January 18, 2022
For any contractor storing or transporting Controlled Unclassified Information (CUI), CMMC 2.0 Level 2 will be mandatory. Level 2 compliance can, unfortunately, be somewhat difficult and costly to achieve. DoD contractors with only FCI, or Federal Contract Information, will typically only need to achieve CMMC 2.0 Level 1. This level only requires 17 practices, and written policies are not required. Meanwhile, Level 2 has extensive requirements and mirrors the 110 controls present in NIST 800-171.
So how do you meet Level 2 while dealing with all those extra costs? This is where an enclave solution comes into the picture.
Using an Enclave for CMMC 2.0 Level 2
In our opinion, an enclave is not necessary for CMMC 2.0 Level 1 unless the contractor has an expectation of needing CMMC Level 2 compliance in the future. However, Level 2 is a whole different ball game. The challenges of CMMC 2.0 Level 2 can be compounded if a large, messy, legacy network and computing environment is present. These challenges can also multiply if the entire environment is within the scope of a CMMC 2.0 Level 2 assessment.
Thankfully, there is a solution.
It is possible to limit the scope of a third-party assessment or self-assessment to a CMMC 2.0 enclave or isolated portion of the network. The enclave is typically hosted in a major cloud provider. In fact, NIST’s scoping guidance for the CUI environment states “Isolating CUI into its own security domain by applying architectural design concepts may be the most cost-effective and efficient approach for non-federal organizations to satisfy the security requirements and protect the confidentiality of CUI.”
What this means is, basically, as long as the CUI is kept in the enclave, the assessment scope can be limited to the enclave, and only the enclave would need to be certified CMMC 2.0 Level 2. Of course, the enclave itself must comply with CMMC 2.0 Level 2 practices.
Rimstorm GovCon EnclaveTM
Since the enclave itself must fully comply with CMMC 2.0 Level 2 practices, extensive security controls must be in place. The technical security controls typically include, but are not limited to, IDS/IPS, SIEM, Vulnerability Assessment Scans, Logging, Firewall, SOC, CMVP-Validated Encryption and Incident Reporting.
So, even the enclave can be difficult to implement and costly. Or is it? Rimstorm has an excellent solution for implementing a cost-effective and simplified enclave. Our solution is called GovCon EnclaveTM.
Rimstorm GovCon Enclave™ is a secure, encrypted environment that safely stores FCI and CUI. It provides a covert, adaptable enclave that can either be permanently deployed or it can be created and destroyed on a per-contract basis. The comprehensive feature set includes:
- The core encrypted enclave
- A compliance engine that allows for the creation
- Maintenance and enforcement of policies
- Extensive access control features including private certificates and private DNS
- A managed SIEM with SOC support
- Incident alerting and reporting
- A sophisticated IDS to detect threats
- Training with on-going workshops to ensure you maintain your compliance
For more information on our CMMC 2.0 enclave solution, contact us today. Rapid implementation and ongoing support makes Rimstorm GovCon Enclave™ the obvious choice for DIB contractors handling Controlled Unclassified Information (CUI).