Frequently Asked Questions and Answers

What is CUI-SafeHarbor?

CUI-SafeHarbor is a secure CMMC Maturity Level 3-ready cloud-based Platform as a Service (PaaS) environment for clients to work with Controlled Unclassified Information (CUI) data. It already meets FARS and DFARS requirements and is ready to meet CMMC ML3 cybersecurity requirements for contractors and subcontractors. This provides huge savings in time and costs for anyone looking to develop a CMMC solution in-house. It is available on an annual subscription basis from Duffy Compliance Services.

What are the advantages of subscribing to CUI-SafeHarbor?

The most popular advantage of subscribing to CUI-SafeHarbor is that it offers a quick turn-key solution to meet regulatory compliance. Companies using CUI-SafeHarbor can become CMMC ML3 compliant within a week or two. Another advantage of CUI-SafeHarbor is that it’s also affordable, often costing less than an initial gap analysis (which determines how far away you are from being compliant on your own).

Additionally, you get peace of mind knowing that Duffy Compliance Services, a CMMC Certified 3rd Party Assessment Organization (C3PAO), will continue to take care of all the CMMC compliance requirements as the industry and regulation mature.

Why was CUI-SafeHarbor created?

CUI-SafeHarbor was created to enable smaller federal contractors or subcontractors (usually those without a secure IT network infrastructure) to quickly implement NIST 800-171 security controls and CMMC ML3 practices at a reasonable and affordable cost. It offers the path of least resistance toward CMMC ML3 compliance.

What are some criteria an organization should consider before using CUI-SafeHarbor?

CUI-SafeHarbor was originally designed for organizations of 2-10 users who have limited or no IT network infrastructure. However, the main criterion is only that the organization have a need to protect CUI data. For CUI-SafeHarbor, the size of the service can be adjusted for any organization.

Under what circumstances is CUI-SafeHarbor NOT a good fit or an appropriate solution?

While CUI-SafeHarbor is flexible and scalable, larger companies that have already invested in their own IT network security infrastructure and support are not generally in need of this type of service. Yet some larger organizations may see this as a valuable supplemental environment for protecting and keeping CUI data separate from their normal IT operations.

How long will it take before a client can begin to use CUI-SafeHarbor after purchase (on-boarding process)?

Depending on the size of the implementation, the typical and expected on-boarding process will take a couple of days.

When will CUI-SafeHarbor be available for purchase and use?

CUI-SafeHarbor is available now for annual subscriptions. Annual subscriptions are paid in full. Smaller businesses with a need for additional financial help may qualify for quarterly payments; however, all subscriptions are annual.

Why can’t companies create their own cloud-based CMMC-compliant environment?

Duffy Compliance Services has been working on this solution for over 3 years. We bring several years of CUI analysis and security controls solutions to this infrastructure, and it has been through several iterations. We’ve undertaken the costs to develop this the right way and in a way that will pass certification. We are a CMMC C3PAO and know how to keep current with changes as the regulation matures. Also, the technical controls within the CUI-SafeHarbor are not the only practices that need to be addressed.

Duffy Compliance Services also addresses the non-technical controls that clients will need to address to meet all the practices of CMMC ML3. There are many complexities that had to be worked out with CUI-SafeHarbor. After seeing our subscription pricing, it should be clear that it makes sense to simply take advantage of our experience and investment and start using the product today.

Is using CUI-SafeHarbor appropriate for protecting data that is required for complying with other government or industry standards?

CUI-SafeHarbor was originally designed for organizations of 2-10 users who have limited or no IT network infrastructure. However, just as size is not the factor in determining who should use CUI-SafeHarbor, CUI is not the only type of data that can be protected in this environment. Duffy Compliance Services has spent many hours preparing this system with policies, procedures, and a System Security Plan (SSP) specifically designed for CMMC ML3 compliance. However, there is nothing preventing a similar set of security controls from being allocated to a different compliance regulation.

What is the minimum number of users required for an annual subscription to CUI-SafeHarbor (minimum user license agreement)?

The minimum number of users for an annual subscription to CUI-SafeHarbor is two (2) users. There is no maximum number of users.

How does using CUI-SafeHarbor affect me and my day-to-day use? And how much impact will using CUI-SH have on the performance of my computer?

Using CUI-SH does not affect the user’s workflow or environment very much. The user clicks on an icon and authenticates. Then a re-sizeable window appears and looks like a Windows desktop, but it is sent from the CUI-SH enclave. From there, the user works with the applications like any other desktop window. It can be minimized, re-sized, or moved to a section of the screen or used in a two-monitor set-up. In terms of performance on the user’s device, the impact and overhead are minimal as only small packets of data are transmitted back and forth from the CUI-SH work environment.
