What is the Cuick Trac Managed Enclave?

The Cuick Trac Managed Enclave (CTME), at its core, is a Cloud Service Offering (CSO) that achieved FedRAMP Moderate Equivalency from a FedRAMP-recognized 3PAO. The Cuick Trac Managed Enclave is pre-configured and fully managed, and satisfies the technical requirements of NIST SP 800-171 Rev 2. Because Cuick Trac is a virtual enclave with defined technical boundaries, it allows for control of CUI data flows, as CUI never touches the OSC's (organization seeking certification) network or device. Cuick Trac's technology and compliance advisory support guides you towards compliance with DFARS 252.205-7012, NIST 800-171, and the CMMC 2.0 requirements. Cuick Trac was purpose built for businesses who lack the bandwidth and resources to implement and manage the required technical and security controls, required by the Federal Government for protecting CUI. The Defense Industrial Base (DIB) needs solutions that are affordable, practical and secure by default, that can also be implemented in a shorter amount of time.

How does the Cuick Trac Managed Enclave help me?

The purpose of Cuick Trac is to help businesses who currently work with, or want to do work with, the Department of Defense (DoD) and federal government to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), per the requirements in their contracts. Cuick Trac takes responsibility for 78% of the assessment objectives within NIST 800-171A/CMMC Level 2 assessment guides, and our team of compliance advisors guide our customers through the remaining 22%. This significantly decreases your Plan of Action and Milestones (POA&M) and internal responsibility burden for our customers.

Does Cuick Trac replace my MSP provider or internal IT team?

No. With CTME, our goal is to always work with as much of your current business processes that are already in place, including your current MSP or internal IT team. Disruption to your business is detrimental, thus a collaborative approach will be key in regard to how CUI data is collected, stored and accessed. As a FedRAMP Moderate Equivalent Cloud Service Offering (CSO) from a Cloud Service Provider (CSP), your MSP or internal IT team can leverage the CTME for your CUI program, lower the burden internally.

Is Cuick Trac another tool or software application?

No, Cuick Trac is not a software. Cuick Trac is a Cloud Service Offering (CSO) that is a fully managed virtual enclave/controlled environment on U.S. soil, managed only by U.S. persons. CTME has everything you need from a technology standpoint, to meet the requirements such as a SIEM, encryption at rest, encryption in transit (email and file transfer), patch management, secure back-ups, MFA and more. Unlike a single application or tool that does one or two of those requirements, Cuick Trac meets ALL technical controls for NIST 800-171 and CMMC Level 2.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) refers to unclassified information that is to be protected from public disclosure. The CUI designation replaces 'sensitive but unclassified' and other similar control markings. To learn more, download our ebook or see examples of CUI.

What is DFARS, NIST 800-171 and CMMC?

The DFARS 252.204-7012 clause says that if you handle Controlled Unclassified Information, you should have implemented NIST SP 800-171 no later than Dec 31, 2017. Since this deadline has passed and many defense organizations don't meet this current requirement, the DoD developed CMMC. Organizations within the DoD supply chain need a risk-based approach to become compliant, and more importantly, secure their environments where CUI is processed, stored and transmitted. NIST SP 800-171 is the National Institute of Standards & Technology (NIST) special publication providing 110 recommended security controls for protecting the confidentiality of CUI (Controlled Unclassified Information – a subset of CDI). The Cybersecurity Maturity Model Certification (CMMC) is the standard the Department of Defense (DoD) is using to verify the members of the Defense Industrial Base (DIB) fully meet their cybersecurity requirements, prior to contract awards.

What is an SPRS score, and how do I get one?

In September, 2020, the DoD released a new interim rule, approved by the Office of Management and Budget (OMB), that requires all contractors subject to DFARS 252.204-7012 within the DoD supply chain, to have an accurate assessment on record, prior to award. The interim rule becomes a bridge between the self-assessment process of DFARS 252.204-7012/NIST 800-171 and the CMMC certification process. The Supplier Performance Risk System (SPRS) is the official DoD system for recording these assessments. Your SPRS score is a numerical representation of your compliance status with NIST 800-171. The maximum score is 110, and a lower score indicates more controls are not yet implemented. You get one by completing a self-assessment and submitting it to the SPRS website.

Do I need a System Security Plan (SSP) and Plan of Actions and Milestones (POA&M) Before Utilizing Cuick Trac?

No. While you will need an SSP and POA&M for your CMMC Level 2 assessment, you do not need to have them completed before utilizing Cuick Trac. In fact, many of our customers utilize our compliance advisory services to help them complete their SSP and POA&M after they have deployed the Cuick Trac Managed Enclave. The CTME provides the technical controls and documentation that form the foundation of your SSP and significantly reduces the items on your POA&M.

What happens if I'm not compliant with DFARS/NIST 800-171?

If you are not compliant with DFARS 252.204-7012, you are in breach of contract with the DoD. This can lead to a variety of negative consequences, including the inability to bid on new contracts, loss of current contracts, and potential legal action. The CMMC framework is designed to ensure that all DIB companies are compliant, and non-compliance will eventually result in the inability to work with the DoD.

Who mandates these requirements?

The requirements are mandated by the Department of Defense (DoD) through the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which references NIST SP 800-171. The Cybersecurity Maturity Model Certification (CMMC) is the DoD's verification mechanism for ensuring compliance with these requirements.

We don't have a SIEM or any way to monitor events/incidents/breaches, does Cuick Trac do that?

Yes. Cuick Trac is a comprehensive solution that includes a Security Information and Event Management (SIEM) system as part of the managed enclave. The CTME includes everything you need from a technology standpoint to meet the requirements, including monitoring for events, incidents, and breaches, which is a critical control for NIST 800-171 and CMMC Level 2.

NIST 800-171 3.13.2 Secure Design

Overview of NIST 800-171 Control 3.13.2

NIST 800-171 control 3.13.2 focuses on applying security engineering principles during system development and configuration. The intent is to ensure security is integrated into architecture, design decisions, and implementation practices rather than added late through reactive fixes. When systems handle Controlled Unclassified Information (CUI), design-stage decisions strongly influence long-term exposure, monitoring burden, and the likelihood of control failures.

For CMMC Level 2 scoping, this control is commonly demonstrated through repeatable engineering practices that reduce attack surface, constrain privilege, and ensure controls remain effective as systems evolve.

What the Control Requires

Control 3.13.2 expects organizations to use security engineering concepts when developing, integrating, and configuring systems. This typically includes establishing standards and processes that guide secure system design, selecting configurations that reduce risk, and validating that security assumptions remain true after deployment and change.

Security built into design: Architecture decisions reflect security objectives, trust boundaries, and intended control placements.
Secure implementation: Development and configuration follow defined standards that reduce vulnerabilities and misconfiguration risk.
Change-resilient controls: Updates and integrations are evaluated for security impact and verified after implementation.

Security Engineering Principles Commonly Applied

Security engineering principles are practical design rules that help prevent common failure modes. Organizations should select principles relevant to their environment and document how they are applied to systems in scope.

Least privilege: Limit permissions to what is necessary for roles, services, and integrations.
Separation of duties: Prevent a single individual or process from having unchecked end-to-end control over sensitive actions.
Defense in depth: Use layered safeguards so a single control failure does not result in compromise.
Secure defaults: Configure systems to a secure baseline, requiring deliberate action to reduce security.
Minimize attack surface: Remove unnecessary services, ports, software components, and execution paths.
Fail securely: Ensure error conditions do not grant access or expose sensitive information.

Practical Implementation in Real Environments

Organizations often meet 3.13.2 by combining documented engineering standards with technical enforcement and review checkpoints. The objective is to make secure design repeatable and verifiable.

Architecture and boundary definition: Maintain clear trust boundaries, data flows, and control placement decisions for in-scope environments.
Secure configuration baselines: Standardize hardening settings for operating systems, endpoints, network devices, and platforms.
Secure development practices: Use coding standards, dependency controls, and review processes to reduce vulnerabilities.
Threat-informed design reviews: Evaluate how adversaries could abuse interfaces, identities, or integrations and adjust designs accordingly.
Change impact evaluation: Assess security impact before changes and validate controls after changes are implemented.

Audit-Ready Engineering and Evidence Table

The table below shows audit-friendly examples of how security engineering is applied across the lifecycle, including required activities, expected outputs, and accountable roles.

Lifecycle Stage	Security Engineering Activity	Audit Evidence to Retain	Accountable Role
Design	Define trust boundaries, data flows, and control placement; apply least privilege and defense in depth	Architecture diagrams, data flow descriptions, boundary definitions, security requirements	System Owner / Architect
Build and Configure	Implement secure defaults and hardening baselines; minimize exposed services and interfaces	Configuration baselines, hardening standards, build checklists, baseline validation results	IT Operations / Platform Engineering
Develop	Apply secure coding standards and dependency controls; review for unsafe patterns and privileged actions	Coding standards, review records, dependency inventories, remediation tickets	Development Lead
Validate	Verify controls operate as designed; confirm least privilege and segmentation assumptions remain true	Test results, access validation outputs, segmentation evidence, exceptions with approvals	Security Engineering
Change and Maintain	Assess security impact of changes; re-validate baselines and control effectiveness after updates	Change records, impact assessments, post-change validation notes, periodic review attestations	Change Manager

Common Gaps to Avoid

Security added late: Controls bolted on after deployment, increasing complexity and leaving gaps in trust boundary design.
Undefined baselines: Inconsistent configurations across systems that increase misconfiguration and drift risk.
Weak privilege design: Overly broad admin roles, shared accounts, or service permissions that exceed operational need.
Unreviewed integrations: New connections, APIs, or tools introduced without a security impact assessment.
Evidence gaps: Security engineering performed informally without retained artifacts that demonstrate repeatability.

FAQ

What does NIST 800-171 control 3.13.2 require?

It requires organizations to apply security engineering principles when developing or configuring systems so security is built in from the start and maintained through change.

What are examples of security engineering principles for 3.13.2?

Common examples include least privilege, separation of duties, defense in depth, secure defaults, and minimizing the system attack surface.

What evidence supports 3.13.2 for CMMC Level 2?

Typical evidence includes architecture and data flow documentation, secure configuration standards, design and code review records, threat modeling outputs, and change control artifacts.

3.13.2: Build Secure Systems by Design—Not as an Afterthought

Overview of NIST 800-171 Control 3.13.2

What the Control Requires

Security Engineering Principles Commonly Applied

Practical Implementation in Real Environments

Audit-Ready Engineering and Evidence Table

Common Gaps to Avoid

FAQ

What does NIST 800-171 control 3.13.2 require?

What are examples of security engineering principles for 3.13.2?

What evidence supports 3.13.2 for CMMC Level 2?

SC.L2-3.13.9[a]: Identify How Your Systems Use Encryption to Protect CUI at Rest

SC.L2-3.13.9[b]: Document How Your Systems Encrypt CUI at Rest

Get a 30-Minute Demo From a Cuick Trac Product Expert

Stay Updated. Stay Secure.

Quick Links

Guides

Resources

Socials

3.13.2: Build Secure Systems by Design—Not as an Afterthought

Overview of NIST 800-171 Control 3.13.2

What the Control Requires

Security Engineering Principles Commonly Applied

Practical Implementation in Real Environments

Audit-Ready Engineering and Evidence Table

Common Gaps to Avoid

FAQ

What does NIST 800-171 control 3.13.2 require?

What are examples of security engineering principles for 3.13.2?

What evidence supports 3.13.2 for CMMC Level 2?

SC.L2-3.13.9[a]: Identify How Your Systems Use Encryption to Protect CUI at Rest

SC.L2-3.13.9[b]: Document How Your Systems Encrypt CUI at Rest

Stay Updated. Stay Secure.

🍪 We Use Cookies