Blog

CMMC compliance only for employees handling CUI

In spite of Covid-19’s shutdown of America’s workforce, CMMC is still on the fast track to rolling out. Soon, compliance will be a prerequisite for every prime and subcontractor. With the initial wave of CMMC audits starting by Fall of 2020, companies storing or transmitting CUI need to get ready to achieve Level 3 CMMC compliance.
 
Unfortunately, some technology platforms, such as Microsoft GCC High, hinder this preparation by requiring the entirety of a defense contractor’s organization to migrate and upgrade to support CMMC compliance. Particularly for small and medium companies where only a subset of the work is defense oriented, this requirement can make compliance economically challenging if not impossible. The company simply cannot afford to bring compliance to their whole workforce.
 
Fortunately, solutions exist that enable contractors to secure sensitive data by adopting an “enclave approach”. By using this tactic, companies can deploy the technology platform to only those employees handling CUI.
 

Enclave approach – a definition

As you might guess, an enclave approach means the company deploys the technology for protecting CUI to a part of the organization. The enclave approach for CMMC compliance is in fact supported by the DoD. According to their regulations:

When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s) depending upon where the information to be protected is handled and stored.

For companies that need to achieve CMMC compliance, enclave is an ideal way to enable compliance and avoid the challenge and expense of deployment to the whole organization.

Advantages of using the enclave approach

The major advantage of using the enclave approach is that it reduces the cost of supporting CMMC level 3 compliance and minimizes business disruption. Only those individuals in the company managing CUI need to migrate to the technology platform and include it in their workstream. Those employees that don’t manage CUI, don’t need to alter their work process in the slightest.
 
Additionally, the enclave approach reduces overall training requirements and expedites the speed of implementation. Since only those employees handling CUI need training, the company can quickly get on track to managing and securing sensitive data.

Getting Started with an enclave approach

 
PreVeil is an end-to-end encrypted email and file sharing SaaS platform that can be easily deployed to only those employees handling CUI. The platform enables employees handling CUI to effectively secure their data and meet many of the mandates required for CMMC Level 3.
 
PreVeil is also easy to use and integrates with existing email and file sharing platforms. It adds an encrypted mailbox to Outlook and Gmail without changing an employee’s existing email address. Similarly, PreVeil Drive lets users encrypt, store, and share their files containing CUI. Users can easily access these files from their computers or mobile devices and share them with others.
 
The platform also provides a cost-effective way for defense companies to get on the path to CMMC Level 3 compliance. Since companies only pay for those individuals who handle CUI, they are to protect sensitive information at a fraction of the cost of platforms like GCC High which require deployment to the entire organization.

Conclusion

Many companies that need to get started on the road to compliance have been stymied by the assumption they need to deploy technology to all employees handling CUI. This has caused companies to delay moving to a more secure platform. Fortunately, PreVeil’s enclave approach provides an easy and cost-effective path forward.
 
Learn more about PreVeil’s approach to CMMC. Download our CMMC white paper