A question our Clients ask all the time is, "Do we need to encrypt our computers for CMMC compliance?" The short answer is: it depends. You must start with identifying the level of certification you need, as well as where and how CUI is stored.

If you are in the DoD supply chain and handle CUI, you must certify at CMMC Level 3 or above. CMMC and NIST 800-171 explicitly state that media where CUI is stored must be encrypted.

So if you store CUI on your on-premises server, the server must be encrypted. If your quoting staff handle that CUI on their computers to quote a job, those computers must be encrypted as well.

If you have connected computers across the network, but they don't explicitly handle CUI, then they technically don't have to be encrypted, but let's think about this for a moment...

It is possible that CUI will end up on one of those computers at some point. It's also going to be harder to manage and remember which computers should be encrypted and which should not. And encryption is simply a cybersecurity best practice, so we recommend that all company-owned computers and servers be encrypted.

Another question we often hear from our Clients is: How should we encrypt our computers and servers?

The great thing about Windows 10 is that the OS comes with Microsoft BitLocker built in. All you need to do is turn on BitLocker, and it will encrypt your entire operating system drive. It's best practice to also enable encryption for any external hard drives used with Windows.

If you're not using Microsoft devices, or your computers aren't running Windows, we recommend looking at third-party software such as Beachhead or TrueCrypt.

But before you rush out and press the "encrypt now" button, remember that a recovery key will be generated, and you'll need a secure place to store it.
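As an added example (not from the original post), here is a PowerShell script that audits BitLocker on a Windows 10 machine, turns it on for any unprotected drive, and backs the recovery key up to Active Directory before encryption starts. It assumes a ready TPM and a domain configured to store BitLocker recovery information; for Azure AD-joined machines, BackupToAAD-BitLockerKeyProtector is the equivalent escrow cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's code. Assumes a ready TPM and an AD
# domain prepared to store BitLocker recovery passwords.

function Get-BitLockerReport {
    # One row per volume: encryption state, protection state, recovery key present?
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume         = $_.MountPoint
            Type           = $_.VolumeType        # OperatingSystem or Data
            Status         = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
            Protection     = $_.ProtectionStatus  # On or Off
            HasRecoveryKey = ($_.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
        }
    }
}

function Enable-BitLockerWithEscrow {
    param([Parameter(Mandatory)][string]$MountPoint)

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM is not ready; fix the TPM before enabling BitLocker on $MountPoint."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return $vol }

    if ($vol.VolumeType -eq 'OperatingSystem') {
        # Create the recovery password first, then bind the drive to the TPM.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
    } else {
        # Data drive: recovery password plus auto-unlock once the OS drive is protected.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint
    }

    # Escrow the recovery password to AD so a lost key does not mean lost data.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    return $vol
}

# Report, then protect every unprotected drive, OS drive first.
Get-BitLockerReport | Format-Table -AutoSize
Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'Off' |
    Sort-Object { $_.VolumeType -ne 'OperatingSystem' } |
    ForEach-Object { Enable-BitLockerWithEscrow -MountPoint $_.MountPoint }
```

Run the report function alone on each machine to confirm every fixed drive shows Protection On and HasRecoveryKey True before counting it as covered.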

Servers can be a little more tricky. All your data lives there, and the device is critical to your business operations. If you don't do it right, you could lose access to all your data and applications.

Windows Server operating systems also come with BitLocker, and you can still choose third-party encryption software, but there is actually a far easier method: self-encrypting hard drives.

Self-encrypting hard drives keep the encryption key inside the drive's own hardware. This means the encryption can't be turned off, and the drive can't be removed, unless someone has physical access and knows the procedure. And if a hacker does get hold of the drive, they won't be able to read your data without that key, because there is no way for them to bypass the self-encrypting technology.

But don't stop there. Inventory every device in your company that holds data and determine how to encrypt it. Some devices (like Apple's iPhone) come encrypted out of the box. Other devices need to have encryption turned on.

Bottom line: In this age of increasing threats, encrypt everything.