CUI Enclave Guide

Getting Started on Establishing an Enclave to Protect Your CUI


As you advance through your journey to CMMC compliance, chances are you’ve heard about enclaves. But what are they, how can they support your requirements, and how do you incorporate this approach into your compliance strategy?

This guide answers your questions, shares information on how to use an enclave, and provides guidance to support your implementation journey.

What is an Enclave?

When built using CyberSheath’s process, the enclave becomes a turnkey solution, ensuring compliance with NIST SP 800-171, CMMC 2.0, and DFARS 252.204-7012. This secure environment effectively segregates Department of Defense (DOD) project data from legacy systems and is backed by a U.S.-based MSSP providing 24/7/365 support.

This environment allows your business to continue operating in a compliant manner and provides high-value, custodial security of Controlled Unclassified Information (CUI) with minimal interruption to people, processes, and procedures.

Because an enclave is cloud-based, it is faster, easier, and more economical to stand up than overhauling legacy infrastructure. Start leveraging the power of an enclave for your organization.

Getting Started with an Enclave

Take these steps as you begin your enclave journey.

  1. Scope your current environment to identify all systems and applications that you believe have some interaction with CUI.
  2. Assess the current protection status of each system component and discern the state of the network.
  3. Review company use cases and requirements against what an enclave can offer. A thorough understanding of what your environment, data, and processes require to protect CUI is important as you outline your enclave needs.

Dos and Don'ts of an Enclave

Learn about when you should and shouldn't use the enclave.

When using an enclave, here’s what to do.

Do limit use of the enclave to CUI work.

Your enclave provides the opportunity to move the data and operations of a portion of your business into an approved cloud environment. This environment has backend protections in place for CUI, Federal Contract Information (FCI), and International Traffic in Arms Regulations (ITAR) data to support DFARS 7012 requirements. Here are some tips:

  • Make sure you are only doing work that is CUI-related in the enclave.
  • Don’t commingle data from non-CUI projects with enclave-protected CUI.
  • Work on other non-CUI projects outside of your enclave.
  • Implement strong controls to limit where CUI can flow, because everywhere CUI goes becomes in scope and needs to be protected.

An enclave controls cost by protecting what needs to be protected and keeping the rest of the business out of scope. Making an entire business adhere to the requirements that come with managing CUI when only 10% of the business touches that data is costly and cumbersome to implement.

Do limit access to CUI data to inside of the enclave.

Restricting where employees can access CUI, and on which devices, helps you keep CUI inside your enclave and establish flow control. Be aware that if you allow access to the enclave from other devices, scope quickly increases.

An enclave includes robust geofencing, so you have the added benefit of controlling access by device and device location. If your business operates in Canada and the United States, you might have ITAR restrictions. In this case, you need protections in place so that whenever someone crosses the border into Canada, your ITAR data can't be accessed from the Canadian side of the border.

If you are a global company, you might have ITAR restrictions that apply in Europe. Portions of your business would not have access to all the data inside the enclave, as granting it would be a violation of CMMC requirements.
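The geofenced access decision described in the two paragraphs above, written out as an added example (this is not CyberSheath's code or the enclave's actual policy engine). It assumes a hypothetical per-label table of permitted countries, a device-enrollment flag, and a geofence-reported country code; the sample requests are constructed. The point it shows is that the decision is deny-by-default: an unknown label, an unenrolled device, or a device outside the permitted countries for the label all block access, and the reason is returned so it can be logged.

```python
"""Added example (not CyberSheath's code): a location-aware access check for
labelled enclave data, modelled on the guide's US/Canada ITAR scenario.
The policy table, field names and sample requests are assumptions."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Assumed policy: countries a device may be in to open data carrying each label.
# None means no geographic restriction. ITAR and CUI are limited to US soil here.
LABEL_ALLOWED_COUNTRIES: dict[str, Optional[Set[str]]] = {
    "ITAR": {"US"},
    "CUI": {"US"},
    "PUBLIC": None,
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    device_enrolled: bool   # managed enclave device vs. an arbitrary endpoint
    device_country: str     # ISO 3166 alpha-2 code reported by the geofence (assumed)
    data_label: str         # sensitivity label on the data being opened


def evaluate_access(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every condition must hold; otherwise deny."""
    if req.data_label not in LABEL_ALLOWED_COUNTRIES:
        # Unlabelled or unknown data is treated as controlled, not as public.
        return False, f"unknown label {req.data_label!r}: treated as controlled, denied"
    if not req.device_enrolled:
        # Allowing unmanaged devices is exactly how enclave scope starts to grow.
        return False, "device is not an enrolled enclave device"
    allowed = LABEL_ALLOWED_COUNTRIES[req.data_label]
    if allowed is not None and req.device_country.upper() not in allowed:
        return False, f"{req.data_label} data may not be accessed from {req.device_country}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: the same user and laptop on both sides of the border.
    at_home = AccessRequest("alice", "laptop-01", True, "US", "ITAR")
    on_trip = AccessRequest("alice", "laptop-01", True, "CA", "ITAR")
    for r in (at_home, on_trip):
        print(r.device_country, evaluate_access(r))
```

Because the same user and device get different answers purely from the reported country, the check belongs at the enclave's access broker, not on the endpoint, where the location signal could be tampered with.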

Do gain an understanding of what you do as a company and how you need to function inside of this enclave.

This approach helps you take what might be seen as restrictions and make the data set inside the enclave very accessible and usable in the way it needs to be to the people who require access to it. You may know that you need an enclave or that you need to meet the requirements of CMMC, but you might not understand how that is going to impact your business or how you're going to shape your business inside an enclave.

Know your day-to-day tasks that involve CUI as that factors into how you shape the environment. Be sure to:

  • Understand how you're working with your data and how you can make that same workflow work inside of the enclave in a restricted capacity.
  • Identify the CUI on your network.
  • When you get your CUI into the enclave, decide how to store, share, and handle that data.

One size does not fit all in terms of building your enclave. You need to have a thorough understanding of what you're working on, workflows and contracts involved, and applications needed. Then you can formulate a plan to make it work.

A lot of people get hesitant about going into the enclave because they're used to having a heavily resourced computer in front of them. Keep in mind that everything can be designed to be compliant in the cloud and not have the drawbacks or lag of traditional enclaves or virtual environments.

Do label your data in the enclave.

Inside of the enclave, you’ll need to start shaping your dataset. Default labels can include a non-sensitive information label, a CUI label, and further labels as required. This exercise helps you understand your data.

From a compliance perspective, labeling your information gives you a clear-cut definition of what CUI is and what it isn't. The hard part is that the government doesn't always inform your business what CUI is being generated on its end.

Note that there is a National Archives and Records Administration (NARA) archive that includes all of the types of CUI and the markings that need to be used. There are many different categories.

The media protection family of CMMC calls out that CUI needs to be marked with distribution limitations. In the enclave you can create sensitivity labels and get as granular as you need once you understand what you do and what markings you need.

Take the time to:

  • Ask the government or prime contract official for guidance.
  • Look at the NARA archive.
  • See what is closest to what you need and write your own classification guide. Then ask the government or prime contract official to verify your assumptions.
  • When in doubt, mark the data you determine needs to be controlled as CUI.

What not to do when using an enclave.

Don't do anything inside of this enclave that you don't need to do.

An enclave is strictly for CUI handling.

  • Keep the data and the work inside the enclave extremely restricted.
  • Don't install applications that don't pertain to CUI handling.
  • Don't log into other email addresses inside of this enclave.
  • Do not exfiltrate data from the enclave. If you start removing data from it without understanding what it is, you can start having scope creep.

Don’t create data holes in the enclave.

Don’t get the enclave without understanding exactly what you need and the interconnections that you require to be able to do your job right. Examine the need to include manufacturing equipment on a shop floor, link to the print server, connect to an alternate site, or distribute the enclave across different tenants or domains.

As soon as you start poking holes in the enclave, you start losing its protections and creating avenues for exfiltration—not just for the company, but for adversaries as well. That defeats the purpose of the NIST 800-171 requirements, which are in place to stop the threat to the DIB.
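The scoping idea behind "everywhere CUI goes becomes in scope" (in the Do section above) and the "data holes" warning in this section can be made mechanical. The following is an added example, not CyberSheath's code or part of its process: it takes a constructed data-flow inventory (which systems live inside the enclave and where each one sends data), walks every flow reachable from the places CUI lives, and reports both the resulting scope boundary and every flow that crosses from inside the enclave to outside. The system names and flows are made up for illustration.

```python
"""Added example (not CyberSheath's code): derive the CUI scope boundary from a
data-flow inventory. Any system CUI can reach is in scope; any flow from an
enclave system to a non-enclave system is a "hole" that pulls the outside system
(and everything it feeds) into scope. Inventory below is constructed sample data."""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# system name -> (inside the enclave?, systems it sends data to)
INVENTORY: Dict[str, Tuple[bool, List[str]]] = {
    "enclave-vdi":        (True,  ["enclave-files"]),
    "enclave-files":      (True,  ["enclave-vdi", "shop-floor-cnc"]),  # link to the shop floor
    "shop-floor-cnc":     (False, ["plant-print-server"]),
    "plant-print-server": (False, []),
    "corp-crm":           (False, ["corp-erp"]),
    "corp-erp":           (False, []),
}

CUI_SOURCES: Set[str] = {"enclave-files"}   # where CUI enters or lives


def compute_scope(inventory: Dict[str, Tuple[bool, List[str]]],
                  cui_sources: Iterable[str]) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Breadth-first walk along data flows starting from the CUI sources.

    Returns (in_scope, holes): in_scope is every system CUI can reach;
    holes lists each (enclave system -> outside system) flow, sorted."""
    in_scope: Set[str] = set()
    holes: Set[Tuple[str, str]] = set()
    queue = deque(cui_sources)
    while queue:
        node = queue.popleft()
        if node in in_scope:
            continue
        in_scope.add(node)
        inside, targets = inventory[node]
        for target in targets:
            target_inside, _ = inventory[target]
            if inside and not target_inside:
                holes.add((node, target))
            if target not in in_scope:
                queue.append(target)
    return in_scope, sorted(holes)


def out_of_scope(inventory: Dict[str, Tuple[bool, List[str]]], in_scope: Set[str]) -> Set[str]:
    """Systems that never receive CUI and therefore stay outside the assessment boundary."""
    return set(inventory) - in_scope


if __name__ == "__main__":
    scope, holes = compute_scope(INVENTORY, CUI_SOURCES)
    print("in scope:", sorted(scope))
    print("holes (enclave -> outside):", holes)
    print("stays out of scope:", sorted(out_of_scope(INVENTORY, scope)))
```

In the constructed inventory the single shop-floor link drags both the CNC machine and the plant print server into scope, while the CRM and ERP systems stay out. Re-running this after every proposed interconnection shows, before the hole is opened, exactly how much of the business it would bring under NIST 800-171 requirements.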

What is CUI and why do you need to protect it?

Exactly what is CUI and how do you manage it within your workflow? Simply stated, identifying and managing your CUI is a contractual requirement.

CUI defined

According to 42 CFR 2002.4, CUI is, “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”

As you start working on defining your enclave requirements, you first need to understand what CUI is and where it is present in your organization. Start by participating in the mandatory CUI training that the DOD provides. Then begin going through each document and determining if it contains CUI.

Know your CUI boundary

Some companies receive CUI data via removable media such as CDs, DVDs, or USB drives. Others are sent physical items from government entities. It all depends on what your organization does. Keep in mind that CUI can include physical and digital assets.

Consider this example of how CUI permeates an environment.

  • Company A works with NASA and has rocket parts, which are CUI, physically shipped to them. Their approved method for receiving those parts is through UPS.
  • Those rocket parts then have a corresponding set of users who are allowed to receive them, bring them into the building, and document that they received them in accordance with the procedures they have in place.
  • Company A also has another subsection of users who are going to work on those parts. Perhaps that includes engineers who draw plans, mechanical engineers who print or build parts, and management overseeing the work.

Other CUI examples

  • If B Manufacturing is receiving data from a contract and is the manufacturer producing the physical part, there are many layers to the CUI that need to be protected, including technical, physical, and digital data. At any point, the company can split the data up and have multiple departments involved, including accounting, which bills for the part.
  • If C Construction is building a new government building, the plans for that structure are going to be CUI. Perhaps less obviously, the location where it is being built may also be considered CUI.

A note about ITAR

ITAR is a signed acknowledgement companies make with the government during contract onboarding. ITAR is required if the government determines that your component is going to be included in a weapon system designed, developed, or manufactured by the DOD.

Often, if you're bound by the government's laws on international trade in arms or controlled technologies, your products are not available commercially off the shelf. Consequently, ITAR can be seen as the opposite of commercial off-the-shelf (COTS) and is subject to data sovereignty protections.

Once you scope your environment and understand how the data flows, you can then diagram your environment, outlining where you are keeping the data, the applications and equipment it touches, and the personnel who need access to it. All this will help as you move forward with your enclave.

Enclave FAQs

What is an enclave?

When built using CyberSheath’s process, the enclave becomes a turnkey solution, ensuring compliance with NIST SP 800-171, CMMC 2.0, and DFARS 252.204-7012. This secure environment effectively segregates Department of Defense (DOD) project data from legacy systems and is backed by a U.S.-based MSSP providing 24/7/365 support.

Who needs an enclave?

Any company that is a member of the DIB needing to identify and secure its CUI as a contractual requirement. An enclave is one way to address this requirement.

How does an enclave aid in compliance with CMMC 2.0 / NIST 800-171?

An enclave supports a company’s efforts to effectively segregate CUI, in accordance with the requirements of CMMC 2.0 / NIST 800-171. By providing a cloud-based solution that is born compliant, it provides high-value custodial security of CUI with minimum business interruptions to people, processes, and procedures.

What are the resource requirements of an enclave?

Since the enclave resides in the cloud, employees will not require a separate computer to access it. Once set up, the employee’s laptop will be able to log into the virtual desktop environment to access the enclave.

How are employees going to be able to collaborate in an enclave?

If your enclave is Microsoft-based, team members will still have Microsoft Teams, so they will be able to effectively communicate with partners and other organizations.

How will employees access the enclave?

Employees will access the enclave through a secure environment, using their organization-provided credentials.

Could an employee accidentally access the enclave?

No, employees cannot accidentally access the enclave. The login procedure for this environment uses a completely separate email and password from their everyday workflow.

What is being in an enclave going to feel like?

Even though there are restrictions in place, bear in mind that the limitations are designed for security reasons. These limitations will be relatively minimal.

Employees will be able to easily access the enclave. If they only have one monitor, opening another window or desktop will work. If they have two monitors, they can have the enclave open on one and they can have their normal laptop working on another. Note that the enclave environment is completely segregated from the existing legacy environment.

What employees can’t do in the enclave:

  • Take screenshots inside the enclave, which has screen capture protections.
  • Copy and paste between the enclave and outside environments.
  • Print from it.

Those protections are in place so that employees can run both environments side by side on one laptop. Two monitors make it simple to work seamlessly between the two.

Can a user only email other people within the enclave?

Anybody inside of the enclave can email whoever they want. There is no limitation like a white list for emailing somebody or sending out the information.

This action is policy-controlled. If the user is working with CUI and collaborating with others outside of your company, that user should only be using their enclave email. None of that CUI that is being sent back and forth should touch your commercial environment.

How does an enclave protect information that is sent out?

The system can be configured to force a communication to wait for a sensitivity label to be applied prior to being able to send. The sender examines and classifies the information being sent, and then their name is associated with that action and there is a log of their activity.
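The send-time gate described above, together with the earlier answer that CUI correspondence must go through the enclave mailbox rather than the commercial one, written out as an added example. This is not CyberSheath's code and not how any particular mail platform implements labels; the domain names, label set and sample messages are constructed assumptions. The gate holds any message with no sensitivity label, blocks CUI or ITAR labelled mail originating from the commercial domain, and appends an audit record naming the sender and the decision either way.

```python
"""Added example (not CyberSheath's code): an outbound-mail gate that refuses to
release a message until the sender applies a sensitivity label, blocks controlled
data from leaving via a commercial mailbox, and audits every decision.
Domains, labels and messages are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

ENCLAVE_DOMAIN = "enclave.example.com"   # assumed enclave mail domain
VALID_LABELS = {"PUBLIC", "CUI", "ITAR"}
CONTROLLED_LABELS = {"CUI", "ITAR"}      # labels that may only leave from the enclave


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    subject: str
    label: Optional[str] = None   # sensitivity label chosen by the sender, if any


AUDIT_LOG: List[Dict] = []   # in a real deployment this would be a tamper-evident store


def send_gate(msg: OutboundMessage) -> Tuple[bool, str]:
    """Return (released, reason) and write an audit record regardless of outcome."""
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if msg.label is None:
        decision = (False, "held: sender must apply a sensitivity label before sending")
    elif msg.label not in VALID_LABELS:
        decision = (False, f"held: unknown label {msg.label!r}")
    elif msg.label in CONTROLLED_LABELS and sender_domain != ENCLAVE_DOMAIN:
        decision = (False, f"blocked: {msg.label} mail must originate from an enclave mailbox, not {sender_domain}")
    else:
        decision = (True, "released")
    # The record ties the classification decision to the named sender.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "sender": msg.sender,
        "recipients": list(msg.recipients),
        "subject": msg.subject,
        "label": msg.label,
        "released": decision[0],
        "reason": decision[1],
    })
    return decision


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        OutboundMessage("alice@enclave.example.com", ["pm@prime.example.net"], "drawing rev 3"),
        OutboundMessage("alice@enclave.example.com", ["pm@prime.example.net"], "drawing rev 3", "CUI"),
        OutboundMessage("alice@corp.example.com", ["pm@prime.example.net"], "drawing rev 3", "CUI"),
        OutboundMessage("alice@corp.example.com", ["newsletter@corp.example.com"], "lunch menu", "PUBLIC"),
    ]
    for m in samples:
        print(m.sender, m.label, send_gate(m))
    print(len(AUDIT_LOG), "audit records written")
```

The first message is held rather than rejected: the sender still has to make the classification call, which is what produces the attributable record the FAQ describes. Blocking the third message is what keeps CUI off the commercial tenant even when the same person is on both.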

What if an employee saves files to the enclave in error?

Sometimes employees get confused and inadvertently save their files where they're not supposed to.

Know that many providers are coming out with separate licensing models to address this issue. Adobe and Autodesk, for example, are coming out with FedRAMP-approved licensing that is tied to the enclave email addresses, as opposed to commercial email addresses.

If a user logs in with their regular commercial email instead of their .gov email, they're not going to see the commingling of data. All of the projects that they're working on should be completely under their enclave email. That way you won’t have commingling of data or data uploading into an insecure environment.

Does an enclave lock down a user’s ability to download files as a precautionary measure?

Most of the time users can download what they're looking for, unless it's an unsigned download, which means that the person giving it out doesn't have an SSL certificate on it.

Managing CUI Effectively with the Federal Enclave: A Secure and Compliant Approach

If you’d like support implementing an enclave at your organization, the CyberSheath team can help. Our Federal Enclave offering is the industry’s first CMMC enclave, designed specifically for defense contractors throughout the defense industrial base. This purpose-built solution enables defense contractors to quickly take advantage of a Microsoft Azure-based cloud-enabled tenant.

Looking for help managing CUI and leveraging an enclave for compliance? Contact a CyberSheath expert today for the guidance and support your organization needs.
