Zero Client as a Service: simplifying CMMC for DIB micro-businesses

Zero Client as a Service, shown as a zero within a digital shield

Totem Technologies is excited to announce our Zero Client™ as a Service (ZCaaS) offering, which will make handling Controlled Unclassified Information (CUI) and Cybersecurity Maturity Model certification (CMMC) easier for the smallest of the small DoD contractors.  We built ZCaaS specifically to meet the needs of micro-businesses in the Defense Industrial Base (DIB) that are facing CMMC and either don’t handle CUI yet, or only handle small amounts of CUI on an infrequent basis.  The problem for micro-businesses such as these (25 or fewer employees) is that even if they don’t handle CUI or only handle it in small amounts, they still have to prove that they abide the DFARS 252.204-7012 mandates for the protection of CUI, and will still have to pass a CMMC Level 2 assessment. 

And all of that is expensive.  Zero Client as a Service makes it more affordable.  And your organization can be up and running with ZCaaS in a matter of minutes. 

In this post we’ll explain what Zero Client as a Service is and how micro-businesses can rely upon it to simplify CMMC compliance.

What is Zero Client as a Service (ZCaaS)?

Zero Client™ as a Service (ZCaaS) is actually a package of three services: 

  1. A cloud-hosted ephemeral Windows VDI Desktop built in Microsoft Azure Government.
  2. SafeShare™ secure file sharing and storage platform
  3. Totem™ Cybersecurity Compliance Management (CCM) tool
ZCaaS Conceptual Diagram
Zero Client as a Service Desktop VDI

Micro-businesses can use the ZCaaS Windows Desktop VDI to transfer sensitive information from one cloud service to another without “contaminating” workstations. We call it a “zero client” because the organization’s on-premise or employee-owned (BYOD) workstations (desktop, laptops, mobile devices) simply act as clients to the cloud service and zero information is ever stored, processed, or transmitted on the workstations.

ZCaaS Desktop is a quick-booting, ephemeral Windows Desktop in Azure Government FedRamp-High Datacenters meaning that no files or data you browse to ever reach your organization’s workstations, and when the desktop session is finished, all traces of the session are deleted.  So your organization’s users can transfer CUI or other sensitive information from one cloud service to another without it ever touching their workstations.

Most businesses will also need a file sharing, processing, and storage platform to call their own. That’s why ZCaaS includes access to a secure file sharing and storage solution called SafeShare, powered by Cocoon Data.  SafeShare is FIPS Validated, and managed entirely in FedRAMP-authorized AWS GovCloud by US Persons.  So it’s secure enough for your CUI and ITAR and other export-controlled data.  SafeShare supports in-situ creation and editing of Microsoft Word, Excel, and PowerPoint, and features highly granular permission controls.  For instance, an organization can assign “read-only” permissions to certain users, whereby those users will never be able to download files from the tool, and any files they view are secured with a timestamped watermark.  This provides 100% accountability for your organization’s information, even if it is captured by screenshot.  The video below provides a quick tutorial of the ZCaaS Desktop and SafeShare.


The ZeroClient Desktop runs a secure version of the Windows 10 operating system configured in read-only mode, so that no files are ever permanently stored on the session.  You can edit PDFs locally and them upload to SafeShare for safekeeping. 

All of this comes packaged with a subscription to our Totem™ CCM tool, complete with a System Security Plan (SSP) built around the ZCaaS managed service.  In a matter of minutes you can customize this SSP for your organization, generate a Supplier Performance Risk System (SPRS) score, and also pass a major milestone for DFARS 7012 compliance.

Why keep CUI off your workstations?

Why should you be concerned about handling CUI and other sensitive information on your organization’s workstations?  Because if that information touches that workstation, you must securely configure — or “harden” — the workstation to protect sensitive files that may reside on it.  Hardening is no cake walk, requiring hours of IT security labor per workstation.  And in a Bring Your Own Device (BYOD) environment, most employees don’t want their employer taking administrative control over their personal device.  You also must continuously monitor the workstation for any cybersecurity attacks.  Zero Client as a Service eliminates the hardening and monitoring requirements for on-premise workstations, and facilitates BYOD.

And since ZCaaS sessions are non-persistent — or ephemeral — there is little hardening and monitoring that must be done to the ZCaaS Desktop VDI environment.  We also inherit the hardening and monitoring safeguards from Cocoon Data for the SafeShare platform. This means ZCaaS is a fraction of the cost of other heavily-marketed options for secure CUI manipulation, such as Microsoft 365 GCC High.

But we can’t take full credit for inventing the concept behind ZCaaS: the DoD beat us to it!  We based ZCaaS on the now defunded DoD Trusted End Node Security (TENS) program.  TENS was designed to allow DoD remote-working employees to login to DoD-controlled networks from their unmanaged personal devices.  This means remote DoD employees could use TENS to access unclassified DoD networks from their own laptops, desktops, tablets, whatever.  And no DoD data would ever be stored on those personal devices.

TENS did its job very well, and was secure enough to receive an Authority To Operate (ATO) from the DoD.  However, TENS relied on booting a workstation from DVD or USB, which required some reconfiguration of a workstation and took several minutes to boot (at a minimum).  And unfortunately, the TENS boot media by its nature contained a limited set of hardware drivers, and therefore only worked on a limited number of workstation makes and models. 

ZCaaS provides the same security features as TENS without the limitations.  The ZCaaS Desktop VDI can be used from any workstation with internet access.

Who can use Zero Client as a Service for CMMC compliance?

Zero Client as a Service is laser-focused on serving DIB micro-businesses that have DFARS 7012 in their contract but don’t yet know what CUI they handle.  It’s also intended for those organizations that are working on SBIR/STTR projects and must implement the NIST 800-171 standard to securely store, process, and transmit CUI.   All these DIB members must submit an SPRS score and prepare for a CMMC Level 2 certification as well. 

In a nutshell, if your organization needs the following benefits, ZCaaS is for you:  

  • A secure cloud-based service in which to store, process (edit Word, Excel, PPT, and view all other docs), and transmit all CUI: this is what SafeShare is for.
  • To support BYOD and transfer CUI into SafeShare from another file share site (e.g. DoD SAFE, DIBBS, etc.) without that CUI “contaminating” a physical workstation: this is what the ZCaaS Desktop VDI is for.
  • The ability to edit PDFs or ZIP files: this is what the ZCaaS Desktop is for.  
  • A simple SSP and POA&M, maintainable in an easy to use online platform that automatically calculates your organization’s SPRS score: this is what the Totem™ tool is for.

Zero Client as a Service is an especially elegant solution for small DIB companies that are distributed, i.e. that don’t have a central “brick and mortar” office.  It’s also ideal for startups or small research and development organizations competing for SBIR/STTR grant money. 

ZCaaS is also great for those small businesses who can’t dedicate personnel to monitor the cybersecurity of an environment that includes BYOD and/or a bunch of workstations and servers, and can’t afford to outsource this monitoring to an Managed Security Service Provider (MSSP) running a round-the-clock Security Operations Center (SOC).  With ZCaaS, there isn’t much that can even be monitored, and Totem Technologies takes care of what can be monitored. 

Who may not benefit from ZCaaS for CMMC compliance?

If your organization has more than about 25 individuals that need to handle CUI,  Zero Client as a Service may not be for you.  One of the many benefits of SafeShare is that your organization can always account for whose hands its CUI is in; however, this means that individuals with whom CUI is shared must be accounted for as well. 

As a result, all SafeShare users, including any external recipients, must create a SafeShare account.  And all SafeShare accounts require a paid-for license.  It is our experience that when an organization passes the “micro-business” threshold (more than about 25 users), the number of recipients grows to the point where maintaining all of their account licenses becomes unwieldy.  Not that it can’t be done, but your organization will have to dedicate resources to maintaining user licenses. 

Another set of businesses that may not want to use ZCaaS are those that must handle hardcopy CUI.  In the first place, the ZCaaS Desktop VDI prohibits the local download and printing of all files transmitted through it.  SafeShare can be configured similarly.  But more importantly, to make our ZCaaS NIST 800-171 SSP template as easy as possible to implement, we suggest your organization eliminate CUI in hardcopy.  It just makes securing CUI easier that way, resulting in less expenditure to protect it.

Many manufacturers maintain, for instance, hardcopies of engineering drawings that operators and machinists consult during the manufacturing process.  Engineering drawings of DoD parts are definitely considered CUI, and need all the protections standardized in NIST 800-171.  The ZCaaS concept will be difficult to implement in such an environment, unless the small business manufacturer can adopt new technologies — such as mobile tablets that can interface with ZCaaS — to replace their reliance on hardcopy media. 

Want to try Zero Client as a Service?

If your small business is struggling trying to figure out how to implement the demanding NIST 800-171 standard to protect CUI and/or is worried about how it will pass a Level 2 CMMC assessment, Zero Client as a Service might be the right solution.  We’d love to demo ZCaaS for you, free of charge.  Contact us to get a demonstration scheduled.

ZCaaS takes care of most of the policy and technical complexities of CMMC, but there are other aspects of complying with the DFARS 7012 mandate that you’ll want to be aware of.  We discuss all things DoD contractor cybersecurity during our quarterly DFARS / NIST / CMMC Workshops.  We keep cohort sizes small to maximize your opportunity to interact with our instructors, and we discuss strategies — such as ZCaaS — that small businesses can pursue to reduce the footprint of CUI, and save costs when it comes to CMMC.  We’d love to have you with us!

For now, Good Hunting!


Graphic depicting Totem's roadmap to CMMC compliance

Download our CMMC Compliance Roadmap!

Like this post? Share it!

Get notified when new blogs are published!