Many industries have regulations that govern how sensitive information is stored, processed, and transmitted. On the top of that list is government contractors working with the Department of Defense. DFARS (Defense Federal Acquisitions Regulation Supplement) and the CMMC (Cyber Security Maturity Model). They have the awesome burden of protecting data that contributes directly to our nation’s security. Many businesses have realized that limiting or focusing the concentration of CUI (Controlled Unclassified Information) onto a specific enclave which is separated off the corporate network, could greatly lessen the scope of what a CMMC or DFARS auditor needs to look at and possibly keep costs down. To be clear, if CUI is scattered all over your networked assets, then they are all in the scope of what needs to be assessed. However, there are times when creating an island and placing the CUI on that island makes sense.
There are some pros and cons to trying to isolate this data and even providing this enclave may not satisfy all requirements. If you are building an enclave, you must first identify all CUI data on your networked assets. Then create the digital assets that are needed to house that data. These assets can be on premise or on the cloud with the right settings and protections in place. Then put access limits in place for the data on the island. It can be quite a task finding all CUI data that is on your network and moving it onto this enclave, but alas that will need to be done. So, plan for that migration of key data with your staff. Now you have a much smaller footprint with potentially less people having access to it thus limiting the risk. This will need to be separate from your corporate network through a VLAN scenario, this setup might require you to use a separate set of firewalls, routers, or switches too.
There is no one way to achieve compliance with DFARS or CMMC regulations and controls, there are many ways of getting there, this is simply one idea that may help. We are a proud RPO (Registered Provider Organization) employing several Registered Practitioners. F1 Solutions can help with your DFARS and CMMC certification. Contact us today for Help.
F1 Solutions: https://www.f1networks.com/
Jennifer VanderWier/CISO
