Cybersecurity posture is a combination of the actions of the people in an organization using technology and the documentation that provides both direction and record. In short - it is culture.
Culture has costs. Each incremental improvement in technology and cybersecurity comes along with licensing, support, internal and external labor. There are two drivers that push an organization to improve cyber-posture: government requirements (a lagging, least common denominator) and a risk/return calculation on the costs of protecting information vs. the possibility of losing it.
CMMC is a maturity model aimed a providing a target for cybersecurity culture that is appropriate for the risk presented by the type of information the organization holds.
There are five maturity levels in CMMC, three of which are well defined in the CMMC Assessment Guide as of this writing with levels 4 and 5 still in the "coming soon" category. All contracts that involve CUI (Controlled Unclassified Information) will require a certification for CMMC Level 3 by 2025. Contracts without CUI, will require a level 1 certification because they contain FCI (Federal Contract Information).
Reaching CMMC ML-3 will, by definition, be more costly than CMMC ML-1. The difference is stark. There are 17 cybersecurity controls at Level 1, while CMMC Level-3 contains 130 practices and adds 51 processes.
Enterprise Scope vs. a Carve-Out
Given the above, there is a significant cost delta to ensure the entire enterprise is capable of handling and storing CUI. For larger organizations and some smaller ones who handle relatively small amounts of CUI, it may be more affordable to carve out a portion of the organization with an elevated cybersecurity posture. On the other hand, creating the carve-outs comes with its own set of expenses, both technological and in management, that may not be "worth it."
Two Flavors of Carve-Out
- Organizational Unit - this boundary is drawn along business lines. For example, Pepsico owns KFC and Pepsi. If only KFC touches CUI then Pepsico may choose to have KFC certified at CMMC Level 3 while Pepsi soft drinks are at CMMC Level 1. Ultimately the contracts will drive the decision, for now, look at the contracts that both organizational units sign with the government for the DFARS 7012 clause. Those with CUI will likely have a DFARS 7012 clause.
- Program Enclave - In this case, a business is a singular enterprise that possibly has only a few employees working on a contract that requires CMMC ML-3 certification. This group is able to be separated from the rest of the enterprise in a way that prevents access to the CUI, except by the group's members.
Where the Carve-out is derived from an organization unit or program enclave the carve-out can be referred to as an "Enclave."
Carving out an Enclave
To explore whether all of the people and tools with access to CUI can be carved out from the main organization here is a list of considerations. The list is not meant to be comprehensive. A CMMC RPO to C3PAO can provide additional direction.
- Is the enclave on the same subnet?
- Is there a firewall between the enclave and the rest of the organization?
- Do the members of the enclave have a separate communications system to transmit CUI (separate email addresses, etc.)?
- Is access to the CUI at rest limited only to authorized members of the enclave?
- Can the organization prove that the above is true via monitoring and reporting?
While the above discussion is related to carving out an enclave to handle CUI within a larger organization. However, the same logic can be applied to a large organization which is primarily commercial and has a small government services group with only a small bit of FCI (Federal Contract Information) which means a CMMC ML-1 certification. In this case, the organization can carve out a small unit to work on the government contract while excluding the bulk of the organization which serves only the commercial market.