October 20, 2022

Last Updated on January 12, 2024

DIB Orgs: Here are Answers to Your Top CMMC Encryption and MFA Questions

The buzz around the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) is building as the DoD has begun checking NIST 800-171 compliance self-assessment scores in its Supplier Performance Risk System (SPRS) database. And with CMMC compliance requirements likely to start showing up in DoD contracts by July 2023, prime contractors are also putting more pressure on subcontractors to demonstrate NIST 800-171 compliance now.

For defense industrial base (DIB) orgs with CMMC questions, now is the time to get answers. To that end, a recent episode of The Virtual CISO Podcast features a fast-paced Q&A with George Perezdiaz, Pivot Point Security’s Federal Risk practice lead and one of the top CMMC experts out there.

This post shares quick answers to top questions around encryption and MFA for CMMC compliance.


Do I need end-to-end encryption for my CUI?

Many DIB orgs are concerned that CMMC Level 2 requires end-to-end encryption for CUI.

As George reassures, nothing in NIST 800-171 or the DFARS clauses mandates end-to-end encryption for CUI across the board. The baseline requirements are to protect the confidentiality of CUI in transit and at rest (in practice, to encrypt it), using FIPS-validated cryptography wherever encryption is the mechanism you choose. There is no requirement to keep CUI encrypted while it is in use.

However, in certain use cases end-to-end encryption is effectively a requirement. International Traffic in Arms Regulations (ITAR) technical data is the common example: the ITAR encryption carve-out that lets such data be transmitted or stored outside the US without counting as an export applies only when the data is end-to-end encrypted. As always, you should understand your contracts and your data thoroughly before implementing controls.


Can I put encrypted CUI on a SaaS or CSP system that is not FedRAMP Moderate (or equivalent)?

The requirement to use only cloud services that meet the FedRAMP Moderate baseline (or equivalent) for CUI is not popular, judging from all the questions that relate to getting around it. But even George acknowledges that "encrypted CUI" is a little bit tricky.

“Encrypting CUI does not mean that it is not CUI anymore, right?” George states. “It still remains CUI the way I understand it. Putting a password on something doesn’t make it not CUI. And if we go back to the requirement from DFARS 7012, if you are using a cloud service provider to process, store, or transmit CUI, then that cloud service provider has to be FedRAMP Moderate or equivalent.”

In short, err on the side of caution and make sure your “container” is authorized and approved to handle the sensitivity of the data that you’re putting in it.


Do my CUI backups need to be FIPS validated?

This is another question with an “it depends” answer, because NIST 800-171 often gives orgs the flexibility to define and design controls according to their specific CUI environment.

“So, that one requirement actually says something like, ‘Protect the confidentiality of CUI in backup locations,’” relates George. “It’s not explicitly saying that you must encrypt the backup. If it said to encrypt the backup, then that would mean that the encryption has to be FIPS validated or NSA approved. But because it’s saying just protect the confidentiality, that means you have the flexibility to use encryption and/or alternative physical security controls.”


Why, when and where do I need multi-factor authentication for CMMC?

Here is another case where it’s important to understand your overall CUI environment before implementing controls.

For example, you wouldn’t want to put MFA in front of the GCC High cloud tenant where you store CUI, but neglect to put it in front of the desktop or laptop where CUI is also stored. You’ll likely need MFA at multiple “layers” of your environment to thoroughly protect CUI.

“That’s why it’s very important for organizations to sit down and slow down and look and how and where is my CUI going to traverse and travel and interact,” George advises. “Because you want to make sure that you do it correctly. Most likely you’ll need MFA at the endpoint, at the edge, before you get to the operating system. And likely you’ll need it with the VPN if you have a VPN, or before you get to the container that has your CUI.”

“Really, you should get the System Security Plan (SSP) complete and understand where your CUI lives before you start purchasing anything,” summarizes podcast host John.


What’s next?

To listen to this special CMMC Q&A podcast with George Perezdiaz, click here.

Have you checked out the CyberAB’s CMMC assessment guidance? Here’s a blog post on how to leverage it: Making the Most of the CMMC Assessment Guidance from the CyberAB