When is Encryption Enough?
Based on the LinkedIn exchanges of views on encrypted CUI and covered systems linked below, I have, as promised, crafted an input to the DoD asking for clarification on whether a system that only contains fully and appropriately encrypted CUI is in fact a covered system.
I apologize for dumping another serious question onto you guys, but the DIBCS Small Business Working group reminded me just Wednesday that your org is a resource for addressing these sorts of questions.
I have one that I feel is very significant for the DIB, with many broad implications depending on your answer. I hope that you will consider adding your answer to the FAQ for use as a reference. This is not a question about a particular instantiation; it is a question about architectures broadly.
This boils down to: is a cloud data environment that is not FedRAMP authorized and is not compliant with the DFARS 7012 paragraph (c)-(g) requirements, such as Microsoft O365 commercial, allowed for a DIB contractor IF the CUI data stored in that environment is APPROPRIATELY ENCRYPTED? See the LinkedIn commentaries here, and here, for additional background. Be sure to click “load previous replies” a number of times to see the entire thread.
Under the future of DIB Cyber, of course, we will have independent assessors evaluating our architectures and making this call based on a holistic set of data. What I consider to be a strong section of the professional community, however, has had multiple long social media exchanges with highly qualified professionals arguing both that such systems are covered systems (as DFARS defines them) and that they are not covered in this scenario. These included assessment companies, CISOs, provisional assessors, and members of the AB Board. We did not reach a consensus.
DFARS 7012 defines a “Covered contractor information system” as “an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.” In short, a system is covered if it touches CDI/CUI.
Is an information system “covered” if it holds only appropriately encrypted CUI? Let us take the below example:
In this scenario, is Switch C a covered system? It transmits fully encrypted CUI.
Now consider that if the answer to this question is Yes, then you have just outlawed all Internet transmission of any CUI, whether it is appropriately encrypted or not.
Let us consider a second case.
We transmit CUI, in a FIPS validated and encrypted manner, to a CSP where it stays encrypted and is later removed, still encrypted. A couple of scenarios where this might apply are where you have a super-encryption capability locally for CUI, or where you encrypt backups and then transmit those encrypted backups to the CSP for long term storage. This is exactly the scenario discussed in the second LinkedIn thread. The presumption is that the CSP does not perform the encryption and does not hold the encryption keys (i.e. it cannot decrypt the information). Encryption is performed locally by the contractor in a FIPS validated fashion. Is the CSP a covered system?
I would argue that this is no different from the switch example. Yes, it handles encrypted CUI, but the encryption is the protection, and therefore the CSP in this case is not a covered system. If unencrypted CUI lands on the CSP, that is a different scenario, and in that case it would be a covered system.
Final scenario. If an appropriately encrypted email transits the O365 commercial architecture, is that O365 commercial system now a covered system, and by definition not compliant, since O365 commercial does not meet the required DFARS standards? Again, the information on O365 commercial is encrypted appropriately by the government employee for the contractor, and on the endpoint (which is a covered system) it is decrypted locally using a Medium Assurance Token (a commercially available encryption token that interoperates with CAC encryption tokens). This is a “the email server is in the cloud” scenario. Again, I would argue that the cloud server is not a covered system because it is not receiving, storing or transmitting unencrypted CUI. The rule, however, does not speak to encrypted versus unencrypted data, and you can make the argument that this is a covered system.
Strategically, the implications of concluding that the systems in these scenarios are all covered are enormous. In the scenarios above, in my view, encryption more than adequately protects the confidentiality of the CUI in question. If we define these as covered systems, we are laying literally billions of dollars of additional expense on much of the DIB (migrating is expensive, and the additional costs are 3x to 8x commercial), and doing so in a fashion that adds little or nothing to our mission of actually protecting the Department's sensitive information.