CMMC Compliance Made Easy: How We Created an Enclave for Secure Research That People Actually Love Using

The University of South Carolina is in the process of strategically positioning itself as a research-oriented hub of innovation that is ready, willing, and able to accept new government grant projects, with an eye towards building a reputation in this area. More than $55 million in research funding has come in from government and industry partners in the past year, and the College of Engineering and Computing, specifically, has seen a 170% increase in federal funding for projects addressing national security and resilience in the past six years.

To support this push, the university’s Research Computing department tasked my colleague, Systems Architect, Marshall Hollis, and me as chief architects in building a greenfield deployment of a secure online collaboration environment for researchers and faculty. A key requirement of this environment was that it meet the compliance requirements of the Cybersecurity Maturity Model Certification (CMMC).

An environment that other departments can use
The CMMC, based on Special Publication 800-171r2 published by the National Institute of Standards and Technology (NIST), is a unifying standard and certification program to ensure that Department of Defense (DoD) contractors properly protect sensitive data. It’s very stringent. With about 50 researchers and faculty members needing access to the sensitive resources, it didn’t make sense to apply CMMC-level security to the entire university. 

Our solution was to create a secure and CMMC-compliant environment with the flexibility to extend the same zero trust security approach to users in any department at our university with similar needs. We call it the Carolina Enclave for Secure Research (CESR).

It works in today’s work-from-anywhere world
We started the project prior to the pandemic, when people were working from their offices and laboratories. When the project was initially being scoped, it was proposed that the environment would block internet access entirely, as a security precaution. 

But things got complicated during the pandemic when remote work became necessary. It became increasingly clear that blocking the internet altogether was unrealistic and impractical. Post-pandemic, researchers wanted the freedom to continue working remotely—from home and when on the road at conferences—in addition to working at their on-campus offices and labs - all with the online collaboration tools they had become accustomed to. 

Goodbye to the rigid, burdensome, and noncompliant environment of the past
The environment that carried us through the pandemic (which we had originally set up for this research) was very locked down. Users had to go through a two-factor authentication process every time they needed to get into a given area of the environment. If researchers needed a site to be unblocked, it had to be done individually through a centrally managed ticket process that served the whole university.

The environment was not only burdensome and inefficient to users; it still lacked key security features such as data loss prevention (DLP). It didn’t block third-party mail services and file-hosting services, which are easy vectors for attackers to exfiltrate data. Most importantly, our existing VPN did not meet the encryption requirements of CMMC. 

Easy to deploy, support, and scale
We needed a solution that would prevent data exfiltration while still allowing internet access, but one that was easy to deploy and manage since our staff resources are limited. We didn’t want any onsite equipment to maintain or support. And it needed to be scalable and work in the offices, research labs, and homes of our graduate students and faculty.

After evaluating possible solutions, we decided to build our Carolina Enclave for Secure Research on the Zscaler Zero Trust Exchange platform. It provides seamless direct-to-cloud access to approved online resources and SaaS applications while ensuring the safety and integrity of sensitive government data. 

Everyone loves it
Our users are thrilled with how fast and easy it is to gain access to sites that are necessary to their research projects and with overall improvements in user experience. They no longer have to worry about a complex set of rules when they log on to work. Now, they can just open up their laptops and start working. The security boundary is more complete and definite, but the users are not even aware, so now they can concentrate on their research and not on the environment, no matter where they are.

From a deployment and implementation standpoint, Zscaler has been a huge time-saver. We’ve sped up onboarding of new researchers from a couple of weeks to a couple of days. It has really cut down on complexity both on the implementation side and on the user side while also improving our security posture.

Built for the future
Moving forward, we feel confident that compliance with the new CMMC 2.0 requirements should be straightforward, since Zscaler solutions are authorized by the Federal Risk and Authorization Management Program (FedRAMP) and for DoD IL5. As our college continues to grow its reputation in projects involving sensitive government data, our environment is ready to grow with it. The Zscaler platform helps our college compete for government-funded projects and build our name in the industry as a trustworthy steward of sensitive Controlled Unclassified Information (CUI).

Read the case study to learn more details about how cloud-native Zscaler Zero Trust Exchange checked all the boxes for the University of South Carolina’s Enclave for Secure Research–from alignment with DoD compliance requirements and protection of highly sensitive data to a seamless user experience and simplified management.