Architecture
There are several ways for a solution to achieve NIST 800-171/CMMC Level 2 compliance. The standard specifies the what (the required controls), not the how (the system architecture used to implement these controls).
Traditional Security
Traditionally, organizations achieve compliance using network segmentation, access control lists (ACLs), and VPNs. While these approaches can meet 800-171 requirements, they are relatively fragile and are unlikely to satisfy the enhanced protections required by NIST 800-172 (CMMC Level 3), which supplements 800-171. That said, this may be acceptable when compliance with 800-171 alone is the objective.
Why Traditional Systems are Fragile
Traditional architectures rely heavily on perimeter defenses and administrative controls:
- ACL-based systems assume that system administrators have full access to backend systems. An attacker who compromises the backend and escalates to administrator privileges inherits that same broad access to sensitive data, because nothing below the ACL layer prevents it.
- VPN-based access extends the network perimeter to every connected endpoint, expanding the attack surface, and the VPN gateway itself is exposed to configuration mistakes, credential theft, and exploitation of unpatched or zero-day vulnerabilities.
End-to-end Encryption
When combined with VDI (virtual desktop infrastructure), end-to-end encryption offers significant security and compliance advantages. Using this architecture, applications and data remain inside the enclave while users connect through encrypted sessions. Unlike traditional systems, system administrators do not possess decryption keys for user data or user sessions. In addition, the architecture does not depend on VPN-based network access, because communication between the user device, backend services, and virtual machines is encrypted. Although NIST 800-171 does not require end-to-end encryption, it provides several important compliance benefits:
- CUI never leaves the secure environment: Endpoints receive only encrypted display data, and no CUI files are downloaded to local devices.
- Reduced compliance scope: Enterprise IT systems that do not store CUI, as well as user laptops and desktops, remain outside the protected CUI enclave. This holds only while endpoints are configured so that they cannot store, process, or transmit CUI beyond the keyboard, video, and mouse stream of the session; the CMMC Level 2 scoping guidance treats VDI clients configured this way as out-of-scope assets.
- Protection of CUI in transit: End-to-end encryption ensures that communication between the user device, backend services, and virtual machines is cryptographically protected.
- Centralized security controls: Because all CUI processing occurs within the enclave, organizations can centrally enforce patching, monitoring, auditing, and configuration management.
- Simplified incident response: If a user device is lost or compromised, access can be revoked and no local forensic recovery of CUI is required.
tiCrypt's Architecture
With tiCrypt’s secure enclave solution, users work using encrypted sessions and CUI stays inside the enclave at all times. Below is a diagram with an overview of tiCrypt’s architecture.
tiCrypt Connect
Users connect to the system from their laptop or desktop through the frontend interface, tiCrypt Connect. Access occurs via a REST API over HTTPS, ensuring encrypted communication between the user device and the backend. Applications are delivered through secure tunneled sessions, meaning that users interact with applications running inside the tiCrypt environment rather than executing them locally. Communication between the user and the virtual machine is encrypted separately from the HTTPS connection to the backend, so that system administrators, who operate the backend, cannot read session traffic. Multi-factor authentication (MFA) provides an additional layer of identity verification. At no point is CUI stored on the user device; endpoints function only as display terminals for the remote session.
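The property that the End-to-end Encryption section and the paragraph above describe, a backend that routes every session yet cannot read it, only holds if the session key is agreed by the two ends in a way the backend cannot tamper with. The following model illustrates that with a stand-alone Python script using only the standard library. It is an added example written for this page, not tiCrypt code, and it makes assumptions the page does not: a `pairing_secret` provisioned to the user's client and the VM out of band (the page's CAC integration would be one way to root such a secret in hardware), a Diffie-Hellman exchange over the RFC 3526 group 14 prime authenticated with that secret, and an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC standing in for a real AEAD. The backend records every byte it forwards and, in `mitm=True` mode, tries to substitute its own DH value; the substitution is caught because the backend cannot forge the authentication tag.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime with generator 2, copied from the RFC
# text; verify against the RFC before reusing it anywhere that matters.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF stream; real systems should
    # use AES-GCM or ChaCha20-Poly1305 from a vetted library instead.
    blocks = (length + 31) // 32
    return b"".join(prf(k_enc, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def seal(k_enc: bytes, k_mac: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + prf(k_mac, nonce + ct)  # encrypt-then-MAC


def unseal(k_enc: bytes, k_mac: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(k_mac, nonce + ct)):
        raise ValueError("message authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(k_enc, nonce, len(ct))))


class Endpoint:
    """One end of the session: the user's client or the VM inside the enclave.
    `pairing_secret` is an assumption of this model: it is provisioned to both
    ends out of band and is never given to the backend."""

    def __init__(self, role: bytes, pairing_secret: bytes):
        self.role, self.pairing = role, pairing_secret
        self.priv = secrets.randbits(256)
        self.pub = pow(G, self.priv, P).to_bytes(256, "big")

    def hello(self) -> dict:
        # The DH value is authenticated under the pairing secret, so a relay
        # cannot swap in its own value without the tag failing to verify.
        return {"pub": self.pub, "tag": prf(self.pairing, self.role + self.pub)}

    def finish(self, peer_role: bytes, peer_hello: dict) -> None:
        expected = prf(self.pairing, peer_role + peer_hello["pub"])
        if not hmac.compare_digest(peer_hello["tag"], expected):
            raise ValueError(f"{self.role.decode()}: peer DH value not authenticated")
        peer_pub = int.from_bytes(peer_hello["pub"], "big")
        if not 1 < peer_pub < P - 1:
            raise ValueError("invalid DH public value")
        shared = pow(peer_pub, self.priv, P).to_bytes(256, "big")
        # Bind the keys to both public values, in a fixed client-then-VM order.
        transcript = (self.pub + peer_hello["pub"]) if self.role == b"client" else (peer_hello["pub"] + self.pub)
        self.k_enc = prf(shared, b"enc" + transcript)
        self.k_mac = prf(shared, b"mac" + transcript)


class Backend:
    """Routes every message and records every byte it forwards. It holds neither
    the pairing secret nor a session key. With mitm=True it acts as a compromised
    backend that substitutes its own DH value during the handshake."""

    def __init__(self, mitm: bool = False):
        self.mitm, self.seen = mitm, []

    def route(self, msg):
        self.seen.append(msg)
        if self.mitm and isinstance(msg, dict):
            fake_pub = pow(G, secrets.randbits(256), P).to_bytes(256, "big")
            return {"pub": fake_pub, "tag": msg["tag"]}  # tag cannot be recomputed
        return msg


def run_session(messages, mitm: bool = False):
    """Handshake through the backend, then send `messages` client -> VM."""
    pairing = secrets.token_bytes(32)
    client, vm, backend = Endpoint(b"client", pairing), Endpoint(b"vm", pairing), Backend(mitm)
    vm.finish(b"client", backend.route(client.hello()))
    client.finish(b"vm", backend.route(vm.hello()))
    received = [unseal(vm.k_enc, vm.k_mac, backend.route(seal(client.k_enc, client.k_mac, m))) for m in messages]
    return received, backend


def relay_saw(backend: Backend, needle: bytes) -> bool:
    """True if `needle` appears anywhere in what the backend forwarded."""
    return any(needle in (m if isinstance(m, bytes) else m["pub"] + m["tag"]) for m in backend.seen)


def mitm_is_detected() -> bool:
    try:
        run_session([b"probe"], mitm=True)
    except ValueError:
        return True
    return False
```

The point of the `mitm` branch is the caveat a reviewer should raise against any "administrators cannot intercept" claim: an unauthenticated key exchange relayed by the backend would be trivially interposed by whoever runs that backend, so the trust anchor for the exchange must live outside it (the page's CAC integration is the natural place).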
tiCrypt's Backend Server
The tiCrypt backend server serves as the central orchestration and security control layer of the system. It manages user access, routes encrypted sessions to virtual desktops, and provides core services such as authentication, file management, maintenance, notifications, operational statistics, and centralized logging. The backend enforces authentication, authorization, session routing, and monitoring, ensuring that all access to CUI resources is mediated, controlled, and auditable.
Virtual Machines
The VM hosts run the virtual desktops where users perform their work. Each host supports multiple virtual machines that process CUI, run applications, and execute user workloads. Users connect to these environments through secure tunneled sessions managed by the backend. Access is restricted and centrally managed to maintain consistent security configurations. Because all computation and data handling occur inside these virtual machines, CUI processing remains within the protected enclave.
Distributed File System (Secure Data Storage)
The distributed file system stores CUI data, project files, and application data. It communicates only with the backend server and the VM hosts, keeping storage isolated from external devices. User devices never directly access this storage layer; instead, data is either displayed in the browser or accessed through the virtual machines operating inside the enclave. This architecture keeps sensitive data within the protected environment while enabling centralized encryption, access control, backups, and monitoring.
tiAudit Logging Server (Monitoring and Compliance)
The tiAudit server provides centralized monitoring and logging for the tiCrypt environment. It collects security and operational logs generated by the backend and other system components. The system includes the tiAudit logging service, a web interface for log management, and a ClickHouse database for high-performance log storage and analysis. Logged events include authentication attempts, session activity, system operations, and administrative actions. This centralized logging supports monitoring, incident investigation, and the forensic visibility required for security compliance.
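Centralized logs are only as useful as the detections run over them. As an added example, not part of the page or of tiAudit, the script below runs two detections a security operations team would want over the event classes the paragraph lists: a burst of failed authentication attempts that ends in a success (a guessed or stuffed credential), and administrative actions performed by accounts outside an approved set. The log lines are constructed for this example and the field and event names (`ts`, `event`, `user`, `src`, `result`, `admin.*`) are assumptions, not tiAudit's schema; the same logic maps directly onto a windowed query against the ClickHouse store once the real column names are known.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of JSON-lines audit events. Field and event names are an
# assumption for this illustration, not tiAudit's actual schema.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:00:01Z", "event": "auth.login", "user": "alice", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-03-04T08:00:09Z", "event": "auth.login", "user": "alice", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-03-04T08:00:20Z", "event": "auth.login", "user": "alice", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-03-04T08:00:31Z", "event": "auth.login", "user": "alice", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-03-04T08:00:44Z", "event": "auth.login", "user": "alice", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-03-04T08:01:02Z", "event": "auth.login", "user": "alice", "src": "203.0.113.7", "result": "success"}
{"ts": "2024-03-04T08:05:00Z", "event": "session.start", "user": "alice", "src": "203.0.113.7", "vm": "vm-17"}
{"ts": "2024-03-04T08:10:12Z", "event": "auth.login", "user": "bob", "src": "198.51.100.4", "result": "failure"}
{"ts": "2024-03-04T08:10:30Z", "event": "auth.login", "user": "bob", "src": "198.51.100.4", "result": "success"}
{"ts": "2024-03-04T09:15:00Z", "event": "admin.user_role_change", "user": "carol", "target": "bob", "role": "project_admin"}
{"ts": "2024-03-04T09:20:00Z", "event": "admin.vm_delete", "user": "dave", "target": "vm-17"}
{"ts": "2024-03-04T09:25:00Z", "event": "admin.vm_delete", "user": "dave", "target": "vm-18"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_guessing(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag (user, src) pairs with >= threshold failed logins inside `window`.
    A burst closed by a success is the higher-severity case: the credential is
    now in the attacker's hands and the session that follows needs review."""
    failures = defaultdict(list)
    findings = []
    for ev in events:
        if ev.get("event") != "auth.login":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            continue
        if len(failures[key]) >= threshold:
            findings.append({"user": ev["user"], "src": ev["src"], "failures": len(failures[key]),
                             "then_success": True, "at": ev["ts"]})
        failures[key] = []
    for (user, src), stamps in failures.items():  # bursts with no success yet
        if len(stamps) >= threshold:
            findings.append({"user": user, "src": src, "failures": len(stamps),
                             "then_success": False, "at": stamps[-1]})
    return findings


def detect_unapproved_admin_actions(events: list, approved_admins: set) -> list:
    """Administrative events performed by accounts outside the approved set."""
    return [ev for ev in events if ev["event"].startswith("admin.") and ev["user"] not in approved_admins]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in detect_password_guessing(evs):
        print("credential guessing:", f)
    for ev in detect_unapproved_admin_actions(evs, {"carol"}):
        print("unapproved admin action:", ev["ts"], ev["user"], ev["event"], ev.get("target"))
```

On the sample data the first detection reports one finding (alice, five failures from 203.0.113.7 followed by a success), and the second reports dave's two `admin.vm_delete` events when only carol is an approved administrator. Pairing the successful login with the `session.start` that follows it is the next step an analyst would take, which is why the finding carries the timestamp.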
tiCrypt is NIST 800-172 Ready
End-to-end encryption alone does not satisfy all enhanced protections of NIST SP 800-172. The standard includes additional requirements for physical and logical isolation, movement-limiting architecture, software integrity verification, and continuous monitoring for anomalous or suspicious behavior - capabilities that extend beyond encryption alone.
tiCrypt provides a strong architectural foundation for these enhanced protections by enforcing end-to-end encryption, centralized control, and strict isolation of data and computation within the enclave. This architecture reduces reliance on perimeter defenses and limits exposure of sensitive data and credentials.
tiCrypt’s architecture is designed to integrate with Common Access Cards (CAC), enabling hardware-backed cryptographic operations for authentication and data access. By leveraging CAC as a hardware root of trust - widely used across DoD environments - tiCrypt can reduce reliance on software-managed keys in system memory and strengthen protections against credential theft, unauthorized access, and key exposure.
This approach aligns with the intent of SP 800-172 to incorporate stronger isolation, integrity verification, and hardware-assisted security controls. Organizations can build upon tiCrypt’s architecture by combining enclave-based processing with CAC-backed cryptographic enforcement, along with hardened infrastructure, integrity verification, and advanced monitoring.
Learn More
For more information on integrating Common Access Cards, see CAC.
For an overview of how we implemented high performance computing (SLURM) in tiCrypt check out the HPC page.
For more details on tiCrypt’s architecture, see the technical whitepaper.