VDI Solutions- Not Right for Everyone
One innovative solution for reducing CMMC compliance cost and implementation time is a Virtual Desktop Interface (VDI). VDIs create a secure, virtualized desktop experience to users. VDI can provide a Windows, Linux, or even Mac desktop for users to log into remotely.
In this setup, end users interact with the environment using only a display, keyboard, and mouse, in accordance with 32 CFR requirements. No copy/paste outside of the VDI is permitted. This means that the actual computing resources—and the Controlled Unclassified Information (CUI) they process—reside in the Cloud rather than on local devices.
The most significant benefits of a VDI in a CMMC certified environment include reducing physical control, monitoring, and updating responsibilities for the Organization’s Security Controls (OSC). Here’s how:
- Reduced Physical Controls: Since users work in a virtual environment, hosted on the cloud, many physical security controls can be shifted from the OSC to the VDI provider. For example, the OSC does not need to maintain visitor logs for their facility with a VDI only solution.
- Shared Compliance Burden: More than half of the 110 controls required under CMMC can be managed directly by the VDI provider. This significantly speeds up the implementation process. And it reduces the overall cost and complexity of compliance.
- Centralized Management: Responsibility for operating system updates, patch management, and monitoring is transferred to the VDI provider. This allows OSC teams to focus on higher-level strategic security initiatives – like combating insider threats.
Limitations of VDI Solutions
VDI solutions aren’t a one-size-fits-all remedy. So, know what you are getting before planning your compliance effort around VDI.
- Local Printing Needs: Companies that require local printing capabilities cannot effectively use VDIs to reduce cost or implementation time.
- Manufacturing Environments: In industries where Controlled Unclassified Information (CUI) is stored locally—such as in many manufacturing settings—a VDI is not a viable option.
- Not a “Get Out of Jail Free” Card: VDIs help alleviate many compliance burdens, but they are part of a broader security strategy rather than a silver bullet for many, perhaps most, companies.
Final Thoughts
Implementing a VDI in a CMMC certified environment offers substantial benefits by shifting many compliance responsibilities to the provider. They work best for companies that develop software, provide data analytic services, or staffing companies. But, for companies that work with physical devices or need access to paper copies of CUI, they are not as viable.
