What You Need to Know About Computer Encryption for CMMC Compliance
Leia Kupris Shilobod, CCP, CISM
Chief Security Officer | Author | Speaker | CMMC RPO & CCP | IT Princess of Power | SuperWoman
A question our Clients ask all the time is, "Do we need to encrypt our computers for CMMC compliance?" The short answer is: it depends. You must start by identifying the level of certification you need, as well as where and how CUI is stored.
If you are in the DoD Supply Chain and handle CUI, you must certify at CMMC Level 3 or above. The CMMC and NIST 800-171 explicitly state that media where CUI is stored must be encrypted.
So, if you store CUI on your on-premises server, the server must be encrypted. If your quoting staff handle that CUI on their computers to quote a job, those computers must also be encrypted.
If you have connected computers across the network, but they don't explicitly handle CUI, then they technically don't have to be encrypted, but let's think about this for a moment...
It is possible that CUI may end up on one of those computers at some point. It's also going to be harder to manage and remember which computers should be encrypted and which should not. And encryption is simply a cybersecurity best practice, so we recommend that all company-owned computers and servers be encrypted.
Another question we often hear from our Clients is: How should we encrypt our computers and servers?
The great thing about Windows 10 is that the OS comes with Microsoft BitLocker built in. All you need to do is turn on BitLocker, and it will automatically encrypt your entire operating system drive. It's best practice to also enable encryption for any external hard drives that are used with Windows.
If you're not using Microsoft devices, or if your computers aren't running Windows, then we recommend looking at third-party software such as Beachhead or TrueCrypt.
But before you rush out and press the "encrypt now" button, remember that a special key will be generated, and you'll need a secure place to store it.
Servers can be a little trickier. All your data lives there, and the device is critical to your business operations. If you don't do it right, you could lose access to all your data and applications.
Windows Server operating systems also come with BitLocker, and you can still choose third-party encryption software, but there is a far easier method: self-encrypting hard drives.
Self-encrypting hard drives keep the encryption keys in the drive hardware itself. This means the encryption can't be turned off, and the drive can't be removed and read elsewhere, unless you have physical access and know how. And if a hacker does get inside, they won't be able to see your data without this key, because there is no way for them to bypass the self-encrypting technology.
But don't stop there. Inventory every device in your company that holds data and determine how to encrypt it. Some devices (like Apple's iPhone) come encrypted out of the box. Other devices need to have encryption turned on.
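The two practical steps above, turning BitLocker on and keeping the generated recovery key somewhere safe, plus the device inventory, can be scripted on Windows. The following PowerShell is an added example, not code from the article or from InTech Solutions. It assumes Windows 10/11 Pro or Enterprise (or Windows Server) with the built-in BitLocker module, a ready TPM, an elevated session, and a domain-joined machine whose Group Policy permits backing recovery passwords up to Active Directory; escrowing the key to AD is one common answer to "a secure place to store this" and is this example's choice, not a requirement stated by the article. The function and property names below are the BitLocker module's own; the two function names the script defines are hypothetical.

```powershell
# Added example (not the article's code). Audit local fixed volumes for BitLocker
# protection, then enable BitLocker on the OS drive with a TPM protector and a
# recovery password escrowed to Active Directory.
# Assumptions: Windows 10/11 Pro/Enterprise or Windows Server, BitLocker module,
# TPM present and ready, elevated session, domain-joined with AD key backup allowed.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Get-EncryptionGap {
    # Report every OS and fixed data volume on this machine that is not both fully
    # encrypted and protected. Run it on each company asset to build the inventory
    # of which computers still need encryption, instead of tracking it by memory.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Drive      = $_.MountPoint
                Type       = $_.VolumeType
                Status     = $_.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
                Protection = $_.ProtectionStatus   # 'Off' means the key is not enforced even if encrypted
                Percent    = $_.EncryptionPercentage
                Protectors = ($_.KeyProtector.KeyProtectorType -join ',')
                NeedsWork  = ($_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On')
            }
        }
}

function Enable-OsDriveEncryption {
    param([string]$MountPoint = $env:SystemDrive)

    # Refuse to proceed without a usable TPM; a TPM-less setup needs a different protector.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on $env:COMPUTERNAME; cannot add a TPM protector."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # XTS-AES 256 for the OS drive; the TPM protector unlocks it transparently at boot.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest
    }

    # The "special key" the article warns about is the 48-digit recovery password.
    # Add one if missing, then escrow it to AD so it never lives only on the device.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($rp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    }

    # Report only the protector ID; the recovery password itself must never reach a log.
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Drive               = $MountPoint
        RecoveryProtectorId = ($recovery.KeyProtectorId -join ',')
        EscrowedToAD        = $true
    }
}

# Usage (elevated PowerShell):
#   Get-EncryptionGap | Format-Table -AutoSize
#   Enable-OsDriveEncryption
```

Run `Get-EncryptionGap` first on every asset and keep the output as evidence; any row with `NeedsWork` set to `True` is a device where CUI could land unprotected. `Enable-OsDriveEncryption` deliberately separates the TPM protector (convenience at boot) from the recovery password (the break-glass key the article tells you to store securely), and the AD escrow step is the one place that key is written, so the script never echoes it.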
Bottom line: In this age of increasing threats, encrypt everything.
LEIA SHILOBOD – CEO of InTech Solutions, author of Cyber Warfare: Protecting Your Business From Total Annihilation and The Three Indisputable Rules Every Manufacturer Must Know Before Purchasing Any IT Product or Service.
As a cyber security advisor, Leia speaks frequently at venues and events such as Harvard, Pennsylvania State Department events, and Accounting and Manufacturing industry events.
Also known as the "IT Princess of Power", Leia saves mid-market firms from hackers and keeps them compliant by delivering enterprise-class IT security solutions that would otherwise be cost prohibitive.
Information Technology Professional · 1 year
You state... "So, if you store CUI on your on-premises server, the server must be encrypted". Could you provide a source for that? NIST Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook For Assessing 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, page 132, 3.13.16 states "CUI can be stored at rest in any non-mobile devices or data center, unencrypted, as long as it is protected by other approved logical or physical methods" and "...encryption is an option, not a requirement". Is that document outdated?
M&A Broker + Vision + Strategy Leadership + Culture + Podcaster | Growth & Leadership Coach | Hall of Fame Athlete · 1 year
Great article Leia Kupris Shilobod, CCP, CISM!
VP Cybersecurity Compliance; QTE, CISM, CRISC, CMMC Lead CCA and PI; Insider Threat Vulnerability Assessor and Program Manager · 3 years
Leia Shilobod great article. And I agree, it's so much easier to encrypt every device vs tracking where CUI is going after the fact.