At Redspin, we advise organizations seeking certification to clearly define the boundaries dictating where CUI is stored, processed, and exchanged.
You can’t adequately protect data without knowing where it lives, and defining the boundaries within which CUI is stored, processed, and exchanged both eases the assessment process and ensures that your organization’s CUI is protected. As an organization seeking a Level 3 assessment ourselves, Redspin designed its secure enclave from a zero-trust perspective to isolate CUI from the rest of the company. This was accomplished using Microsoft 365 Government (Microsoft GCC-High) and Microsoft VDI as the foundation for a secure enclave that meets CMMC Level 3 requirements.
The GCC-High Relationship + Requirements
While GCC-High is not required for any CMMC maturity level, it is highly recommended that GCC-High be incorporated into the design of the CUI secure enclave for those organizations seeking certification for CMMC Level 3 or higher.
There are three versions of the Microsoft platform:
All versions will meet CMMC and standard NIST SP 800-171 requirements. However, GCC-High is a requirement for those who must meet the ITAR regulation, and it ensures that support personnel are US-based. Additionally, GCC-High provides access to Azure Government rather than Azure Commercial, which offers additional functionality for meeting the strict CMMC requirements. Finally, looking to the longer term, there may come a time when GCC-High, as one solution, is required.
What is VDI?
Virtual desktop infrastructure (VDI) is, as its name implies, a virtual desktop/computer environment that runs within a software layer called a hypervisor on a central server. Users can access these virtual desktops through a range of methods, including web browsers, software-based VDI clients, or hardware-based VDI clients, depending on the organization’s specific requirements. Configured correctly, this allows the user to see and manipulate data without the ability to store it locally or print it. Sensitive data is stored only on the central server(s) that host the VMs the VDI client connects to. For CMMC this becomes key: remote users can still view CUI without CUI residing on their devices, which would otherwise expand an organization’s overall CMMC scope.
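The "configured correctly" point above comes down to disabling the redirection features that would let session data reach the endpoint. The following checker is an added example, not code from the original post or from Redspin; it assumes an RDP-based VDI (for example, Azure Virtual Desktop host-pool custom RDP properties) and validates a property string against the settings that keep data inside the enclave.

```python
"""Validate an RDP connection-property string for a CUI enclave: clipboard,
local drive, printer and USB redirection must all be disabled."""

# Redirection settings that must be pinned for a CUI enclave. The ":i"
# (integer) properties must be 0; the ":s" (string list) properties must
# be empty. These are standard RDP client property names.
REQUIRED = {
    "redirectclipboard:i": "0",
    "redirectprinters:i": "0",
    "drivestoredirect:s": "",
    "usbdevicestoredirect:s": "",
}

def parse_rdp_properties(text: str) -> dict[str, str]:
    """Parse 'name:type:value' entries separated by ';' or newlines."""
    props = {}
    for entry in text.replace("\n", ";").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed RDP property: {entry!r}")
        name, kind, value = parts
        props[f"{name.strip().lower()}:{kind.strip().lower()}"] = value.strip()
    return props

def enclave_violations(text: str) -> list[str]:
    """Return the settings that would let data leave the virtual desktop.
    An absent property is a violation: the host is then not pinning the
    value, so the user's own client settings decide the behaviour."""
    props = parse_rdp_properties(text)
    violations = []
    for key, wanted in REQUIRED.items():
        actual = props.get(key)
        if actual is None:
            violations.append(f"{key} not set (left to the client to decide)")
        elif actual != wanted:
            violations.append(f"{key} is {actual!r}, expected {wanted!r}")
    return violations

# Constructed sample property strings (not taken from the original page).
WEAK = "audiomode:i:0;redirectclipboard:i:1;drivestoredirect:s:*;redirectprinters:i:1"
HARDENED = ("audiomode:i:0;redirectclipboard:i:0;drivestoredirect:s:;"
            "redirectprinters:i:0;usbdevicestoredirect:s:")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, enclave_violations(cfg) or "OK")
```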
Design and Implementation Lessons Learned
Redspin took a zero-trust approach when designing the environment. Using a combination of technical and administrative controls, the environment was “locked down” to only the access and communication required for operational necessity. Baselining the environment as far as possible on several DoD and DISA implementation requirements, coupled with the use of a FedRAMP-approved backup solution, allowed Redspin to benchmark against a number of more stringent control requirements.
Through the use of GCC-High and VDI, Redspin was able to create a self-contained enclave that limits access to only those with a valid need-to-know. This provides an additional layer of protection as well as portability. On the protection side, if a physical access device is lost, the data remains protected because it cannot be pulled directly from the enclave. In addition, this implementation allows not only the lost physical device to be “bricked” but also the specific VDI assigned to that user to be disabled. One of the concerns CMMC identifies is the protection of CUI when mobile devices are used. GCC-High and VDI provide the ability not only to lock down which specific mobile apps are allowed access, but also the assurance that, if a web browser on a mobile device is used to access the enclave, the same protection mechanisms are still enforced.
How Redspin can help
If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, contact us.