-user training program. When these claims appear, seek clarification to fully understand the meaning of each term, particularly if they purport to fulfill, satisfy, address, or complete a substantial number of the 100+ NIST 800-171/CMMC requirements.
2. Where Is Your Enclave Hosted?
If your organization has CUI-Specified handling requirements or ITAR export controls, knowing where your enclave is hosted is critical. Ignoring this key consideration can lead to non-compliance, particularly if your data could be accessible to non-US persons, including provider support personnel. Be certain that your provider offers a clear and satisfactory response that includes a description of data residency and the controls for data privacy and access.
3. Do You Offer a Detailed CMMC/NIST Control Responsibility Matrix?
Ask your prospective provider to differentiate between the controls their solution fully addresses (fulfills/satisfies) and those it only partially covers (support) by requesting a detailed Control Responsibility Matrix. This document should explicitly indicate which controls their solution fully satisfies and which are only supported. For example, does the solution provide for or require endpoint security configuration to be compliant? If you work with a Registered Provider Organization (RPO), ask them to help clarify any semantics that might inadvertently impact your compliance strategy.
4. What Endpoints or Systems Are Considered in Scope for CMMC in Your Solution?
Understanding the scope of systems covered by a provider’s solution is crucial, as all devices connecting to your network fall under CMMC controls in one way or another. This includes everything from personal laptops and servers to mobile devices. A comprehensive enclave solution should offer solid guidance for endpoint security, accounting for all potential devices. The provider should also supply a data-flow diagram (or similar) that clearly defines where data is stored at any given time and which devices can access it.
5. Is Your Hosted Enclave Solution FedRAMP Moderate Compliant?
Compliance with FedRAMP Moderate standards is a significant indicator of a provider’s commitment to security, and it is also required of any cloud service provider (CSP) used to store or transmit CUI. The FedRAMP Moderate designation shows that a CSP has successfully implemented a substantial number of security controls, which are crucial for handling sensitive government data, and that a third party has assessed the CSP to validate those controls. Furthermore, to comply with ITAR’s stringent standards, providers must also demonstrate additional control requirements when handling ITAR-regulated data before they can claim to support ITAR compliance. Verifying your provider’s compliance with these standards is critical to ensuring your cloud solutions aren’t creating a gap in your compliance posture.
Equipped with these five pivotal questions, you are now ready to effectively appraise prospective enclave solution providers. Remember, though, that the objective is not to find a “magic bullet” solution (because none exists!), but to identify a provider that truly understands your needs and can offer a strategy tailored to your unique compliance journey.
How can TSI assist with evaluating a prospective enclave solution?
As a CMMC RPO, TSI is continuously evaluating the landscape of security solution providers, especially those specifically oriented to DIB organizations. If you have found a solution provider you think may fit your organization, there is a very good chance we have already evaluated their suitability and functionality, so we highly recommend you hold off on signing a contract or purchasing a solution until that suitability has been verified. We would love to share the knowledge we have already acquired to save you time and, hopefully, keep you from spending money on a solution that either won’t meet your needs or would not fully support your unique compliance requirements. We understand that this process can be complex, and you are likely feeling the pressure to move forward with a solution, but please keep in mind that we’re here to help and have the experience and expertise to do so.
TSI is a 34-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers complete NIST 800-171 and CMMC support services to ensure its clients’ sustainable adherence to these expansive compliance requirements. Our team has decades of experience navigating the pitfalls of NIST compliance and would love to help you on your journey. For more information about TSI, please visit our site here: https://tsisupport.com/
Cybersecurity and Compliance Manager
Chris Riani joined TSI in 2021, and currently serves as our Cybersecurity and Compliance Manager. Chris has over a decade of experience in IT, with most of his time spent managing and protecting critical IT environments within the DoD and the private sector. A ten-year Air Force Veteran, his background includes Application Administration, Networking, and Systems Design, as well as Virtualization and Cloud Security.
Chris is a graduate of Champlain College in Vermont, where he studied a wide variety of technology- and security-focused topics. He holds numerous IT and security certifications, such as CompTIA’s CASP+, and is also a CISSP. It comes as no surprise that Chris’s true passion is bridging the gap between operational IT requirements and information security.
Outside of work, Chris enjoys coaching soccer, spending time with his family, and playing the guitar.