How to Protect CUI – You Have Options

With the recently published CMMC Proposed Rule, it’s important to know how to protect CUI in your environment. Defense contractors with a DFARS 252.204-7012 contract clause must ensure compliance with the requirements of NIST SP 800-171. Without that compliance, you run the risk of losing contracts, facing fines, and damaging your company’s reputation.

An ideal way to protect CUI is with an enclave—a separate secure environment that protects any processed or stored data from unauthorized access or disclosure. The information contained within an enclave is protected by cryptographic controls, and all activity is logged and monitored to detect any unauthorized access or security incidents.

There are several ways to begin using an enclave to protect CUI, and we dive into the aspects of each below.

MSP-Built Enclave

An MSP (Managed Service Provider) is a company that provides IT services and support to another business. MSPs fill the gap for businesses that cannot afford onsite IT support. They provide remote and ongoing support to suit the needs of each business and are quite beneficial for small to medium-sized businesses.

If you use an MSP for hardware, software, and network support, you may be tempted to reach out to them to build a separate network for handling CUI. Your MSP may even claim to be able to do this. However, there are many risks in this approach.   

The Risks of Using an MSP to Build a CUI Enclave

  1. Building a separate, managed, CUI environment can drastically increase costs if your MSP doesn’t specialize in CUI enclaving.
  2. Many MSPs are not NIST SP 800-171 or CMMC experts, which means there may be gaps in your compliance and this could result in a failed assessment.
  3. If your MSP doesn’t offer a Shared Responsibility Matrix, you may hold the responsibility for controls even if you’re under the impression it’s the MSP’s responsibility.
  4. A custom-built CUI enclave can become overly complex. Besides building a secure environment, your MSP must consider where the data is stored and processed, and how it’s protected at each stage.

DIY CUI Enclave

If you have the internal resources and expertise, building and managing a CUI enclave is a possibility. But just like using an MSP, this approach introduces a variety of risks.

The Risks of Building Your Own CUI Enclave

  1. Costs can quickly increase with this approach. Additional hardware and software, not to mention the full-time employees needed to build and manage the enclave, must be part of your budget.  
  2. Building a CUI enclave is complicated. Identifying scope, segmenting the people and assets that will handle CUI, building a separate and secure environment with the proper settings and protections, documenting policies, procedures, and standards, and migrating data all require the skills of highly trained CUI experts.
  3. The duties between IT and security must be clearly separated, meaning one person can’t build and manage everything for your organization.
  4. Your CUI enclave must meet the 320 assessment objectives in NIST SP 800-171A.
  5. Like the MSP route, without a dedicated compliance expert, you could experience a failed third-party assessment.

Pre-Built CUI Enclave

A pre-built CUI enclave, such as Cuick Trac, can alleviate much of the extra cost and risk associated with an MSP-built or DIY enclave. This approach does not replace your IT department or MSP; rather, it works alongside your current team to limit any impact on your day-to-day operations.

Cuick Trac is a pre-built, privately hosted and managed CUI enclave backed by a team of NIST and CMMC compliance specialists. Cuick Trac was designed to help small to medium-sized defense contractors comply with current cybersecurity requirements.

MSP-built, DIY or Pre-built?

It is essential to protect CUI the right way. To ensure you’re meeting all the NIST SP 800-171 requirements, ask yourself (or your MSP) these questions:

  1. Do I have the internal resources in-house to build a CUI enclave?
  2. Do I (or my MSP) have the necessary expert knowledge required?  
  3. Does my MSP have compliance experts that will ensure we pass an assessment?
  4. Does my MSP offer a Shared Responsibility Matrix that documents who is responsible for each of the 320 controls?
  5. Does my MSP provide a clear CUI data boundary and defined scope?
  6. How will my MSP meet the monitoring, logging and reporting requirements?
  7. Is my MSP giving me actual costs or are there hidden fees coming later?

Learn how Cuick Trac’s enclave is the most affordable and practical way to fully segment CUI off your network in a quick demo with our security experts.   

