If you’re a defense contractor and have the DFARS 252.204-7012 clause in your contract, you have some important decisions to make. This clause stipulates you must safeguard covered defense information (CDI) and report cyber incidents. To comply, you’ll need a secure solution, but most businesses struggle to understand the differences between GovCloud, Secure File Transfer, and a CUI enclave.
The two primary solutions that can help protect CUI are CUI enclaves and GovClouds, such as Microsoft’s GCC High, Amazon Web Services’ (AWS) GovCloud, or Google’s GovCloud. While both approaches will help you comply with specific security requirements, there are many differences between them.
The third option is a secure file transfer solution. However, there are major differences you should be aware of with this type of solution as well. Here we take a look at these three options to help you decide which is best for your needs.
What is a Service-Managed CUI Enclave?
A CUI enclave is a separate secure environment used for work associated with your defense contract. Any access to sensitive information within the enclave is strictly managed and monitored to ensure CUI is always protected from unauthorized access or disclosure.
The biggest benefit of a CUI enclave, if built and managed correctly, is that it limits the scope of your organization that must meet the NIST requirements. In particular, a service-managed CUI enclave is an environment fully managed by a third party, keeping sensitive data like CUI from being accessed, stored or transmitted by unauthorized people, places and technology. Some CUI enclaves are pre-configured and ready to go with no setup required from the user/customer, making this solution more seamless, efficient and cost-effective. And since you won’t be managing/administering the environment yourself, this reduces the overall number of controls and assessment objectives you need to put in place for NIST and CMMC compliance.
With most CUI enclaves, such as Cuick Trac, you’ll receive a list of defined responsibilities called a Shared Responsibility Matrix (SRM), which is necessary to pass an assessment and provides clear guidance on who is responsible for each of the 320 assessment objectives.
Larger, more complex IT environments may not find a service-managed CUI enclave to be the ideal solution since it has less flexibility for user workflows. Data, such as CUI, can only be stored, accessed and transmitted in certain ways to maintain compliance, which could be problematic for large companies.
What is a GovCloud?
To help DoD contractors meet government data security requirements, technology companies such as Microsoft, AWS and Google designed Software as a Service (SaaS) and Platform as a Service (PaaS) cloud platforms on a segmented cloud infrastructure that is separate from their commercial offerings.
These cloud-based services can be deployed in different ways and can be managed internally or by outsourced third parties. One major difference between a GovCloud deployment and a pre-configured CUI enclave is that each GovCloud environment is typically configured to each customer’s specific needs, and oftentimes is left for the customer to manage.
This approach can cause issues with the Shared Responsibility Matrix when responsibilities are defined. In addition, creating and maintaining compliance documentation for an environment/infrastructure that is unique for each deployment becomes time-consuming and costly.
GovCloud environments can also cost much more because of the inherited requirements of DFARS 252.204-7012. Not all GovClouds can claim DFARS 7012 compliance since CUI needs to be stored within their cloud infrastructure to meet the 72-hour reporting requirements in the event of a breach.
Isn’t a GovCloud environment a CUI enclave?
There’s one major difference between GovCloud and CUI enclaves: who manages the data. GovClouds are often built for the customer to manage. You’ll have total control and overall responsibility for most of the environment. To some companies, especially those with the resources and an in-house compliance team, this is ideal.
However, managing the entire CUI environment also means being responsible for ensuring the environment is and remains compliant with the 320 assessment objectives of NIST SP 800-171A. This requires in-depth expertise and knowledge from a designated team of compliance experts.
To ensure there aren’t any gaps in the requirements, most companies also purchase additional consultative services. This is the only way to be confident you’ll pass an assessment.
What is a Secure File Transfer?
A secure file transfer securely sends digital data from one location to another so the integrity of the data remains intact. For example, if a subcontractor sends CUI data to a prime customer, that data needs to be sent not just in a secure way, but also must be compliant with the DoD’s standards, specifically NIST SP 800-171.
Some third parties offer a secure file transfer solution that sends CUI from your physical computer through their environment to the recipient. This secure environment would comply with some of the NIST requirements, such as FIPS-validated cryptography (NIST SP 800-171 requirement 3.13.11). However, a secure file transfer solution by itself does not comply with most of the NIST requirements. If you used a secure file transfer solution only, you’d need to ensure the rest of your environment is compliant as well (such as storage and access control).
A secure file transfer platform works well for companies that already have a compliant environment but cannot securely send data electronically. If, however, you are looking for a solution that will help you comply with most if not all NIST requirements, a secure file transfer platform might not be right for you.
Questions to Ask
The important thing to remember when selecting a secure environment is finding the solution that works for your company. Here are some questions to ask before you decide:
- Do you handle CUI and also have the DFARS 7012 clause in your defense contract? If you answered yes to both, you need a compliant GovCloud or CUI enclave.
- Do you have a large and complex IT environment? If yes, a GovCloud capable of meeting DFARS 7012 may be your best solution. If not, a GovCloud will be an overly complicated and expensive solution for your needs.
- Do you have internal resources to handle and manage a compliant environment? If not, then a service-managed CUI enclave would be an ideal solution.
- Is your environment already NIST SP 800-171 and DFARS 7012 compliant but you simply need a means to securely send CUI data? If yes, a secure file transfer solution might be the last missing piece you need.