The Cybersecurity Maturity Model Certification (CMMC) program rule took effect in December 2024 and is already appearing in contracts. Any defense contractor handling Controlled Unclassified Information (CUI) will need to meet the requirements laid out in CMMC Level 2. For organizations that want to limit the scope of their CMMC assessments, VDI solutions are emerging as a promising route to compliance.

VDI, or Virtual Desktop Infrastructure, lets a user work on a virtual computer from a physical one. Because the CUI stays on the virtual machine, the boundary of compliance can shrink to exclude the users' physical computers. The result is a simpler environment with fewer devices to secure. Smaller organizations without deep internal IT resources might look to VDI as a proven path to a secure CUI enclave and a successful CMMC assessment.


Perhaps the most important question that must be answered when beginning your CMMC journey is: What is my scope of compliance? Simply put, every device that stores, processes, or transmits CUI is within the boundary and so will be assessed for compliance. The CMMC Level 2 Scoping Guide also brings in the assets that provide security functions for those devices (for example a firewall, VPN, or SIEM that protects the CUI environment). Organizations are often looking for ways to reduce the number of devices that have to be managed and secured, especially with the proliferation of remote work. Fewer devices means a more centralized environment that can be controlled more easily, resulting in less strain on internal IT teams and ultimately a smoother path to certification.

What Is VDI—and Why It Matters for CMMC

VDI essentially means using one computer to access a "virtualized" computer. These virtualized computers (often referred to simply as VDIs) run on a remote server. When users log into a VDI, they are accessing a virtual machine that runs their desktop operating system and applications remotely. The user's device, for example a personal laptop, simply displays the desktop interface and sends keyboard and mouse inputs back to the server. A user can reach their VDI over any network connection, and their files, applications, configuration settings, and so on remain consistent regardless of which device the VDI is accessed from.

However, just having a VDI is not enough for CMMC compliance. While VDI centralizes the processing, storing, and transmitting of CUI, the CUI still needs to be protected on the virtual desktops themselves, and there need to be controls in place that separate the VDI from the devices accessing it.

How VDI Simplifies CMMC Compliance

So how does VDI reduce the complexity and scope of a CMMC assessment? The key is that the physical device used to access the VDI can be kept out of scope. The official CMMC Level 2 Scoping Guide published by the Department of Defense states, "An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the keyboard/video/mouse sent to the VDI client is considered an Out-of-Scope Asset."

Essentially, as long as there is a strict separation between the VDI and the endpoint, the endpoint is out of scope. In practice that means the VDI client is configured so that nothing but keyboard, video, and mouse crosses the session boundary: no clipboard sharing, no mapping of local drives, printers, or USB devices into the session, and no saving of files to the local machine. The work that goes into meeting the controls and objectives to make an endpoint compliant can then be focused entirely on the VDI configuration.
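The scoping statement above only holds if the VDI client really is restricted to keyboard, video, and mouse. As an added example (not code from the original post, and not PreVeil's or Microsoft's own tooling), the following Python script audits a Windows Remote Desktop connection (.rdp) file against a KVM-only baseline and reports every setting that would let data leave the session. The setting names are the documented .rdp file settings; the two sample files and the hostname vdi.example.local are constructed for illustration. A client-side file can be edited by the user, so the same denials should also be enforced on the session host by policy; this script is the kind of endpoint check an assessor would want to see, not the enforcement itself.

```python
"""
Audit an RDP connection (.rdp) file against a keyboard/video/mouse-only
baseline. A VDI client that lets clipboard, drives, printers, USB devices
or audio capture cross the session boundary would pull the endpoint back
into the CMMC assessment scope; this script flags every such setting.
"""
from __future__ import annotations

# Settings that let data leave the VDI session, with the value that turns
# each one off. "i" values are integers and "s" values are strings (an empty
# string redirects nothing).
KVM_ONLY_BASELINE: dict[str, tuple[str, str]] = {
    "redirectclipboard":    ("i", "0"),  # clipboard sharing
    "redirectdrives":       ("i", "0"),  # local drive mapping
    "redirectprinters":     ("i", "0"),  # printing to local printers
    "redirectcomports":     ("i", "0"),  # serial ports
    "redirectposdevices":   ("i", "0"),  # point-of-service devices
    "audiocapturemode":     ("i", "0"),  # microphone into the session
    "drivestoredirect":     ("s", ""),   # explicit list of drives
    "usbdevicestoredirect": ("s", ""),   # USB device redirection
    "devicestoredirect":    ("s", ""),   # plug-and-play devices
    "camerastoredirect":    ("s", ""),   # webcams
}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Names are lower-cased. A string value may itself contain ':' so each
    line is split at most twice. Lines that do not fit the pattern are ignored.
    """
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ, value)
    return settings


def audit_rdp(text: str) -> list[str]:
    """Return one finding per baseline setting that is missing or permissive.

    A missing setting is a finding too: the client default for several of
    these (clipboard, printers) is 'on', so the file must state them explicitly.
    """
    settings = parse_rdp(text)
    findings: list[str] = []
    for name, (typ, want) in KVM_ONLY_BASELINE.items():
        if name not in settings:
            findings.append(
                f"{name}: not set, client default applies; add '{name}:{typ}:{want}'"
            )
            continue
        _typ, value = settings[name]
        if value != want:
            findings.append(
                f"{name}: '{value}' allows data to cross the VDI boundary; expected '{want}'"
            )
    return findings


def is_kvm_only(text: str) -> bool:
    """True when the file permits nothing beyond keyboard, video, and mouse."""
    return not audit_rdp(text)


# Constructed sample files for illustration (not captured from a real system).
PERMISSIVE_RDP = """\
full address:s:vdi.example.local
username:s:jdoe
redirectclipboard:i:1
redirectdrives:i:1
drivestoredirect:s:*
redirectprinters:i:1
redirectcomports:i:0
redirectposdevices:i:0
audiocapturemode:i:0
usbdevicestoredirect:s:
devicestoredirect:s:
camerastoredirect:s:
"""

# Smart card redirection carries credentials, not CUI, so it is left enabled.
HARDENED_RDP = """\
full address:s:vdi.example.local
username:s:jdoe
redirectclipboard:i:0
redirectdrives:i:0
drivestoredirect:s:
redirectprinters:i:0
redirectcomports:i:0
redirectposdevices:i:0
audiocapturemode:i:0
usbdevicestoredirect:s:
devicestoredirect:s:
camerastoredirect:s:
redirectsmartcards:i:1
"""

if __name__ == "__main__":
    for label, content in (("permissive", PERMISSIVE_RDP), ("hardened", HARDENED_RDP)):
        findings = audit_rdp(content)
        status = "KVM-only" if not findings else f"{len(findings)} finding(s)"
        print(f"{label}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run against the permissive sample the script reports four findings (clipboard, drives, the drive list, and printers); the hardened sample passes. The check applies to RDP-based VDI such as Remote Desktop Services or Azure Virtual Desktop; Citrix and Omnissa (VMware Horizon) expose the same redirection choices through their own policy engines, and the baseline above translates directly.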

Fewer devices in scope means a smaller boundary and a simpler environment to manage, which can save time, resources, and cost when seeking certification. Because the virtual desktops run in one place, they can also be centrally monitored, managed, and cleanly isolated from the rest of an organization's data, further recommending them as a solution for CMMC compliance. Users can use their devices as they normally would and connect to the secure enclave only when necessary.

When Endpoints Might Be the Better Choice

While VDI offers compelling advantages, most defense contractors achieve CMMC by managing their endpoints without a VDI.

Endpoint solutions excel when you have company-issued or admin-managed devices with established IT controls. Companies with low device turnover rates also benefit from the long-term investment that comes with properly configured, compliant endpoints.

Endpoint management offers advantages like lower cost and performance that is not limited by connectivity to the VDI host. Most contractors already have much of the antivirus and vulnerability scanning software that is required; it is just a matter of configuring it properly, which we walk through in our Endpoints for CMMC blog. The reality is that endpoint compliance is not as daunting as it might initially appear when you have the right tools, expertise, and partners.

When to use VDI vs Endpoints for CMMC

While precise recommendations require a detailed assessment of your setup, consider the following questions to determine if VDI or Endpoints are the right fit for your organization:

Securing CUI within a VDI: PreVeil vs. GCC High

Having established VDI as a viable solution for CMMC compliance, the question of how to secure CUI within the VDI itself still remains. The two most common solutions for securing CUI within a VDI are Microsoft's GCC High and PreVeil.

These two solutions represent two different approaches to compliance, and we offer a full breakdown here. GCC High will always be more expensive than PreVeil. Admins also tend to find GCC High needlessly complex and difficult to configure. From the user perspective, the GCC High equivalents of the common Microsoft tools often hinder productivity, being more restrictive than their commercial counterparts.

PreVeil offers a different approach. Instead of moving users into a separate environment, it installs alongside the existing operating system and applications, minimally impacting the user experience. With PreVeil installed on the VDI, the CUI is protected. PreVeil provides the requisite encryption and other security features that allow the VDI to be compliant without otherwise getting in the way. A user can easily access the secure CUI on the VDI.

Conclusion

While there was ambiguity about whether VDIs would even be allowed in compliant environments in the early days of CMMC, there is no longer any doubt: VDI can be used for a CUI enclave. The client devices, if properly configured, are out of scope. Of course, the VDI itself is still within scope, and so still needs a solution such as PreVeil to protect the CUI inside it.

For smaller organizations with fewer internal IT resources, or for organizations that mix commercial and government work, VDI could be the right choice for CMMC compliance.