How Microsoft’s Secure Enclaves Can Help Achieve CMMC Compliance

Organizations working in the military industrial base follow rigorous cybersecurity policies to ensure national defense strategies don’t fall into the wrong hands. U.S. Department of Defense (DoD) contractors and companies in the supply chain are all tasked with adhering to the Cybersecurity Maturity Model Certification (CMMC) framework. Companies that benefit from lucrative government contracts must also demonstrate compliance in a timely manner. Although staying in CMMC compliance can prove challenging at times, the use of Microsoft’s Secure Enclaves helps overcome obstacles and keep sensitive data more secure than ever before.

Let’s explore how Microsoft’s secure enclaves, such as Azure Confidential Computing and Trusted Execution Environments (TEEs), can help businesses meet CMMC requirements by providing secure, isolated environments for processing and storing Controlled Unclassified Information (CUI). By better understanding what the DoD expects in terms of CMMC compliance and how Microsoft’s Secure Enclaves work, industry leaders can make informed decisions about whether to level up their cybersecurity posture.

Understanding CMMC Compliance

CMMC compliance has been a long time coming. Based largely on National Institute of Standards and Technology (NIST) guidelines, the federal government began its first big rollout in 2020. A change in administrations and a review of the cybersecurity policy prompted a second incarnation, CMMC 2.0, with a final rule promulgated in October 2024. As of December, companies need to adjust their digital security to fall within the parameters of one of the following three tiers of CMMC cyber-hygiene.

Level 1 (Foundational)

The focus of the lowest CMMC tier involves protecting Federal Contract Information (FCI). Maintaining Level 1 compliance entails implementing 17 security measures taken primarily from the Federal Acquisition Regulation (FAR). Many of the outfits that fall into this tier work in the supply chain and require basic cybersecurity measures. Things like network and data access control, enterprise-level firewalls, anti-virus software and other common business security measures are essential. An operation required to meet Level 1 standards can conduct a self-assessment based on CMMC metrics and report the findings to the federal government.

Level 2 (Advanced)

An enterprise that handles Controlled Unclassified Information (CUI) must implement 110 practices based on NIST SP 800-171. The more stringent cybersecurity procedures are designed to detect and repel more sophisticated threats. Adopting security measures such as multi-factor authentication, zero trust architecture and encryption supports Level 2 compliance. Some operations may be able to self-attest, while others are required to undergo an independent assessment from a Certified Third-Party Assessor Organization, or C3PAO, as cybersecurity insiders like to say. This is also where Secure Enclaves come into play.

Level 3 (Expert)

At the highest CMMC tier, military contractors and others handling CUI are required to comply with a full complement of practices and controls based on NIST SP 800-171 and NIST SP 800-172. Companies must demonstrate an ability to detect, deter and repel advanced persistent threats, including those directed by well-funded and sophisticated nation-states. Cybersecurity measures such as zero trust, threat-hunting and encryption are fundamental aspects of CMMC Level 3 compliance.

Importance of Protecting Controlled Unclassified Information

Safeguarding CUI and FCI are the stated goals of the CMMC 2.0 policy. Depending on the data’s content, this information holds clues or keys to national security programs. Adversaries, such as China, Iran and Russia, among others, invest heavily in hackers and cyber-espionage to breach governmental networks and American companies. They harbor hopes of getting tidbits of data that help uncover the DoD programs and plans that help keep everyday people safe.

Before CMMC was launched, defense contractors and businesses in the military supply chain routinely let their cybersecurity posture slip. Back then, the Pentagon would penalize companies for national security failures only after the fact. Today, CMMC 2.0 regulations call for proactive compliance score reporting and C3PAO assessments before an enterprise can participate. In other words, the break-and-fix model is a thing of the past.

What Are Microsoft’s Secure Enclaves?

A secure enclave isolates processes and data within a physical area of your hardware. Components such as a Central Processing Unit (CPU) or System on a Chip (SoC) essentially serve as safe havens where legitimate network users can handle CUI and FCI without fear of hackers stealing these and other types of data. That’s primarily because Microsoft’s Secure Enclave keeps the data within certain confines and encrypts it, so prying eyes cannot see it.

It may be helpful to visualize a secure enclave like a black box. No one can see through its walls, and even if you stepped inside, the pitch darkness would not allow you to negotiate the space. Microsoft Secure Enclaves accomplishes these feats through isolation (Trusted Execution Environments) and encryption (Azure Confidential Computing).

How Does Confidential Computing Work?

This cloud computing technology allows organizations to effectively quarantine data within a CPU while it is in use. The computing functions are rendered confidential because only the individual with privileged access can interact with the files. Taking that one step further, only the authorized user can even see the items being handled. If this concept seems overly theoretical, consider it through the lens of other, more common data security methods.

A virtual private network is designed to let remote workers connect to company networks over Wi-Fi through an encrypted tunnel that hackers cannot see into. The idea is to hide in plain sight while would-be online criminals monitor the public internet provided in coffee shops and similar places.

By that same token, the isolation aspect echoes the zero-trust architecture advocated by the DoD, which also supports CMMC compliance. Just as zero trust programs use microsegmentation to place digital firewalls and other barriers around resources, confidential computing technologies keep data in use within the confines of CPUs and SoCs.

How Do Trusted Execution Environments (TEEs) Work?

A trusted execution environment is essentially the technical term for a secure enclave. A TEE serves as a partition, wall or black box, if you will. These secure locations often have dedicated memory and may run a distinct operating system, called a Trusted OS. The secure applications used within the TEE safe havens are usually referred to as Trusted Applications. They are typically not available throughout the organization’s digital ecosystem. This facet ensures that outside forces cannot manipulate the applications or use them as unsecured entry points.

If you are an industry leader deciding whether to invest a portion of your managed IT and cybersecurity budget into Microsoft Secure Enclaves, you may think the added measure is already reflected in other cyber-hygiene efforts. To some degree, that assessment holds true. However, secure enclaves provide the next logical step toward preventing threat actors from stealing national security information.

Backed by bottomless financial support from rogue entities, cyber-espionage criminals are devising ways to overcome multi-factor authentication, zero trust architecture and every enterprise-level firewall and anti-virus application on the market today. Before these unscrupulous individuals figure out a new scheme, secure enclaves do three things. They demonstrate that U.S. companies are playing chess, not checkers. They provide the cybersecurity necessary to meet stringent CMMC 2.0 regulations. And lastly, this cybersecurity defense proves highly successful at frustrating insider threats.

The Growing Problem of Insider Threats

Discussions about so-called “insider threats” have a tendency to become uncomfortable. The gut reaction to bringing up the topic with many business professionals circles back to trust. Few industry leaders want to go on the record stating they don’t trust employees and key stakeholders. Unfortunately, approximately two-thirds of companies reportedly experience more than 21 insider incidents on an annual basis.

It’s essential to keep in mind that insider threats are not necessarily disgruntled employees or people who made a poor life choice. In the military industrial base, foreign nationals routinely attempt to infiltrate private-sector organizations that handle CUI and FCI, as well as high-level intelligence. Once a bad actor gains legitimate access to a network, confidential and sensitive data can be exposed.

For organizations that rely on cloud-based infrastructure, a wide range of individuals may possess the authorization to access business networks, unbeknownst to leadership teams and chief security officers. Given that upwards of 95 percent of all cyberattacks are reportedly motivated by financial gain, the value of military intelligence can drive people with weak constitutions to commit cybercrimes. Setting aside the fact that human error continues to present a vulnerability, it’s easy to see why secure enclaves offer a cure to these ills and a pathway to CMMC compliance.

How Secure Enclaves Support CMMC Compliance

Secure enclaves are not a radical departure from effective security measures such as zero trust, SOCs and other approaches. Instead, they help harden elements of the attack surface that were previously exposed as a vulnerability. Yes, the chance of an authorized cloud administrator targeting a DoD contractor or supply chain operation is probably minuscule. But finding cracks in cybersecurity defenses is precisely what nation-state threats get paid to do. These are the ways secure enclaves help members of the military industrial base meet CMMC regulations and pass assessments.

Simplified Cybersecurity

Digital security experts continue to seek innovative ways to deter, detect and repel advanced persistent threats. Some approaches are complicated, cumbersome and challenging to implement. Microsoft’s Secure Enclaves simplify data security in a variety of ways. Much of the hardware is ready to adopt isolated areas where encryption can take place. Even if hackers peep inside or successfully pull off a breach, they cannot make use of the CUI or FCI unless they have the decryption key. Secure enclaves can process and secure fully encrypted sensitive data.

Streamlined Assessment Process

Organizations that fall into the Level 2 and 3 tiers will likely need to bring in a C3PAO to conduct an impartial CMMC audit. Although Level 1 and some Level 2 operations are allowed to self-attest and file the results with the federal government, many partner with a certified cybersecurity firm to get it right. Not meeting CMMC regulations can leave a business sidelined, losing revenue until the vulnerabilities are cured.

That being said, adopting secure enclave measures demonstrates proactive data protection. With data shielded from incursions and insider attacks, a C3PAO will have little difficulty certifying the organization.

Cost-Effective Data Protection

By refocusing CMMC compliance efforts, secure enclaves typically reduce the implementation costs associated with broad data protection strategies. Using hardware already designed to accommodate this approach, the cybersecurity solution slims down the way companies safely handle CUI and FCI. Rather than having to deter, detect and expel threats, secure enclaves allow outfits to handle sensitive information while hiding in plain sight. Along with easing the assessment efforts, these encrypted black boxes can replace outdated cybersecurity programs.

Minimize The Attack Surface

Consider how expansive your operation’s attack surface has become in recent years. Remote work has become the norm, allowing network users to log in from a wide range of endpoint devices. Employees, vendors and independent contractors will sometimes use unsecured public internet, creating an unknown vulnerability. While cloud security has become a priority, sensitive data is no longer in a single location.

Adopting secure enclaves doesn’t reduce the physical or cloud-centric attack surface. In theory, it eliminates it altogether. Data storage and processes take place in a black box that may as well be a black hole, as far as hackers are concerned. Delivering end-to-end encryption in a secure location that affords users confidential computing, Microsoft Secure Enclaves also works seamlessly with tools such as Defender and Sentinel.

Red River Implements Secure Enclaves Solutions to Support CMMC Compliance

Protecting valuable and confidential data grows increasingly difficult as advanced persistent threats revise criminal schemes to steal national security intelligence. At Red River, we work diligently with companies supporting the country’s defense by helping them implement decisive data protections such as secure enclaves. If you are interested in learning more about Microsoft’s Secure Enclaves, Red River has solutions. Contact us today, and let’s get the process started.