VDI for CUI
By Josh Griswell
One approach contractors can take to CMMC is to include all of their infrastructure within the scope boundary for a CMMC certification. This means that all of the company’s components and devices would have to follow the processes and practices required by CMMC. The larger the company’s environment, the more complex and expensive implementing all of those CMMC practices becomes. Therefore, there is good reason to reduce the scope of the system that stores, processes, or transmits CUI whenever possible. Besides reducing the cost, limiting the scope may be essential for any company that has technical requirements for using IT products that aren’t FIPS 140-2 validated, can’t be patched, or can’t be integrated with Multi-Factor Authentication (MFA).
A solution that some organizations use to sequester CUI from the rest of the corporate environment is an enclave. However, once the CUI is isolated in an enclave, the question becomes: how do you access the data? VDI (virtual desktop infrastructure), teamed with some kind of secure file storage, is a great answer to that question. VDI supports systems that are configured to prevent copying files or data between the VDI server and client, and to prevent printing to devices connected to the VDI client. In this design, the VDI client on the endpoint device sends only keyboard/mouse traffic and receives only a stream of graphics representing the data displayed on the screen.
Although CUI is displayed on the endpoint that is accessing the VDI, the CUI itself remains strictly inside the enclave. Of course, standard CMMC requirements must also be implemented, such as MFA and FIPS 140-2 validated encryption for the client-host traffic. By configuring the VDI in a secure manner you can create a highly secure boundary that walls off your CUI while still allowing access for legitimate business purposes. One option that companies choose is AWS WorkSpace VDI. Combining VDI with a file storage gateway allows you to isolate components of your overall IT infrastructure.
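The session-isolation settings described above (no clipboard, drive, or printer redirection between client and host, plus FIPS-compliant transport encryption) are what an assessor will want evidence of. The following added example, which is not from the original post or any SecureIT material, audits a Windows Remote Desktop Services-based VDI session host for those settings using the standard Terminal Services policy registry values; it assumes an RDS host, so an AWS WorkSpaces deployment would instead be checked against its own PCoIP/WSP policy templates.

```powershell
# Added example: audit a Windows RDS/VDI session host for the session-isolation
# and FIPS settings a CMMC enclave design relies on. Assumes settings are applied
# by Group Policy under the standard Terminal Services policy key.

$TsPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$FipsPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# Expected values: 1 = redirection disabled; MinEncryptionLevel 4 = "FIPS Compliant";
# SecurityLayer 2 = TLS required for the RDP transport; FIPS Enabled 1 = OS crypto
# restricted to FIPS-validated algorithms. A missing value means the default
# (redirection allowed) is in effect, so it is reported as a failure.
$Expected = @(
    @{ Path = $TsPolicy;   Name = 'fDisableClip';       Value = 1; Control = 'Clipboard redirection disabled' }
    @{ Path = $TsPolicy;   Name = 'fDisableCdm';        Value = 1; Control = 'Drive redirection disabled' }
    @{ Path = $TsPolicy;   Name = 'fDisableCpm';        Value = 1; Control = 'Printer redirection disabled' }
    @{ Path = $TsPolicy;   Name = 'fDisableLPT';        Value = 1; Control = 'LPT port redirection disabled' }
    @{ Path = $TsPolicy;   Name = 'fDisableCcm';        Value = 1; Control = 'COM port redirection disabled' }
    @{ Path = $TsPolicy;   Name = 'fDisablePNPRedir';   Value = 1; Control = 'Plug and Play device redirection disabled' }
    @{ Path = $TsPolicy;   Name = 'MinEncryptionLevel'; Value = 4; Control = 'RDP encryption level = FIPS Compliant' }
    @{ Path = $TsPolicy;   Name = 'SecurityLayer';      Value = 2; Control = 'RDP security layer = TLS' }
    @{ Path = $FipsPolicy; Name = 'Enabled';            Value = 1; Control = 'System cryptography: FIPS-validated algorithms only' }
)

function Test-VdiIsolationPolicy {
    # Returns one PASS/FAIL record per control so the output can be saved as evidence.
    foreach ($item in $Expected) {
        $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        [pscustomobject]@{
            Control  = $item.Control
            Expected = $item.Value
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = if ($actual -eq $item.Value) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-VdiIsolationPolicy | Format-Table -AutoSize
```

Run it on each session host in the enclave; any FAIL line means a path exists for screen content or files to leave the enclave, or for the client-host traffic to fall back to non-FIPS encryption.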
Should the endpoint accessing the VDI be in scope for CMMC? Unlike fax machines, copiers, or scanners (all of which can store images potentially containing CUI), a VDI client does not persistently store the graphical data that is displayed on the screen. If any CUI exists within the screen graphics, the VDI client does not store it on the endpoint. Furthermore, the endpoint does not process CUI, and no file transfer occurs. Therefore, the security of the endpoint device is not particularly relevant to safeguarding CUI, and this provides a reasonable basis for contractors to exclude endpoints from the scope of CMMC. Of course, as mentioned previously, it is essential to protect the network traffic between the VDI server and client with FIPS 140-2 validated encryption. CMMC control practices (like patching, configuration hardening, anti-malware protection, and encryption of data at rest) are relevant only to systems that store and process CUI – and those systems reside only in the enclave.
It’s important to carefully consider the boundary that falls into the scope of any CMMC compliance effort. Besides reducing the cost, limiting the scope also makes a lot of sense because companies may have assorted technical requirements, such as older technologies that aren’t FIPS 140-2 validated, don’t run on a modern operating system, or can’t integrate with Multi-Factor Authentication (MFA).
SecureIT is an experienced cybersecurity compliance advisor who will take the time to understand your situation and recommend practical, efficient solutions. If you’re planning your CMMC compliance effort and want an expert to help ensure your success, please contact us. We’d love to talk and show you how we can help.