August 26, 2025

Cybersecurity risk follows information, and the most common unit of information is a file. Advanced file-level encryption solutions aim to put an unbreakable cryptographic lock on each file so that its contents stay shielded from unauthorized access in the event of a data breach or device theft.

For defense manufacturers and other organizations that must protect controlled unclassified information (CUI) and other sensitive data to participate in US Department of Defense (DoD) contracts, encryption is foundational to compliance with the DoD’s cybersecurity requirements, notably the Cybersecurity Maturity Model Certification (CMMC) framework.

This article explains in business terms how advanced file-level encryption works and how it can provide robust data protection that meets CMMC/NIST 800-171 requirements for safeguarding CUI.

Key takeaways

  • Advanced file-level security protects data by encrypting individual files. Without its unique decryption key, an encrypted file’s contents are indecipherable and meaningless even if stolen by hackers.
  • Advanced file-level security solutions support CMMC compliance by making it significantly easier for defense contractors to operationalize the required encryption-based controls.
  • Besides improved cybersecurity and CMMC compliance, advanced file-level security solutions can offer a range of additional business benefits, including reduced IT complexity, an enhanced user experience, and alignment with zero trust initiatives.

What is advanced file-level security and how is it different from traditional security models?

Traditional, perimeter-based cybersecurity approaches are akin to a castle surrounded by a moat, with thick walls, strong doors, and big locks on the doors and windows. The basic goal is to prevent data loss by keeping unauthorized entities outside the castle perimeter. But when traditional access controls fail, such as through credential theft or an insider threat, sensitive data is often vulnerable.

With advanced file-level security, data is protected by encryption at the file level. Without its unique decryption key, an encrypted file’s contents are rendered indecipherable and meaningless even if stolen. This highly effective data protection approach prevents data loss, because exfiltrated or misdirected files remain unreadable, whether the cause is a ransomware attack, unauthorized access, or human error.

A unified file-level security solution can keep data encrypted whether at rest on a storage medium (e.g., a phone, a laptop, the cloud, a shared drive), in transit over a network, or in use by an application. As long as the associated decryption key is safe, the file is safe. This is consistent with “zero trust” assumptions that threat actors are active on the network at all times.

Other security controls/capabilities that advanced file-level encryption solutions may offer include:

  • The solution provider can never access customer data. Only the customer can access their data, because only they have the decryption keys.
  • The solution provider does not store customer data—it resides with the customer. For example, the cloud-based software only stores a small identifier that references each file.
  • The solution allows customers to roll back encryption and decrypt data throughout their environment quickly and easily.
  • The encryption is military grade and meets National Institute of Standards and Technology (NIST) and DoD requirements.

For advanced file-level encryption to meet business needs, users must be able to open and interact with files using the native applications that created them, without delays and extra steps. This can include CAD files, design specifications, voicemails, emails, spreadsheets, and so on.

Identity and access controls are transparent to authorized users. The solution may even enable secure document sharing with partners—simplifying CMMC flowdown requirements for subcontractors. In effect, the solution creates a CUI enclave that third parties can securely access in a read-only mode, for example, with no ability to copy or download the CUI.

What encryption protection does CMMC require for CUI and how can file-level encryption help?

CMMC mandates encryption to protect CUI and other covered defense information (CDI) as it is accessed by users and applications, moves across networks and cloud environments, or is stored on digital media. Encrypting sensitive data renders it useless to hackers and other unauthorized entities, which reduces or eliminates the impacts of data breaches, espionage, and advanced persistent threats. Even if threat actors manage to steal data, without the required decryption keys they cannot even view it.

But not all encryption implementations are created equal. NIST 800-171 and CMMC require FIPS 140-2 or FIPS 140-3 validated cryptographic protections within all products and systems that transmit, store, and/or process CUI. Specifically, NIST 800-171 Rev. 2, which defines the controls for protecting CUI at CMMC Level 2, mandates using a FIPS-validated Advanced Encryption Standard (AES)-256 algorithm. Advanced file-level encryption software should meet these requirements transparently, so that the choice of cipher never becomes a compliance risk.

Various CMMC domains include encryption requirements, including Access Control, Identification & Authentication, Media Protection, and System & Communications Protection. Specific controls within these domains that reference encryption (CMMC Level 2/NIST 800-171 control, followed by its encryption guidance) include:

  • AC.3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
  • AC.3.1.17: Protect wireless access using authentication and encryption.
  • AC.3.1.19: Encrypt CUI on mobile devices and mobile computing platforms.
  • IA.3.5.10: Store and transmit only cryptographically protected passwords.
  • MP.3.8.6: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
  • SC.3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
  • SC.3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
  • SC.3.13.16: Protect the confidentiality and integrity of CUI at rest.

To secure communication channels for transmitting CUI, Transport Layer Security (TLS) is a commonly used protocol that meets CMMC requirements. The S/MIME and PGP standards can be used to sign and encrypt email.

Advanced file-level encryption solutions may use these or other compliant encryption algorithms. These solutions also generally provide a robust key management system to help organizations securely manage their encryption keys. Best-practice identity and access controls are also critical to limit who can decrypt and access sensitive data.
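As an added illustration (not the page's or any vendor's code) of the model described above, in which each file carries its own key and the key management system holds the key that protects it: every file is encrypted under a fresh AES-256-GCM data-encryption key (DEK), and that DEK is in turn wrapped under an organization-wide key-encryption key (KEK), so a stolen record reveals only the file identifier. The `EncryptedFile` layout, the file IDs and the content are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// EncryptedFile is a constructed record (not any vendor's format); only FileID is readable without the KEK.
type EncryptedFile struct {
	FileID                string // the only part readable without a key
	Nonce, Ciphertext     []byte // AES-256-GCM over the content, keyed by the DEK
	WrapNonce, WrappedDEK []byte // AES-256-GCM over the DEK, keyed by the KEK
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // a key of the wrong length is a programming error
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts pt under a fresh random nonce; aad is authenticated, not hidden.
func seal(key, aad, pt []byte) (nonce, ct []byte) {
	g := newGCM(key)
	nonce = make([]byte, g.NonceSize())
	rand.Read(nonce)
	return nonce, g.Seal(nil, nonce, pt, aad)
}

// EncryptFile: one DEK per file, the file ID bound as associated data, and the
// DEK itself wrapped under the KEK that the key management system controls.
func EncryptFile(kek []byte, fileID string, content []byte) *EncryptedFile {
	dek := make([]byte, 32) // fresh data-encryption key used for this file only
	rand.Read(dek)
	n, ct := seal(dek, []byte(fileID), content)
	wn, wdek := seal(kek, []byte(fileID), dek)
	return &EncryptedFile{fileID, n, ct, wn, wdek}
}

// DecryptFile unwraps the DEK, then the content; a wrong KEK, an altered FileID or a modified ciphertext fails authentication.
func DecryptFile(kek []byte, f *EncryptedFile) ([]byte, error) {
	dek, err := newGCM(kek).Open(nil, f.WrapNonce, f.WrappedDEK, []byte(f.FileID))
	if err != nil {
		return nil, err // caller does not hold this file's KEK, or the record was altered
	}
	return newGCM(dek).Open(nil, f.Nonce, f.Ciphertext, []byte(f.FileID))
}
```

Because the KEK never leaves the key management system, rotating or destroying it is what makes "rolling back" or revoking access to every wrapped file practical. The Go standard library is used here only to show the structure; whether a given build is FIPS-validated is a separate question for the product and its assessor.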

What are the business benefits of advanced file-level encryption (besides robust cybersecurity and CMMC compliance)?

Advanced file-level encryption’s primary benefits for defense contractors are improved data protection capabilities and streamlined CMMC compliance and reporting. Additional benefits include:

  • Balancing cybersecurity and user experience. Some encryption solutions can increase business process complexity and reduce productivity. Today’s top file-level encryption offerings are transparent to users and can be implemented or rolled back quickly. Staff can collaborate, share, and process files without compromising security.
  • Minimizing system resource impacts. Traditional file encryption processes may demand substantial computing power, potentially leading to performance, capacity, and reliability impacts on key systems. Leading file-level encryption tools are designed to scale to billions of files with minimal latency to avoid disrupting IT and business operations.
  • Smaller CMMC scope. In a properly configured CMMC environment, only authorized devices and users can decrypt encrypted files. Devices and users that cannot decrypt them are therefore not categorized as CUI assets, which results in a smaller CMMC enclave.
  • Reduced IT cost and complexity to protect CUI. With advanced file-level encryption, each CUI document is always protected wherever it is. This can potentially reduce the need for network or data segregation, changes to business processes, and other cybersecurity complexities.
  • Accelerated incident response. Many file-level encryption tools log access attempts on files and/or provide data for anomaly detection and proactive threat response. This enhances your ability to identify, respond to, and report on incidents.
  • Simplified cybersecurity policy compliance. With advanced file-level encryption, you can encrypt files upon creation and automatically apply access rules, usage guidelines, and other controls that stay with the file. This helps ensure policy compliance without burdening users.
  • Reduced data classification effort. While data classification can be important for a variety of reasons, the ability to seamlessly protect all your data with encryption reduces reliance on classification to tag sensitive data. Advanced file-level encryption tools can also reduce time to protection for all data types, thus reducing risk.
  • Support for zero trust. A foundational element of a zero trust cybersecurity architecture is to shrink the attack surface by making data self-protecting even when shared or accessed remotely, rather than relying on network-level controls alone. File-level encryption supports this inherently.

What’s next?

For more guidance on this topic, listen to Episode 152 of The Virtual CISO Podcast with guest Thomas Kwon, CEO at FenixPyre.