Why CMMC Compliance Starts with Mobile CUI Security
Enterprise mobility is no longer a luxury; it's a necessity. But as employees increasingly use their personal devices for work, organizations face a critical challenge: how do they provide mobile access to Controlled Unclassified Information (CUI) without expanding their attack surface to every device? Many companies turn to Mobile Application Management (MAM) solutions, believing they are adequately protecting sensitive data. However, this approach can create a false sense of security, leaving the organization vulnerable.
Laura Schwab, Director of PR and Channel Marketing at Hypori, sat down with Matt Stern, CSO, to discuss how to provide secure mobile access to CUI and the critical flaws in relying on MAM solutions.
Q&A with Matt Stern, CSO at Hypori
Laura Schwab: Hey folks, my name's Laura. I head up PR here at Hypori and I've got Matt Stern, our CSO here today. We're gonna be doing a special edition of the Stern Report and we're gonna quickly just go over a few different topics that we've been hearing some questions recently about, including protecting CUI, the next big thing and the next big date when it comes to CMMC and also how we can address securing the supply chain.
So Matt, there's been a lot of discussions around the need to protect CUI, but at the same time, employees and corporations want to allow the convenience of mobile access and remote work. With that in mind, how does Hypori protect CUI, give employees mobile access without putting companies at risk?
Matt Stern: So, we really have three main areas of how we protect data. Number one, the client that's on the end user device that accesses CUI information never has data on the device. We do not move the data back and forth. So all of that stays in the protected cloud. The app only allows you access to that information and you have a view into the world that is CUI protected.
Inside the environment itself, it's in a FedRAMP High environment that has all the protections and capabilities required to meet that stringent certification.
And third, when you're inside of Hypori, we call it a virtual workspace. When you're inside of that virtual workspace, you connect to the enterprise environment the way you would do it normally with all the security capability in place.
Laura Schwab: A lot of corporations are utilizing a MAM solution when it comes to providing their employees with mobile access, and they think they're protecting CUI. What's the issue with someone utilizing a MAM solution?
Matt Stern: Well, first of all, I just wanna say that MAM is not exactly a secure solution for anything.
In the latest version of the Stern Report, I go into the details of why that is. But I would also bring up the point that once you use a MAM solution, the mobile user device is still in scope, and you've extended your attack surface to every device that you don't control and you're not sure is secure.
So are you really protecting CUI?
Laura Schwab: So it sounds like, you know, with Hypori, you're out of scope; with MAM, you're still in scope, and you're gonna have to verify that during your audit process.
Matt Stern: That is correct. Absolutely.
Laura Schwab: I really appreciate you answering the questions around how Hypori protects CUI. So if we're shifting gears here and we're looking at CMMC, the next big date is November 10th. So how does Hypori fit into the CMMC conversation?
Matt Stern: Great question, Laura. We fit into the CMMC conversation by number one, if you're going to allow your employees to have mobile access to your CUI information, we're out of scope. So the end user device, which has no data, we do no processing or storage on that device, is out of scope. And number two, because we're in a FedRAMP High environment, we meet all the criteria for the DoD CIO's memo for FedRAMP equivalency and protection of CUI. So as a CSP, you know that using us to protect your CUI data in a mobile environment will pass your audit.
Laura Schwab: So lastly, we're gonna talk about securing the supply chain. So hypothetically, if we're looking at it from a prime's point of view, what are some things that they need to be considering, especially when it comes to the other folks that they're working with?
Matt Stern: So number one, a prime has to worry about all the members of their contract. So if they have subcontractors or vendors, they have flow-down requirements. That means that those vendors and subcontractors have to meet the CMMC requirements as well. Using Hypori, they can collaborate and communicate and actually give some vendors view-only access to documentation, specifications, those kinds of things so that they can meet the requirements, but not have that vendor or subcontractor burdened with all the CMMC requirements that, or security requirements that they may be required to do.
Laura Schwab: Thanks, Matt. That's super helpful to understand looking at it from a securing the supply chain point of view. You also really address the next deadline when it comes to CMMC, how we fit into that equation, and also how we protect CUI. So I appreciate your time today and addressing those three points. So thank you again, everyone, for joining us. And if you have any questions, let us know in the comments.
Matt Stern: Thank you.
The Bottom Line
The fundamental difference in approach comes down to where your data lives. While MAM solutions attempt to secure corporate data after it has been moved to an unmanaged personal device, Hypori ensures sensitive information never leaves the secure environment in the first place.
By keeping end-user devices out of the compliance scope, organizations can finally solve the tension between mobility and security. Employees get the mobile access they need to be productive, and security teams maintain complete control and visibility, ensuring CUI is protected. It’s not a compromise between security and productivity. It’s achieving both.


