CISSP · Question #1209
A firm within the defense industry has been directed to comply with contractual requirements for encryption of a government client's Controlled Unclassified Information (CUI). What encryption strategy
The correct answer is B. Perform logical separation of program information, using virtualized storage solutions with built-in. For protecting CUI data at rest efficiently and cost-effectively, logical separation combined with virtualized storage solutions that include built-in encryption provides targeted protection without over-engineering the solution.
Question
Options
- APerform physical separation of program information and encrypt only information deemed critical
- BPerform logical separation of program information, using virtualized storage solutions with built-in
- CPerform logical separation of program information, using virtualized storage solutions with
- DImplement data at rest encryption across the entire storage area network (SAN)
How the community answered
(27 responses)- A19% (5)
- B59% (16)
- C7% (2)
- D15% (4)
Why each option
For protecting CUI data at rest efficiently and cost-effectively, logical separation combined with virtualized storage solutions that include built-in encryption provides targeted protection without over-engineering the solution.
Physical separation is costly and operationally inefficient, requiring dedicated hardware for CUI storage, and encrypting only 'critical' information may leave CUI inadequately protected and non-compliant with contractual requirements.
Logical separation using virtualized storage with built-in encryption is the most efficient and cost-effective approach because it leverages existing virtualization infrastructure capabilities to apply encryption specifically to CUI data segments without requiring additional hardware or broad encryption overhead. This aligns with NIST SP 800-171 and CMMC requirements for protecting CUI by scoping the encryption boundary appropriately. Built-in virtualized encryption reduces licensing and operational costs compared to third-party or full-infrastructure solutions.
While similar to B, this option implies virtualized storage solutions without the built-in encryption component, meaning additional third-party encryption tools would be needed, increasing cost and complexity.
Encrypting the entire SAN is overly broad and cost-prohibitive, applying encryption resources uniformly across all data regardless of sensitivity, which is neither efficient nor targeted to the specific CUI protection requirement.
Concept tested: CUI data at rest encryption strategy for CMMC/NIST 800-171 compliance
Source: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.