Entrust nShield
by Entrust
Covered: 8 controls. Partial: 2 controls. Gaps: 3 controls.
Overview
Entrust nShield by Entrust is an encryption & key management solution that covers 8 NIST 800-171 controls (7% total coverage). It addresses key requirements in the encryption & key management domain for defense contractors pursuing CMMC compliance.
Controls Covered (8)
Implementation Notes
Deploy Entrust nShield with FIPS-validated configurations. Integrate with your SIEM for centralized audit logging. Review partial controls quarterly to identify supplementary tooling needs.
Implementation Guidance for Entrust nShield
Configure Entrust nShield to satisfy NIST 800-171 encryption controls with the following settings.

SC-8 (Transmission Confidentiality/Integrity): establish Hardware Security Module (HSM) policies that require AES-256 at minimum, and configure SSL/TLS certificate lifecycle management with automated key rotation every 90 days. Enable FIPS 140-2 Level 3 validation mode and define cryptographic boundaries that separate CUI processing environments.

SC-12 (Cryptographic Key Establishment/Management): implement centralized key escrow under dual-person control, so that key recovery operations require two administrator authentications. Generate keys from a true random number generator with entropy validation, and automate key backup to geographically separated HSM appliances.

SC-13 (Cryptographic Protection): enable algorithm agility across NIST-approved cryptographic standards and configure automatic deprecation of algorithms when NIST guidance is updated.

Assessment evidence: enable nShield's built-in audit logging for detailed cryptographic operation logs, key lifecycle events, and administrator access records. Export logs in SIEM-compatible formats (CEF/JSON) for integration with Splunk or QRadar.

Authentication: integrate with Microsoft Active Directory for centralized authentication and configure LDAP synchronization for role-based access control.

Common misconfigurations: insufficient key backup procedures (leading to C3PAO findings on availability), disabled audit logging (preventing evidence generation), weak authentication policies for HSM access, and improper network segmentation that exposes cryptographic operations. Always validate FIPS certification status and keep firmware current to avoid compliance gaps.
Gap Analysis & Compensating Controls
Entrust nShield's 3 uncovered NIST controls leave significant compliance gaps, primarily in the Access Control (AC) and System and Communications Protection (SC) families.

The largest gap is AC-3 (Access Enforcement): nShield lacks granular application-level access controls for CUI data objects. Implement Microsoft Active Directory together with a Privileged Access Management (PAM) solution such as CyberArk to provide role-based access control and just-in-time privileges.

The second gap, SI-4 (Information System Monitoring), requires deploying a SIEM such as Splunk Enterprise Security or IBM QRadar to correlate nShield cryptographic events with broader security monitoring.

The third gap typically involves IA-5 (Authenticator Management) and requires multi-factor authentication, for example RSA SecurID or Duo Security, for nShield administrator access.

Document these gaps in your System Security Plan (SSP) Section 13 as inherited controls requiring additional implementation, and create POA&M entries with specific milestones: AC-3 remediation within 60 days and SI-4 implementation within 90 days.

Priority order for gap closure: (1) AC-3 implementation (highest CMMC assessment weight), (2) SI-4 deployment for continuous monitoring, (3) IA-5 MFA implementation for administrative access. These gaps represent approximately 15% of total NIST 800-171 requirements and require dedicated budget allocation for compensating controls.
Compliance Cost Estimate
Entrust nShield implementation costs range from $45,000-$120,000 for initial HSM appliances, plus $8,000-$15,000 annually per appliance for support and maintenance. Professional services for NIST 800-171 configuration typically cost $25,000-$40,000, including policy development, integration, and documentation. Ongoing monitoring and administration require 0.25-0.5 FTE of security personnel ($20,000-$40,000 annually) for key lifecycle management and audit compliance. Annual licensing for enterprise management software adds $5,000-$12,000 per management console. Total three-year cost of ownership ranges from $150,000 to $300,000 depending on organization size and redundancy requirements. Compared to competitors such as Thales Luna ($40,000-$100,000) or AWS CloudHSM ($1.50/hour), nShield provides superior FIPS 140-2 Level 3+ certification but requires a higher upfront investment. ROI justification includes reduced compliance audit costs and potential contract award advantages for CMMC Level 2 certification.
Compliance Cross-References
Entrust nShield directly satisfies DFARS 252.204-7012 encryption requirements for CUI protection and supports CMMC Level 2 Cryptographic Protection (CP) domain practices including CP.L2-3.13.16 (cryptographic mechanisms protection) and CP.L2-3.13.11 (FIPS-validated cryptography). The solution maps to FedRAMP controls SC-8, SC-12, SC-13, and partially supports SC-17 through public key infrastructure capabilities. For CMMC assessments, nShield provides evidence artifacts for assessment objectives including cryptographic key management documentation, FIPS 140-2 certificates, and audit trails demonstrating proper key lifecycle management. However, additional tools are required for CMMC Access Control (AC.L2-3.1.1 through AC.L2-3.1.22) and System Monitoring (SI.L2-3.14.1 through SI.L2-3.14.7) practices. Integration with Microsoft SCCM or Tanium satisfies Configuration Management (CM) requirements, while SIEM solutions address Security Assessment (CA) and Risk Assessment (RA) domains. Document nShield's role in your CMMC self-assessment as a foundational cryptographic control supporting Level 2 certification readiness, noting dependencies on complementary access control and monitoring solutions for complete domain coverage.
Frequently Asked Questions
How many NIST 800-171 controls does Entrust nShield cover?
Entrust nShield covers 8 of 110 NIST 800-171 controls (7%), with 2 partially covered and 3 gaps.
Can Entrust nShield alone satisfy CMMC Level 2?
No single tool covers all 110 NIST 800-171 controls. Entrust nShield covers 7% and should be part of a layered security stack addressing the remaining controls.
What controls does Entrust nShield not cover?
Entrust nShield does not cover controls pe-3-10-1, ra-3-11-1, si-3-14-1. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.