CMMC Enclave Strategy vs Full Environment Compliance
The post discusses two security strategies under the CMMC framework: full environment compliance and a secure enclave strategy. Full environment compliance covers the entire organization, while an enclave covers only the parts that handle controlled information. Which approach to choose depends on company size, budget, growth needs, and the volume of data handled. 2026-1-30 23:56:28 Author: securityboulevard.com

With any security framework, be it ISO 27001, FedRAMP, or CMMC, the goal is not to secure “your business.” It’s to secure sensitive and controlled information that your business handles. This is a fundamentally important way of looking at your security.

Why does this matter? It’s all about borders. Where do you draw the line between what you keep secure and what you don’t care about?

To use a metaphor: do you build a fence around an empty lot, or just your important buildings? Even if you own the lot, there’s nothing there for intruders to take or damage, but the added cost of the additional fence adds up.

In CMMC, this decision is between two options: the full environment compliance option and the enclave option.

Both of these are valid, and neither is inherently better than the other, so making the choice of which to use depends a lot on your organizational structure and your goals. To help you make that decision, let’s talk about what it means to set up an enclave, what the pros and cons are of both methods, and why you might choose one over the other.

Defining a Secure Enclave Strategy

A full environment compliance strategy is pretty obvious: everything, including all of your computer systems, all of your physical locations, and all of your employees, is secured according to CMMC rules.

What, then, is an enclave strategy?

A secure enclave is a separated and segmented portion of your business operations. This isolated segment includes (and is limited to) the systems, locations, and people who handle controlled information. If controlled information touches a system, that system is secured. If controlled information does not touch a system, it’s outside of the enclave, and you don’t need to worry about securing it.

It’s not necessarily quite that simple. You might have systems that don’t handle controlled information themselves, but they have to touch and interact with systems that do in order for them to function. That puts those systems in scope, so they need to be secured. Or, it requires you to redesign your system architecture to draw a firm line between them.
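The scoping rule above can be written down and applied to an asset inventory. The following is an added example, not code from the original post or from Ignyte; the asset names are constructed, and it assumes that interaction with a CUI system is bidirectional and that only direct interaction pulls a system into the enclave. It also shows the "redesign the architecture" option: giving the enclave its own dependency so a shared corporate system drops out of scope.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    handles_cui: bool = False                      # CUI/FCI is stored, processed or sent here
    connects_to: set = field(default_factory=set)  # systems it must interact with to function

def enclave_scope(inventory):
    """Return the names of the assets that fall inside the CMMC enclave.

    Rule from the post: a system is in scope if controlled information touches it,
    or if it has to interact with such a system in order to function. Interaction
    is treated as bidirectional here (an assumption, not something the post states).
    """
    by_name = {a.name: a for a in inventory}
    cui_systems = {a.name for a in inventory if a.handles_cui}
    in_scope = set(cui_systems)
    for asset in inventory:
        talks_to_cui = bool(asset.connects_to & cui_systems)
        cui_talks_to_it = any(asset.name in by_name[c].connects_to for c in cui_systems)
        if talks_to_cui or cui_talks_to_it:
            in_scope.add(asset.name)
    return in_scope

def redirect_dependency(inventory, src, old_dst, new_asset):
    """Architectural redesign: make `src` depend on `new_asset` instead of `old_dst`."""
    rebuilt = []
    for a in inventory:
        deps = (a.connects_to - {old_dst}) | {new_asset.name} if a.name == src else set(a.connects_to)
        rebuilt.append(Asset(a.name, a.handles_cui, deps))
    return rebuilt + [new_asset]

# Constructed sample inventory (hypothetical asset names, not from the post)
SAMPLE = [
    Asset("cui-fileserver", True, {"corp-dc", "backup"}),
    Asset("eng-workstation", True, {"cui-fileserver"}),
    Asset("corp-dc"),                               # identity provider shared by the whole company
    Asset("backup"),
    Asset("hr-payroll", connects_to={"corp-dc"}),   # touches corp-dc, never a CUI system
    Asset("marketing-cms"),
]

if __name__ == "__main__":
    print("shared DC in scope:", sorted(enclave_scope(SAMPLE)))
    # Give the enclave its own domain controller so the corporate DC drops out of scope
    redesigned = redirect_dependency(SAMPLE, "cui-fileserver", "corp-dc", Asset("enclave-dc"))
    print("dedicated DC in scope:", sorted(enclave_scope(redesigned)))
```

Note that `corp-dc` is in scope in the first run even though it never holds CUI, and that `hr-payroll` stays out in both runs because it only touches a non-CUI system.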

To return to the building metaphor, your empty lot may be out of scope for security for the facility, but you might need to take extra action if power or telecommunications lines run through that lot.

In more practical terms, CMMC enclaves are about securing CUI, FCI, and other controlled information from your DoD contracts. It doesn’t mean securing sensitive but non-government information.

Things inside the enclave can include PII for government individuals, defense data and covered defense information, law enforcement records, and the like.

Things outside the enclave can include other forms of sensitive information, such as accounting systems, HR records, and non-defense business information. Obviously, you will still want to secure those systems, but they don’t need to be secured according to the exacting and specific rules set forth in CMMC. They may have their own regulatory frameworks, though, with SOC 2, HIPAA, and others coming into play.

What Are the Pros and Cons of Each Method?

As mentioned above, there are pros and cons of both methods, so it’s good to think about them.

The Pros of an Enclave Strategy

Enclave strategies set clear boundaries and limitations on the scope of the systems, locations, and personnel that need to adhere to CMMC rules. This has a handful of very important benefits.

First of all, it helps keep costs down. It can be very time-consuming and expensive to secure your systems according to a complex framework like CMMC, which is why it often takes a year or more and a lot of money to do it right. The more you limit the scope, the less expensive it is to secure.

  • You might only need to train a team of 20 people, instead of all 500 in your organization.
  • You might be able to secure just one server room and one or two office rooms, rather than an entire building.
  • You might be able to buy just 20 software licenses for secure platforms and workstations, rather than the hundreds throughout your company.

There are a lot of very tangible costs that can be kept down when you limit how much needs to be covered.

A second benefit is that it can reduce the disruption to your normal business operations that occurs when you’re implementing security controls, training personnel, or even remodeling parts of your office to be more secure. Auditors don’t need to interview people outside of scope, access systems outside of scope, or attempt to breach systems via penetration tests outside of scope.

The ongoing overhead is also lower. When you have just a few people to watch, you have much shorter audit and access logs to monitor, fewer systems to track, and fewer operations to secure. A smaller threat surface means a lower risk.

The Cons of an Enclave Strategy

Enclaves do have some drawbacks, which is why they aren’t the default, go-to strategy for every CMMC implementation.

For one thing, the management and maintenance can be more complex. This basically stems from the fact that you effectively have a business-within-the-business, which needs its own attention, its own maintenance, its own patching and updating and development and more. You can’t just implement sweeping changes across your organization; you have to consider how they interact with your enclave.

There can also be additional costs. Because you can’t have cross-over between out-of-enclave and in-enclave systems, you may need separate accounts, licenses, and other systems for your two segments, and that means you might be double-paying for licenses for software and other systems.

You also end up with a very siloed system. Security and business practices within the enclave will differ from those outside the enclave, and the more time passes, the more the two diverge. The greater the gap becomes, the greater the chance of friction, or even compliance risks relating to internal mobility and other organizational changes.

Enclaves can also be a bit of a limiter on business growth. Scaling up an enclave means expanding the internal enclave scope without affecting the external systems. Scaling the external business can leave the enclave feeling vestigial and lacking in support. This disconnect is also a source of friction, risk, and limited business potential.

It can get even worse if you want to expand into other secure operations. FedRAMP and CMMC don’t have reciprocity despite their similarities, so non-DoD federal contracts put a whole new burden on your organization. The same goes for trying to win contracts under other secure frameworks, like ISO 27001 or GovRAMP.

Do you double up within your enclave and hope you don’t have to expand the scope much? Do you set up a second, separate and distinct enclave? It’s a complicated question.

The Pros of Full Environment Security

While you might think you can just invert the pros and cons of the enclave option here, it’s not quite as simple. So, it’s worth talking about them separately here.

First, one of the biggest benefits of enterprise-wide security is just that: security. As mentioned above, the scope of CMMC doesn’t necessarily include things like your financial or HR data, but those are still important, sensitive pieces of information that need to be secured. You have a ready framework with a comprehensive set of security controls that you’re already implementing: why not just extend the scope and protect other valuable data and systems?

This also plays a big role in eliminating silos in your security. When there’s no gap between the secured and unsecured systems, there can be no issues with people unsure of which rules to be following, no details slipping through the cracks that can be exploited.

When your whole organization operates under one standard, it’s also a lot easier to scale up as your company grows. It’s easier to just add a couple of seats when a team expands, buy more secure workstations, or otherwise expand within the bounds than it is to adjust the scope of the enclave.

Monitoring, maintenance, and overview are all simplified as well. You don’t need two security teams, two monitoring systems, two sets of rules; it’s all unified and much easier to watch.

The Cons of Full Environment Security

The flip side is largely what you might expect.

For one thing, the larger your organization, the more it’s going to cost to secure it all within the scope of CMMC. More seats on a platform license, more capacity, more workstations, more user training; it all adds up.

One saving grace is that this is largely an up-front investment. Once you’re established, growth and maintenance are smoother, and you don’t have as many duplicated ongoing expenses as with an enclave setup. But it can be a significant barrier to getting started.

A second problem is that you present a larger threat surface. Instead of making sure you have 20 people well-trained, you need to enforce training across your entire staff. Instead of securing 20 workstations, you need security on every single device on your network. Any gap, no matter how small or seemingly inconsequential, can be weaponized against you.

It’s also simply not necessary most of the time. “Good enough” security for the external organization, and CMMC-grade security for the enclave, is the minimum viable operation for DoD contracts. Whole-enterprise security is probably not necessary for all but the smallest businesses.

Making the Decision: Enclave or Full Compliance?

So, which of these two options is the right one for you?

Sometimes, the decision is easy. A small enough business might not gain enough from a dedicated enclave, so full-org security makes sense. Other times, you’re already close enough to CMMC that full org security is just a matter of a few small changes. This is especially true if you’re already secure across other frameworks, like FedRAMP or ISO 27001.

Other times, the choice needs careful consideration.

  • Think about your budget. Do you have the money to invest up-front for total organizational security, or are you on a tight enough financial leash that you need to cut out any corners you can while still being able to pass the audits? Remember that it can range from $20,000 to $100,000 for a basic CMMC implementation, and that’s a low-end estimate.
  • Do you have special considerations that would make one option make more sense over another? For example, there are a lot of unique challenges surrounding remote and distributed workforces, where it might make sense to build an enclave that doesn’t include those employees.
  • What are the risks and threats you face? Some companies are on the low end of responsibility, and while they still face threats, the bar is lower. Others are a big, obvious target and will face more pressure. Sometimes, an enclave might make more sense for tighter, narrower security.
  • How rapid is your growth? It’s more difficult to expand an enclave than a fully-secure organization, so if your business is likely to grow rapidly, whole-org security may be the better choice, rather than redoing it down the line.
  • How much CUI do you handle? If your contracts put you with very little data that needs to be secured, setting up your whole organization with CMMC is overkill.

There’s no firm right answer here. In fact, many organizations start down one path, realize it isn’t appropriate, and switch before fully completing the process, in both directions.

Here at Ignyte, we can help. As deeply experienced consultants and as a certified 3PAO, we know the framework inside and out. Just by reaching out and talking to us, we can help advise you on the appropriate moves to make and what the best choice is for your business.

We also built the Ignyte Assurance Platform as a comprehensive solution to managing organizational security, from the smallest CMMC enclave to the largest ISO 27001-covered enterprise. Whichever option you choose, our platform can help you speed up compliance and pass your audits. To see how it works, reach out, and we’ll schedule a demo just for you.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Dan Page. Read the original post at: https://www.ignyteplatform.com/blog/cmmc/enclave-strategy-full-environment/


Source: https://securityboulevard.com/2026/01/cmmc-enclave-strategy-vs-full-environment-compliance/