CMMC Compliance – Data in Transit
Encryption is one of the most important requirements of the Department of Defense (DoD) Cyber Maturity Model Certification (CMMC) framework. Every defense industrial based (DIB) organization is required to deploy encryption across all systems which store, process, and/or transmit controlled unclassified information (CUI). This requirement is meant to help protect DIB organizations from costly data breaches and to help further secure the DoD supply chain.
Data in transit, or data in motion, is data actively moving from one location to another (such as across the internet or through a private network). Data protection in transit is the protection of this data being transferred from a local storage device to a cloud storage device.
Data in transit containing CUI, if unprotected, is vulnerable to data leaks which could allow adversaries access to the keys of the kingdom. When you send an email with CUI, it is critical the body and attachments remain secure. The best way to ensure this objective is through the use of an encryption platform that integrates with your existing systems and workflows. The most well-known method for encrypting data in transit is Transport Layer Security (TLS). TLS is a cryptographic protocol designed to provide secure communication across a computer network.
One way to achieve the appropriate level of encryption is to implement IdenTrust ECA Digital Certificates across your organization. IdenTrust is an approved provider of DoD ECA (External Certificate Authority) certificates that can be used to enable cryptographic protection of transmitted data. ECA certificates are individually issued digital identity credentials intended for the DoD DIB community. DoD DIB organizations can use these credentials to meet CMMC requirements for safeguarding sensitive and unclassified DoD information to:
- Digitally sign and encrypt emails and documents
- Ensure only intended recipient(s) can decrypt transmitted data
- Ensure integrity of encrypted information (meaning it has not changed since encryption)
- Ensure the identity of the sender of the information
Leveraging IdenTrust further enables DoD DIB organizations to achieve compliance with DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”, which mandates the reporting of cyber incidents to the DoD within 72 hours. A DoD ECA certificate is required to authenticate a user/machine (from the affected organization) to the DoD Incident Reporting website – https://dibnet.dod.mil/portal/intranet/.
If you or your organization are interested in learning more about how to satisfy data in transit compliance requirements, or other security controls required by DFARS or CMMC, please reach out to your cybersecurity experts – Mission Multiplier – at firstname.lastname@example.org.