How Does VDI Solve the CUI and CMMC Conundrum?
Explore how VDI for CUI helps businesses meet compliance requirements, ensuring secure data access while simplifying CMMC certification.
Contractors within the Defense Industrial Base that handle Controlled Unclassified Information (CUI) must maintain compliance with the complex NIST SP 800-171 controls and CMMC standards in order to keep their government contracts. One of the biggest challenges these contractors face is determining which of their physical and digital assets will be included in the scope of their CMMC assessment.
One approach contractors can take is to simply include all of their infrastructure within the scope of their CMMC certification. While this may seem like a simple solution, it actually creates a laundry list of convoluted challenges, as all of the company’s assets have to follow the processes and practices required by CMMC.
This leaves many defense contractors facing a dilemma: how can they secure CUI and achieve CMMC certification without keeping their company’s entire network in compliance with CMMC? One increasingly popular solution is to sequester CUI from the rest of the corporate environment in an enclave and access it through virtual desktop infrastructure (VDI). VDI helps solve the CUI and CMMC conundrum by isolating the system that stores and transmits CUI from the rest of your network, which reduces the scope of that system and of the assessment.
With the help of VDI, you can keep CUI secure without having to go through the expense and hassle of measuring your entire network against CMMC standards. Keep reading to learn more about scoping your CUI with virtual desktop infrastructure and how this can simplify the CMMC certification process for Department of Defense (DoD) contractors and subcontractors.
Simplify CMMC Certification By Scoping Your CUI
Effectively scoping CUI is essential, as it can help you efficiently achieve CMMC compliance. Scoping involves identifying where CUI is handled within your organization, allowing you to isolate the systems, applications, and teams that interact with sensitive government data.
Why Scope CUI?
Scoping your CUI is an essential component of efficient CMMC certification, as it helps you identify the systems, environments, and processes that handle CUI. This allows you to take a more targeted approach to CMMC certification, as only these in-scope systems will be measured against CMMC and NIST compliance requirements. Unless you take the proper steps to determine which assets are in scope and which are out of scope, your compliance efforts could quickly become extremely complex, time-consuming, and even more expensive.
How Can I Identify In-Scope Assets?
Identifying which assets are in scope (and which are not) can save you a lot of time and money when preparing for a CMMC assessment. Unless you take the time to properly identify in-scope assets, you risk needing to have your entire network measured against CMMC guidelines, which could cause the cost of achieving CMMC compliance to skyrocket. Yet, you may find yourself wondering how to identify in-scope assets. While this process looks different for every organization, your first step should be to gain a better understanding of which parts of your organization handle CUI, and where CUI is generated, processed, or stored within your company. You can then work with your team to identify the people, processes, technology, data, and facilities that could be in scope for compliance. You may find it helpful to use asset discovery tools like Microsoft Purview to identify assets for CMMC compliance, as this can help you determine your assessment scope. You may also want to consider consulting a CMMC-certified managed service provider (MSP) who has the experience to help you identify and secure your in-scope assets.
Solve Compliance and CMMC Challenges With VDI for CUI
Once you determine the scope of assets and systems in your network that handle CUI and are subject to CMMC, your next challenge will be to keep this data secure from the rest of your corporate environment. A popular way to do this is to keep your CUI segregated from the rest of your corporate environment in an enclave and access it using virtual desktop infrastructure. Doing so can help solve the challenges many organizations face when preparing for a CMMC assessment.
What is a CUI Enclave?
Of course, the first thing you may find yourself wondering is what a CUI enclave is. A CUI enclave is a segmented environment designed to process sensitive data while adhering to specific security practices, such as those outlined by CMMC. It is a physically or digitally separated part of an organization where systems, processes, and personnel that interact with CUI are isolated to comply with the security controls required for CMMC. However, unlike isolated networks, a CUI enclave can still interact with external systems through the use of virtual desktop infrastructure. The enclave then keeps CUI secure and ensures only the in-scope environment is audited during a CMMC assessment by creating a boundary between it and the rest of an organization’s corporate environment, simplifying the certification process.
What is Virtual Desktop Infrastructure?
Virtual desktop infrastructure is a software tool that allows users to access company systems and applications securely from any device over the internet. When configured correctly, VDI allows users to see and manipulate secure data without the ability to store or print sensitive information, because this data is stored only on the central servers the VDI session connects to, never on the endpoint devices. While the CUI is displayed on the endpoint accessing the VDI, the CUI itself remains strictly inside the enclave. Using VDI therefore lets you create a highly secure boundary that protects your CUI while still allowing secure access to it. Additionally, since the CUI is not stored on the endpoint devices, the organization’s overall CMMC scope is limited.
How Does VDI Help With CMMC Certification?
Virtual Desktop Infrastructure can help streamline the process of achieving CMMC compliance by providing a centralized, highly secure environment for storing and accessing sensitive government data. Not only does this help you keep this data secure, reducing the risk of data breaches while ensuring compliance, but it also helps keep CUI separate from the rest of your corporate environment. VDI can help define the boundary of your CUI and limit the scope of your CMMC assessment to only those systems necessary for compliance, which can go a long way in streamlining the process. Here’s a look at a few additional ways virtual desktop infrastructure can help with CMMC certification:
- Data Isolation: One of the biggest advantages VDI provides is that it separates sensitive data from the physical endpoint. Sensitive government data accessed through VDI remains in the enclave and is not stored locally on user devices that could be compromised. This data isolation helps keep CUI secure, reducing the risk of a data breach.
- Strong Access Controls: In order to comply with NIST and CMMC standards, organizations that handle CUI must employ strong access controls to ensure only authorized users have access to sensitive government data. VDI can then help, as it enables you to implement robust access control mechanisms like multi-factor authentication (MFA). With VDI, you can also take advantage of granular user permissions, which allows you to restrict access to sensitive data based on user roles. This can then help you fulfill CMMC requirements regarding privileged access management.
- Centralized Management: VDI also allows administrators to centrally manage security policies, user access controls, and system updates across all virtual desktops from a single location. This can greatly simplify compliance by allowing IT administrators to configure network settings, manage user accounts, and turn on security measures for all users instantly from a central location.
- Increased Security: Demonstrating an ability to properly secure CUI is an essential component of CMMC certification. Since VDI is centralized and sandboxed, it can be an integral component of your organization’s security strategy. Additionally, since data is not stored on user devices, this reduces the risk of data loss or unauthorized access in the event a device is lost or stolen. In fact, VDI makes it possible for users to securely access sensitive information from their own devices from wherever they are, which can help facilitate remote work while ensuring that you are still properly securing CUI.
For government contractors seeking CMMC certification, VDI can provide numerous benefits by limiting the scope of assessment and helping keep CUI secure and segmented from the rest of your data. However, it is important that you work with an experienced MSP when implementing VDI, as they can assess your specific needs and help you determine if choosing VDI is the right course of action for your organization.
Are Endpoints Accessing VDI Out-of-Scope for CMMC?
Another question you may find yourself asking when scoping system boundaries for CMMC assessments is whether or not the endpoints accessing VDI can be considered out-of-scope assets. Until recently, this was a highly contested topic that was debated by organizations that handle CUI on their networks. Fortunately, we now have a definitive answer to this question with the issuance of 32 CFR Part 170 in October 2024. In this document, the DoD clarified that an endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI is considered out-of-scope. This means that endpoints accessing VDI can be considered out-of-scope as long as you configure the VDI so that it does not allow users to drag/drop files, print, or copy/paste to the local desktop, because the endpoint device is then not processing CUI. The CUI exists on the endpoint only as rendered screen graphics; the VDI does not share the data itself with the endpoint.
This is good news for defense contractors, as being able to classify endpoint devices as out-of-scope can greatly simplify the process of achieving CMMC certification.
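As an added example (not Agile IT's code and not part of the original article), here is a small Python checker that validates an RDP connection-properties string, the `key:type:value` format used by .rdp files and Azure Virtual Desktop host pools, against the endpoint-isolation settings described above. The property names are standard RDP settings; treating exactly these three as the required set, and the sample strings, are assumptions of this example.

```python
# Added example (not Agile IT's code or part of the original article): check an
# RDP connection-properties string against the endpoint-isolation settings the
# article describes (no copy/paste, no printing, no drag/drop of files).
# The property names are standard RDP settings; requiring exactly these three
# is this example's assumption, not a CMMC or DoD rule.

# property -> (type letter, required value); "s" properties must be empty
REQUIRED_ISOLATION = {
    "redirectclipboard": ("i", "0"),  # disables clipboard (copy/paste) redirection
    "redirectprinters": ("i", "0"),   # disables printer redirection
    "drivestoredirect": ("s", ""),    # disables drive redirection (file drag/drop)
}

# Constructed sample property strings for demonstration.
OUT_OF_SCOPE_SAMPLE = "redirectclipboard:i:0;redirectprinters:i:0;drivestoredirect:s:;audiomode:i:0;"
LEAKY_SAMPLE = "redirectclipboard:i:1;redirectprinters:i:0;drivestoredirect:s:*"


def parse_rdp_properties(text: str) -> dict:
    """Parse ';'- or newline-separated 'key:type:value' entries into a dict."""
    props = {}
    for item in text.replace("\n", ";").split(";"):
        item = item.strip()
        if not item:
            continue
        parts = item.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed RDP property: {item!r}")
        key, ptype, value = (p.strip() for p in parts)
        props[key.lower()] = (ptype.lower(), value)
    return props


def isolation_findings(text: str) -> list:
    """Return findings for settings that would let CUI leave the session.
    An empty list means every checked redirection path is disabled."""
    props = parse_rdp_properties(text)
    findings = []
    for key, (want_type, want_value) in REQUIRED_ISOLATION.items():
        if key not in props:
            findings.append(f"{key} not set explicitly; client default applies")
            continue
        got_type, got_value = props[key]
        if (got_type, got_value) != (want_type, want_value):
            findings.append(f"{key}:{got_type}:{got_value} permits redirection "
                            f"(expected {key}:{want_type}:{want_value})")
    return findings
```

Run `isolation_findings()` over the RDP properties exported from your host pool; an empty result means the checked redirection paths are closed, while each finding names the property that would let CUI onto the endpoint.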
Contact Agile IT For Assistance Preparing for CMMC Certification
Navigating the CMMC certification process can feel overwhelming, but you don’t have to do it alone. At Agile IT, we focus on making this journey as seamless as possible for you. From scoping your CUI to managing your virtual desktop infrastructure, we take on the heavy lifting so you can focus on your core business. Our experienced team is dedicated to simplifying the CMMC assessment process and ensuring your organization meets compliance with confidence.
Contact us today to learn how our customized CMMC services can help secure your CUI, simplify the assessment process, and help you achieve certification without unnecessary stress.