A research organization invested in an out-of-the-box Cloud enclave for CMMC compliance but didn’t fully consider how it would impact day-to-day business operations. As a result, the organization struggled to get its employees adjusted to the changes and was unsure if its CUI was being transmitted outside of the enclave.
112Cyber was able to:
- Uncover unknown CUI transmission through an in-depth discovery into the people, processes, and technologies that were interacting with CUI.
- Provide data-driven guidance on how to better leverage Cloud technology alongside on-premises software and equipment.
- Significantly increase the ROI of compliance investments by mapping them to business risk and company objectives.
The Problem
This research organization historically relied on on-premises solutions to conduct its operations. To achieve CMMC compliance, the organization was told that restricting its CUI to a Cloud enclave would be the easiest, most efficient option. The client established the enclave within the Cloud Service Provider (CSP) solution.
While this investment could have been successful, the client failed to fully analyze how siphoning off its CUI to the Cloud, with browser access only, would impact its employees. Many day-to-day operations – such as those that required desktop applications or specialized research software – were interrupted, leading to:
- Dissatisfied employees that were unable to efficiently do their jobs
- An overwhelming dollar amount to move day-to-day operations into the CSP utilizing Virtual Desktop Infrastructures (VDIs), on top of the amount already invested
- Hesitation in presenting more investment requests to leadership
- Uncertainty and confusion surrounding the location and flow of CUI
- Lack of confidence in their existing SPRS score and CMMC readiness
The Solution
The organization turned to 112Cyber for guidance on mapping out its CUI and determining if the Cloud enclave was feasible long term. 112Cyber’s Certified CMMC Professionals and Assessors performed a CUI Data Mapping exercise that focused on four main goals:
- Tracing the storage and transmission of CUI across the organization
- Understanding the practical implementation of the CSP enclave
- Analyzing how well the method integrated with existing business operations
- Detailing data-backed business justification for different computing approaches (Cloud, hybrid, and on-prem)
112Cyber took a highly individualized approach to the CUI Data Mapping exercise, interviewing key stakeholders and conducting a thorough analysis to identify the effectiveness of the CSP enclave. 112Cyber also considered feedback from end users to determine if the CSP enclave provided a reasonable and secure way to handle CUI.
Through this comprehensive approach, 112Cyber aimed to determine if the CSP enclave method could be sustainable and effective in maintaining compliance while supporting the organization’s operational goals.
The Results
After conducting its CUI Data Mapping exercise, 112Cyber was able to:
- Discover that end users were not utilizing the enclave as intended by the deployment vendor, preventing a bombshell surprise during a CMMC Assessment Scope Validation.
– 112Cyber determined that end users were transmitting CUI from the enclave and processing CUI on out-of-scope systems. Knowledge of this expanded the scope of the CUI environment up to 100%. - Reduce the cost of Cloud investments by switching to a more efficient hybrid approach.
– By thoroughly detailing the flow of CUI across all on-premises and Cloud locations – as well as collecting feedback from end users – 112Cyber allowed the organization to better understand its Cloud enclave investment as it relates to business operations and make an informed decision on whether this was the best way to proceed based on cost and risk. - Reduce confusion and uncertainty by clearly defining where CUI was stored, processed, and transmitted within the organization.
– 112Cyber mapped out the flow of CUI through a data-flow diagram, system boundary diagram, and asset categorization, allowing the client to better understand which areas of the organization would require protection. - Strengthen the organization’s security and compliance posture and provide the organization’s leadership with confidence in CMMC readiness.
– Ensuring that all CUI was accounted for allowed the organization and its leadership to more confidently proceed with compliance decisions and investments.