‹ All episodes

Reckless Compliance

Enclaves in the Era of CMMC with Reuben Patton


Long Description:
Max Aulakh invites Reuben Patton to discuss the implementation of enclaves in the context of CMMC (Cybersecurity Maturity Model Certification). Reuben, with his experience in both the classified sector and cybersecurity, provides insights on how enclaves, traditionally used in classified environments, are now being applied to manage CMMC requirements. He dives into strategies for handling Operational Technology and Research & Development in relation to CMMC, discussing the challenges and considerations of incorporating these areas into compliance frameworks. The conversation also touches on the practicalities and complexities of managing enclaves, offering valuable guidance for organizations navigating CMMC compliance.

Topics we discuss:

  • Understanding Enclaves
  • Enclaves in Operational Technology
  • Strategic Implementation of Enclaves

Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website


Max Aulakh: [00:00:00]
Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by ignyteplatform.com if you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or if you’re a security pro within the federal space looking for a community, join us.

We’ll break down tools, tips, and techniques to help you get better and faster to get through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agencies you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF,  DISA, STIGS, Sapsars, or newer terms like CATO, Big Bang, OSCAL, and SBOMs, we’ll break it down all one by one.

And now, here’s the show. 

Hello, everyone. Welcome to another episode of Reckless Compliance. Today we’re going to talk about enclaves because everybody is, has heard of this term and is wondering how do we set up enclaves in the era of CMMC. We’ll learn about why are they used, what’s important about them, things like that.

I do have one of my friends on with me, his name’s Reuben Patton. He’s been working on the classified side, and a lot of this thinking about enclaves really comes from the classified side, but now it’s being applied on the CMMC side in order to get through some of these processes. I’ve seen a lot of big companies, our last episode, one of our CISO guest, Anthony, he talked about enclaves at Battelle, and we’ve got a lot of smaller organizations.

That have applied this concept. So without further ado, Reuben, welcome to the show and how are you doing today? 

Reuben Patton:[00:01:36] 
I’m great, Max. That’s great to be here. I appreciate the opportunity to sit down and have a conversation about this area of enclaves within CMMC, what that mean and you know, how, how can organizations take advantage of it. Right. So I’m super happy to be here. 

Max Aulakh:[00:01:51] 
Yeah, absolutely. And I appreciate you coming on, this for those that are listening. Reuben, tell us a little bit about yourself, just a little bit of your background and how did you learn about this Enclave approach and, and where are you working and where have you worked before?

Just tell us a little bit about yourself. 

Reuben Patton:[00:02:07]
Sure. Yeah. So I started as a DOD civilian way back in 2010 looking for a intelligence community. DoD I C intelligence community organization. And I didn’t really realize that at the time when I, when I first started kind of working, I was doing a lot of reverse engineering of malware and things like that, and I didn’t actually, you know, put the two and two together that the area networks and things like that, that I was working on in order to do reverse engineering of malware were actually considered to the to the classified side.

Right. So. I hadn’t put all that together at that few years later, ended up working in and doing some IT work for the same organization and then eventually moved into cybersecurity for that same intelligence organization. So, then all of a sudden it, it really kind of clicked for me to put all of it together and realize, You know how it all kind of plays together from a classified perspective.

I ended up being a security control assessor for the IC organization and really learned a lot some great mentors there as well to kind of help me get going. And then I realized, man, the depth of this. And how long they’ve been doing this on the classified side not only enclaves, but also, you know, just general RMF, you know, NIST 800 53 type stuff.

From there moved into systems engineering, did some got my master’s degree over at the Air Force Institute of Technology, and really started to kind of figure out, With the engineering side of cybersecurity into work. It was a lot of fun. There’s a lot of work to say the least, but essentially ended up moving over to a a DOD contractor and try to do very similar things for them on the classified side, and then finally found myself in a, in an opportunity to do things on the unclass side, and this was several years ago, CMMC was really just kind of starting to be born, you know, they, they were starting to realize that, like, hey, we, like, we need a way.

Right. It actually holds some of these, you know, the contractors accountable for the things that are in their default. Right. So, like I said, found myself on the unclassified side, then realizing, you know, that the entire experience that I had had since 2010. It’s really kind of all playing in all at the same time, right?

Everything that you learn from 853, right? You know, kind of dive straight into 171 and then, you know, how the categorization works, you know, all that kind of stuff, right? And then how do you deal with what may not necessarily be in scope? Right. And then how do you define the scope? I mean, there’s a lot of talks out there right now about defining the scope boundary and all those kind of things.

You have to do all that kind of stuff, but what happens with the remainder, right? What happens with the leftovers, the assets that currently aren’t necessarily, what do you, what do you do with it, right? Or what do you do if you have, you know, a relatively small CMMC scope, So, 

Max Aulakh:[00:05:09]
yeah, no, Reuben, let me jump in here because I think you’re getting into some of the key areas that I actually want to explore at a greater depth, but funny that you mentioned about, I see, I spent some time at NASIC and I think like 10 years ago reverse engineering was huge because we had all these desktop apps and things like that, right?

And I know the NSA, they’ve released Ghidra which is a competitor to IDA Pro, which was like the tool to use back in the day. and I think we’ve seen a lot of shift into the cloud, right? And so now the landscape has changed. But I appreciate, you know, a lot of the time that you spent there because I was on the ground too, worked at NASIC, right?

And so we probably have a lot of shared connections and whatnot. This Enclave stuff, right? So now bringing all of how some of these operations, which are painful and on the classified side, right? They’re very painful. You get out on the outside where you have to do R&D and those kinds of things.

So to start off with, like, how would you define, like, what is an enclave? Why would you even do that on a strategy for the business environment? Cause for the government, that’s like a normal talk track. They understand it, right? How does it, what is an enclave and why is it really important for, for CMMC in your mind?

Reuben Patton:[00:06:24]
Yeah, from a corporate perspective, an enclave is something that is either logically or physically separated, you know, from, What you would call your general support system, for example, or, you know, and maybe that’s the reverse, right? Maybe you have CUI and CMMC in a small enclave and your GSS doesn’t handle any, any CUI in any way, shape or form.

I think most people are finding themselves Which is most of their GSS, at least for DOD contracts, right? Most of their GSS has probably got some sort of FCI, CUI, ITAR kind of data on it. And they’re figuring out relatively quickly that Wow, my, my boundary is a pretty good size, right? But do I really want to put my R&D assets?

And my go out to the internet, play and have a whole bunch of fun, you know, generating all kinds of AI algorithms and things like that, you know, putting. A ton of research and development, personnel and, you know, resources towards you know, making the DOD better, right? In order to be able to, or even just corporate, right?

It doesn’t necessarily have to be the DOD, but just corporately and in general, things that you want to be outside of your You know, see why FCI type boundary. What do you do with those? And then what is the transition plan between potentially when assets move or services move or delivered right between the two boundaries?

It gets complicated pretty quickly. The DOD figured this out really quickly and came up with cross domain solutions on the classified side, right? But very few contractors and very few organizations, in my opinion, are going to go down the cross domain solution route. Yeah. It’s variable. I think 

Max Aulakh:[00:08:15]
the funny you bring up CDS or cross domain, but I see that, that as a potential future market, because one of the talks I’m doing is around declassifying a CUI, if such thing exists, which it doesn’t.

And I know on the classified side, that’s a normal practice. You know, how do you downgrade information? But when it comes to this enclaves, one of the things you said that’s very interesting is that most defense contractors, it’s actually their general support system that is under scrutiny, their email system, their printers, that’s where CUI flows.

And then of course, for R&D, you know, you would not want that as part of your general scheme either, where most of the time it can be cost prohibitive and things like that. What about machines? Right? Because we work with a lot of, there’s a lot of manufacturing that happens, you know, and they don’t have a cybersecurity professionals who have worked at NASIC done reverse engineering.

They don’t have that kind of talent, right? These are just blue collar. Manufacturers facilities, or they’re sophisticated, but they just don’t work with the defense. They work at the make ATM machines or whatever, right? Have you seen importance of enclaves applied to operational technology or CMMC or similar?

Reuben Patton:[00:09:28]
For sure. I mean, SCADA has been around for a long time, right? And the enclave idea has been out there for quite a while. SCADA systems typically are sitting on their own sort of, whether you want to call it a separate IP space or, you know, VLAN or, you know, something to that nature, potentially even a completely entirely different domain, right?

To kind of keep those two GSS and SCADA systems sort of separate. The problem is, if you want to transfer data back and forth, how do you do that, right? Do you sneaker net it over, right? Take it out on a, put it on a thumb drive and then, you know, move it across, you know, not normally that’s super cost effective.

So there’s got to be some sort of way to where you can develop a process, whether it be You know, subscribing to specific, you know, data transfer services or whatever, whatever it might be, but also being able to maintain a particular boundary for things like the like I said earlier, most organizations are, are in one boat or the other, right?

Either the GFS and CUI on it, or they’ve got 15 machines. Max, right? That have CEY on it. Then what do I do? Do I do an entire package with the team machine? According to DIPCAC you do, right? Yeah. I think that’s the 

Max Aulakh: [00:10:47]
predicament a lot of people are in. I know the proposed rule right now, they’re kicking the can down the road when it comes to operational technology.

They’re kind of just saying like, at least that’s what I read. Add it to your SSP, but don’t do anything about it. Right. Like add the inventory to your SSP, but don’t do anything about it. But knowing the behavior of the government, once they see it, they’ll be like, Oh, we got to do something about it. 

Reuben Patton:[00:11:11]
Yeah. I want to pull on that thread of, you know, adding a DRS SP, right. And again, this is a personal preference, right? This is an opinion. So for non CUI assets, that. May or may not be in their own sort of enclave or IP space or however you want to define it. In my opinion, you got to have it in your inventory, right?

You got to be able to do, you know, patch management on it. You got to be able to do all the things to keep it Right cyber secure, but it’s all 

Max Aulakh: [00:11:38]
on fault, right? 

Reuben Patton: [00:11:39]
Yeah, but as far as You know, actually adding it to a, a CMMC package, I think it’s, I think that might be a bridge too far. I really do. I think you’re going to find the conversations and the arguments that you’re going to have with an assessor is going to be really, really tough and complicated, right?

Because it’s. Well, yeah, this is our asset. No, it doesn’t process CUI, but it’s in our SSP, right? It’s in our security plan. It’s in, you know, everything, and it’s like, well, it’s definitely out of its inventory, right? You definitely want to maintain, you know, positive control on it. You want to patch it. You want to do all the things to do cybersecurity best practices.

But do you really want it in a package that honestly is not ever going to be, you know, do you want it assessed? Probably not. I mean, that’s why it’s in an on site. I think that’s the 

Max Aulakh: [00:12:29]
big question because you could end up with lots of separate little enclaves. You have your primary enclave, that’s the GSS, but that’ll be interesting because right now, as you know, Reuben, we’re like a 3PAO or FedRAMP, right?

We’re finishing out our C3PAO, those kinds of things. Yeah. Thanks. And when I’m reading the rule, it’s exactly that, like listed out on there. But I think that’s where it kind of goes back to, if it’s not the type of asset that processes this type of information, it shouldn’t be on there, but who knows?

Who knows what they’ll come up with. 

And we’ve talked about a couple of different ways to identify, right? Physical labels, you know, adding in you know, within your inventory, you know, labeling it with the inventory. You know, Hey. It’s not a CUI asset, plus a physical label on, on the machine, right? Hey, not authorized to process GUI, you know, things like that, that I think from an assessor perspective as a previous assessor, 

I would look at that and say, okay, you’ve made the attempt, right?

You’ve met the intent of the control that says, Hey, don’t process, you know, don’t store or process GUI on this machine, right? Or ITAR or whatever it might be, right? You know, part it’s completely separate. It’s an enclave that is not, you know, going to be processing cooing and therefore, you know, may or may not.

Obviously, you wouldn’t want to do a certification for pulling on the thread of what you mentioned a little bit earlier about the R and D side of things. We’ve teetered back and forth on how to handle R&D apps, right? Because if you go to your developers, they want unfettered access. Yeah, they want access to everything.

That’s what they want. They want, you know, free and open internet. They want to be able to download whatever they want from, you know, all the different libraries and, you know, all this, all this stuff. Which is great, right? That, like, that is the point of R&D. The question is maintaining enough oversight. On those R and D assets or R&D networks to ensure that when you begin processing potential, potentially processing see why now all of a sudden we’ve, we’ve got to move that, right?

We got moved either that asset or that work or whatever it might be into the CMFC boundary, right? And the process to do that is based on every organization. It’s going to be very organized.

I think you bring up an excellent point, right? Because you could have all of these operational technology enclaves or R&D enclaves, and they could be outside of the whole CMMC, but bringing those into the CMMC fit, you know, if it’s going to fit within the model, because it’s kind of a structured model, you know, you’ve got to have FIPS and you’ve got to have all these other things.

And that can be very challenging for a lot of businesses. Have you gone through that transformation yet? Where, or at least for an enclave or two, where, where you’re merging them together, right? Or bringing from one area into the other. 

Reuben Patton:[00:15:32]
Right. So perfect example of that is, You have a, an R&D network where all of a sudden you’ve kind of gotten your off a little bit, like, Oh, this might be marketing right to somebody.

Chances are you’re dealing, you’re potentially getting to the point where you’re, you might be flirting with CUI. This is how you’re going to market it to the government in some way, shape or form. Them giving you the government, giving you data to run your algorithm against or your, you know, your widget, right now, all of a sudden that widget or set of services are now producing CUI based on the fact that they gave you some government data to do that.

So a perfect example would be where we transformed and transmitted assets that were sitting in an R&D environment. And they had a very specific purpose. They were very specifically purposely built to handle high computing, AI algorithms. 

Max Aulakh: [00:16:31]
So here Reuben, you’re talking about like, when you say assets, you really mean like algorithms and data, those types of assets.

Reuben Patton: [00:16:38]
Yeah, so it could be everything. It could be algorithms, it could be data, it could be physical or virtual hardware, right? How do you take that, that’s firmly planted on one side of the fence, and growing really well, and now pick it up, transplant it on the other side of the fence, You’ve got to have a environment that is similar enough to where that tree will grow.

So, you’ve got to have very similar requirements and a process to move the tree from one side of the fence to the other. From your independent R&D to your Contractual R&D, for example. Now, all of a sudden, it’s processed in CUI. Now, all of a sudden, full set of 171 controls applied to it, but you’re not going to be able to do that if you don’t have environments that are close enough to where you can now apply those security controls, which is why it’s so, so important that, from an R&D perspective, you set out a template from an organization’s perspective and say, hey, at bare minimum, you’ve got to meet the requirements.

11 or 17 type controls. It’s not full 171, but at least if you meet these bare minimum ones, the transition from IRAD to CRAN is Much easier to make. And the, the data, the data ends up being able to actually be used on contract or whatever. It’s that so, so Reuben, whatever your widget 

Max Aulakh: [00:18:07]
is, yeah. You use a couple of terms.

So Irad meaning internal r and d, and then Crad being, or independent, but yeah, internal or independent. Internal. And then you have Crad, which is customer funded, customer r and d, those kinds of things. Or contractual RD. Either way. Yep. Okay. Okay. 

Reuben Patton: [00:18:24]
Basically the same thing. Yeah. I like what you, I like what you stated there because 

Max Aulakh: [00:18:28]
It’s like a tree, right?

You’re saying like you’re, you’re planted a tree on one side and you know, you got soil, water, and all of that. You got to have a process to uproot it and put it on this other side, which could be regular CUI and sometimes it can go beyond that, you know, into classified side, right? So tell me a little bit about like this template philosophy, right?

Like, or a base set of, you said like 10 to 17 controls, how do you decide which ones are important? And can you shed some light on how you guys may have done that over at Riverside or, or maybe even at NASIC or organizations that do R&D, which are a lot of universities, federally funded research institutions, right?

Mattel, I think everybody’s kind of struggling with, with this kind of challenge So what are some good templates or good way to kind of structure that side, you know, that isn’t, isn’t too hard on the developers, I’ll just say. 

Reuben Patton: [00:19:23]
Yeah. It kind of comes back to the requirements, kind of like we talked about earlier, right?

If you have any inkling that your independent research or, or internal research and development, but you want that at some point in time too. Potentially roll into a contractual or a customer R and D sort of perspective where you’re going to get data from somebody that is their data that they’ve collected for whatever means, obviously, unclassified data, but CUI data, basically, you’ve got to make sure that the requirements and the platform that you’re using in that The red type of environment are similar, close enough to your independent research 


Reuben Patton: [00:20:13]
when I say, you know, you asked some of the specific security controls, right?

You know, you’re, you’re big AC family, but of course, you’re not going to go through the entire, right? You’re going to go through things like multi factor authentication. Right. You’re going to go through things like secure, you know, code baseline, you’re going to have a CMTP, right? In some way, shape or form, you’re going to know, you know, what your changes are and how to track those.

And then also you’re going to have your, your typical logging and, you know, auditing and things like that that come into place. Sure. You may not necessarily be. Reporting those logs to a DOD type of institution, but you’ve got to be able to know where they are and how to trace them down and understand exactly what’s happening with your code or your widget or your device or whatever it might be.

Virtual is obviously a lot easier to do typically than physical hardware, but not everybody has those requirements. It doesn’t necessarily match with every use case. So a good, a good example of this is to bring 

you know, 

Reuben Patton: [00:21:22]
just a, a random organization that I’m familiar with. They took their widget basically SAS, right?

It’s software as a service. They took that and wanted to be able to, you know, shovel that off and make it, make it accessible to the government. Well, there’s a lot, there’s a set of requirements that you gotta go through in order to make that happen. Well, if you want to just host it on a government system, there’s a completely separate path than what it would be if you wanted to host it on, you know, Say your own virtual environment or whatever it might be, and they actually put that basically, if you can imagine the tree again, not only did they take the tree, they took all the dirt around it, right?

And it does the whole thing up, move the watering can like the whole nine yards broken, basically broke a place in the fence. And just scooted it over, right? They, they allowed they opened, you know, some, some ports and protocols and storage systems, things like that. They were allowed to be able to move it over.

Now, very important to have safeguards in place to ensure that other things don’t get through that. But then, after that was done, they were able to rescan their software as a service, rescan their code. And see if anything changed between the environment that they were in and the environment that they moved to.

Being able to say, hey, we know what changed, or nothing did change, is a huge benefit when it comes to hosting,

things out to the government. Whether it’s an application or a grant. 

You got to be, you got to be able to show traceability and traceability is always going to be huge and has been used for a very long time.

Max Aulakh: [00:23:04]
Yeah, no, I, I think I think those are some of the things when it comes to enclaves that becomes a challenge of maintenance, you know, in terms of. Okay, I built this great thing, and now I want to merge it into my operational environment. And I know Reuben, a lot of stuff you guys deal with is essentially building something very cool, and then if it works, you want to scale it, right?

And so now you’ve got to take this little enclave of R&D whatever it is, and, and make it into the normal part of, of business, right? So when it comes to enclaves and those kinds of things, have you seen companies apply it to CMMC? So just Talk about the unclassified side of how this might apply to like your normal GSS, right?

Let’s say you’ve got an organization who hasn’t really done any security all of a sudden, and now their core capability, emails and ventures, normal data processing, right? Have you had the opportunity, Reuben, where like that is the enclave, right? That’s basically what they are trying to figure out. How to work with the CMMC requirements because.

They’re not able to do that on their normal business operation because they’ve got so much legacy, you know, so much environment that it would be difficult to just fix. 

Reuben Patton: [00:24:24]
What I’ve seen in general is most organizations being able to find a platform that is FedRAMP compliant or something like that, right?

That, you know, the government has said, hey, if you use this platform, you meet all these security controls, right? We’ve already certified it. If you’re in it, there’s a set of requirements in order to get into it, but once you’re in it. You know, it’s kind of you know, there’s a lot of great collaboration tools, things like that.

One of the, one of the specific examples for like collaboration, things like that. It’s like the GCC High, right? That, that government basically cloud where, where they’re hosting, you know, essentially all Office 365 type services. That will get you 50 percent or more of the way there. If your enclave is your GSS, your general support system, or your collaboration environment, or whatever that might be, right?

That will, that will definitely get you at least 50%. Because, man, being able to take advantage of risk that has been mitigated for at least, you know, Measured to a certain extent and accepted by someone else, or at least part of that potentially passed on to you, man, that, that, that is a, that is a huge is a huge benefit, but there’s a lot of applications that aren’t in, in GCC high.

Right. Things like your, your payroll. Yeah. Yeah. Your, your payroll, your, you know, your, your timekeeping, your, you know, you know, your HR, your recruiting platforms, things like that. So. You’re looking for, you know, platforms that closely resemble some sort of FedRAMP type certification, which is, again, you’re looking for like ICD 503, you’re looking for, you know, some sort of 

Max Aulakh: [00:26:15]
FedRAMP equivalency as a new term being thrown around 

Reuben Patton: [00:26:18]
and, yep, yep, absolutely.

Because everybody’s, you know, like, what does that actually mean, right? Everybody’s got their own little take on what they think it means, and I guess we’ll see in the future, right, how, how right or how wrong we are, but but yeah, you get your, your primary collaboration tools and your, you know, how to do business tools.

In a, in a, either in an environment or at least, you know, purchase those tools that you know, are already fed ramp or similar compliant, you know, you’re, you’re, you’re in a high percentage of the way there the rest of it is all, most of, most of the rest of it is, is physical security types, things and training and personnel security, that is, you know, Honestly, it’s relatively 


Reuben Patton: [00:27:08]
considering all of the other things, right?

Either way, you still have to answer the security control, right? You still have to write the answer in. You still have to say, here’s how I’m doing access control dash one dot three A, right? Here’s how I’m doing authentication, multi factor authentication for each time. 

Max Aulakh: [00:27:28]
Yeah, I think one of the big misconceptions that we hear a lot is, You know, so there’s GCC High, Google has their own thing, right?

And then AWS, GovCloud is out there as well. Exactly. And then you have all these like, Deltac and different random applications that are just like, not really fed around at all. But one of the interesting thing is that when people take on this Enclave approach, the pre assumption or the pitch is, Hey, You’ll be near a hundred percent compliant, which is far from the truth, right?

Like you, you mentioned, Hey, yeah, it’ll get you halfway there. Like, you know, halfway to 60%, because there’s still so much more to do, at least for your primary enclave you know 

Reuben Patton: [00:28:09]
Which is why I highly recommend, right? I couldn’t highly more recommend that any sort of R and D that you’re doing.

You know, get it out of that CUI boundary as much as you can, right, and establish a process to move, whether it be software or hardware, which is data in general, establish a process to move it into the boundary when it’s ready, and when we know for a fact that That we’re ready to process QE on it because the fewer, the more things that you can sort of get out of the boundary that are, that have requirements on them for being open and free and, you know extremely malleable, I guess.

You want to try to take those out of that boundary if you can, 

if you 

Max Aulakh: [00:28:51]
can. Yeah, that makes sense. Well, Reuben, I know we’re coming to the top of the hour, but I wanted to thank you and then also wanted to ask you this one last question. So for those that are kind of going through this and they have never done this enclave approach, I guess, what are some helpful tips either from a engineering perspective or just process perspective that, you know, what are some key takeaways that they should be aware of if they’re going to.

Try to do this enclave approach. 

Reuben Patton: [00:29:20]
So that’s a twofold question, right? How do you, how do you do a CMMC enclave where there’s truly CUI in it, right? Oh, and then how do you do a CMM, a non CUI enclave where you’re trying to do R&D, right? Where you want things as free and open as possible. I can’t stress this enough.

Is to get a defined process to be able to traverse the boundary and the defined process, you’re going to need things like auditing and logging and documentation out the wazoo. And scanning, right? Those are the big ones that you’re going to do when you transfer things back and forth. As far as defining what you want, what assets you want in a, in a CUI environment, or what assets you don’t want in a CUI environment.

My recommendation is you’re doing any sort of R&D. I would do everything I could to get those out of the CUI boundary, put those in their own logically separated environment so that you can have oversight, but there’s no Not a massive amount of width of auditing, controlling, and all of that stuff that access control and physical controls, training and all the configuration management, like all that stuff.

You need to do a little bit of that in there so that you kind of know what’s going on in that general environment, but it’s not nearly as heavy as what you’re going to do when you, when you start doing this on CPC. You know, as a process, see why the reverse of that, if most of your stuff is all R and D and your smaller enclave is the UI, I would recommend subscribing to a cloud services, GCC high being one of them.

Try to figure out a way to where you can get a relatively smaller footprint, I guess, of CUI into a cloud service provider, if possible, right? The sharing of risk matrix is. Going to really benefit you in the long run. But again, you’ve got to make sure that whatever, whatever you’re doing on on laptop number one or device number two you are truly not processing CUI.

And I think we’ve kind of talked a little bit before about setting that example and setting a precedent with these assessors as they come in and understanding this is a CUI asset. This is not end of discussion. So I think we’re going to have to follow whatever precedents start getting sent early, because otherwise you can make a case for either direction pretty easily.

And that’s what’s going to be tough about being an assessor. 

Max Aulakh: [00:32:02]
I think it’s going to be really difficult to be an assessor and and and Reuben We just I just appreciate you coming on the show And i’ll definitely love to have you back on especially to talk about cross domains There’s a lot we can dig in in all these areas and and as we learn more as assessors I I think there’s going to be a heightened scrutiny.

So thank you so much for coming on the show And I really appreciate it. 

Reuben Patton: [00:32:25]
Absolutely. My pleasure, Max. It’s always a great time. 

Max Aulakh: [00:32:28]
Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com/reckless-compliance you’ll find notes, links, and additional content head over to iTunes to subscribe, rate, and leave a review.


Ignyte Platform becomes a third-party assessment organization (3PAO), now listed on the FedRAMP Marketplace - Read More