
Event Recording: 03.09.2021 – How to Maximize Your CMMC Investment

Transcript: How to Maximize Your CMMC Investment

Sanjeev Verma: My name is Sanjeev Verma and I’m co-founder and chairman of PreVeil, a company that provides end-to-end encrypted email and file sharing systems to protect your controlled unclassified information and ITAR data, among other sensitive business data.

Welcome to our webinar on building a winning cybersecurity program. I’m really pleased to be able to be joined on this webinar with our partners, Cliff Neve from MAD Security, which is one of the leading providers of security and compliance solutions, consulting practices. Cliff’s a veteran, 26 years in IT and cybersecurity. Just before I came in, I was very much appreciative of the fact that he was a commander in the Coast Guard and served alongside my classmate and friend, Admiral Petkoski. Also joining us is our partner and a managed IT services provider, Simple Helix, and representing them is Scott McDaniel, who is, again, a telecommunications and IT veteran and a proud alum of Auburn, with both a bachelor’s and an MBA from them.

So welcome. You’ve got the entire gamut of what it takes to become CMMC compliant in the form of expertise in consulting from Cliff, expertise and knowledge of CMMC from Scott, and the ability to go and provide the services that are necessary. A bit about myself. I’m the third leg of what is necessary to provide, to get to CMMC, particularly level three, is tools that are used to store and share CUI and ITAR. As many of you know, CMMC is fundamentally about securing your controlled unclassified information, FCI, and also for those that deal with ITAR, that as well. Basic tools like O 365, which is how you communicate information, store it on OneDrive, et cetera, they are not compliant. So PreVeil is a company that provides a simple tool that allows you to stay on O 365 and G Suite and protects your controlled unclassified information for CMMC using a technology called end-to-end encryption and using principles of what you’re probably increasingly hearing about, which is zero trust, so welcome.

Our agenda today over here is that Cliff and Scott are primarily going to talk to you about the basics of DFARS, going from DFARS to CMMC, how are the two related, and then they will basically simplify your journey to CMMC compliance to four essential steps. As many of you are aware, there are 130 controls, 17 domains, enough to make anybody’s head spin, especially many of the small to medium businesses represented today. So it is Scott and Cliff’s job today to bring their expertise to simplify it to four essential steps that’ll get your organization to compliance. After which I will be happy to share a bit about technology tools, including the ones that we provide for protecting controlled unclassified information.

We’ll have extensive opportunities for folks attending to ask lots of questions. We encourage you to do so. And following that will be a breakout, where this webinar continues and Scott, Cliff and I will be available to handle more questions. So welcome again, thank you so very much for participating, and over to you Cliff and Scott to give additional color about your backgrounds and then onto the agenda for the day.

Scott McDaniel: Yeah, so thank you, Sanjeev, for having me. Again, my name is Scott McDaniel with Simple Helix, having a long background in IT from an infrastructure side, right? So I’ve worked for telecommunications companies, I’ve worked for hardware telecommunication providers, and then worked through disaster recovery planning, business continuity planning, and now of course cybersecurity. So I kind of wanted to kind of go through a little bit of this transition of DFARS 7012 and then transitioning over to the new standard of CMMC. And with that, I always kind of like to start the conversation, well, why? Why do we have to be cyber compliant and then why is the government mandating that we go do this stuff? And so to put it quite frankly, the attack vector or the number of people and the number of attempts to hack into our organization is growing exponentially.

Over the past number of years where it used to be more of hey, we’re trying to hack in to get intellectual property, there’s now real money involved. When I say real money involved, in 2021 the underground monetary industry around cyber attack will be a $6 trillion industry that you can go try to get a piece of if you’re trying to do malicious activity. So the DoD and at the Pentagon, they have been cyber aware for many years now and they have done a great effort to make sure that they themselves don’t get compromised. But what’s happening is as the DoD does leverage more of us in the commercial space or in the defense industrial base, they’ve identified that we, as contractors and subcontractors, we’re the weakest link at this point. So there needs to be some attention brought towards becoming more cyber secure because this attack vector is getting so big.

So there is the idea that the government’s come up with these cybersecurity compliance standards that we need to adhere to, but you as yourself and as you’re operating your business, you too should want to be cyber secure mostly to protect the intellectual property, or like I like to say, the secret sauce of your business. You don’t want to just immediately be compromised in such a place to have to pay, say, a ransomware, or hey, maybe your competitor gets your intellectual property and they use that to compete against you. So between those two activities, it should be bringing this urgency to your business that you need to get started now because it’s not easy and it does take time to mature the cyber security within your organization.

So within that, other reasons why you need to prepare specifically for CMMC is that it is an evolutionary step from the original DFARS 7012. So you’re going from, let’s just say you’re going for CMMC level three. If you had done DFARS 7012, that was 110 controls, now there’s an additional 20 controls that you now need to go address within your organization. Now, on the plus side with CMMC as I mentioned, yeah, there’s now levels, so maybe this will work better for your organization. What I mean by that is your business, maybe you supply hardware, right? You supply nuts and bolts and things. Well, there’s not too much intellectual property in the definition of a bolt or nut per se. So maybe you end up having to go just to CMMC level one, where in the past with DFARS 7012 you either did all 110 controls or you didn’t. Now with the concept of levels, if you are that supplier, maybe you only have to do level one, which is only 17 controls. So that helps control your cost, but if you are doing something more advanced, you’re developing software, doing machine learning or getting information or CUI directly from the DoD, that’ll drive you to a CMMC level three, which will be a little bit harder than in the past.

Now, with regards to CMMC directly, it is introduced, it is live right now, but it is a phased rollout. So the standard went live in January of 2020 with the concept that here in 2021 there will be a subset of contracts that will have a CMMC clause in it. The year after in 2022, we’ll see more contracts with a CMMC clause in them, that will ultimately lead to DFARS 7012 getting retired and CMMC becoming the replacement in 2026 and it’ll be known as DFARS 7021. So I say all this to say that there is urgency to get done, we are in a transition period. There are good things that come from CMMC, but at the same time, we can’t forget DFARS 7012 either.

So regardless of if you’re doing DFARS 7012, CMMC or really any other cyber security compliance module, right, a SOC 2, or a HIPAA or any compliance project between the three of us here with you today, we’ve come up with four steps towards CMMC compliance. And so with that for the first step, Cliff, you want to run with talking about baselining?

Cliff Neve: Of course. Thanks very much, Scott. Appreciate that. My name’s Cliff Neve. I served 20 years in the Coast Guard, as Sanjeev mentioned, the last three of which were standing Coast Guard cyber command as the chief of staff and that acting deputy commander. What’s interesting is that way back then in 2013, DFARS was already being discussed during my entire time there. So the concept of protecting controlled unclassified information is not at all new. In fact, from 2013 on it’s actually been contemplated as a requirement. So in many ways, starting in 2017 and since then, this is all things that defense contractors are supposed to be doing. So contrary to what a lot of people think, the first step isn’t to just run out and buy a technology, and it sounds funny to do that, but we see it every day.

I could go on all day about clients that go out and buy technology and then come back to us afterwards and say, “Okay, we have this technology. Now how do we implement it to meet CMMC compliance?” And I call these folks ready fire, aim clients, because they’re doing things in reverse and they’re not getting the requirements in place, first of all, to figure out what it is they need to do from a business perspective before they even start talking about technologies and how they should proceed.

So your first real step is gaining a baseline understanding of what your requirements are and what it is that you’re defending. Along with your business and mission drivers, you must know what data resides on your systems. If we’re talking CMMC, then clearly controlled unclassified information is the data classification that we’re talking about the most, and Scott discussed that quite a bit previously. So you also need to know who in your organization actually needs access or is going to need access to controlled unclassified information. And this becomes an interesting conversation because less than half the organizations that I talk to have a good understanding of what types of data they process, who does have access to the data and who needs access to that data. But what you can do is by figuring that out and by determining that requirement, you can determine who actually does and doesn’t need to have access to this controlled unclassified information.

To me, one of the biggest benefits of CMMC and DFARS isn’t raising the security of all the networks in the world, it’s stopping the widespread spread of controlled unclassified information in the places where it really doesn’t need to be. So when you know and understand what your security boundary is based upon who actually does or doesn’t need access to controlled unclassified information, when you have that boundary scoped, when you look at what types of systems are within that boundary, whether it’s just routers and firewalls or whether you may also have some interesting other operational technology systems, whether you have third party connections, those are all things that could be in the scope of your CUI environment.

So what we try to do is get together with you and go through and analyze what your actual needs are, what you need to protect and figure out how to reduce your attack surface, which makes you both more secure and potentially saves you significant money investments that can be put in other higher priority things. So as I mentioned, there’s a reason the DoD doesn’t secure their entire worldwide network to the standards of their top secret JWICS or even secret categorized SIPRNet. That would be very expensive and you’d be overexposing that data by putting it on the same network that everybody’s on.

So it might be that during the course of your baselining and requirements that you find that it is in your best interest to secure your entire network to a certain standard, but that then becomes a business decision that you make and that your C level makes with eyes wide open. We then conduct a gap assessment, and when we conduct the gap assessment, we look at all 130 controls. If it’s a CMMC level engagement, we go through each one with the projected or in place CUI boundary and determine what your gaps are in the way you’re currently protecting those controls or meeting those controls. Then we come up with findings and a plan of action and milestones that is more of a project plan for how you can meet your objectives for securing your CMMC environment and meeting all of those controls.

The toughest ones that we see with the gap assessments tend to be auditing. By that what I mean is that things like some of the 20 supplementary controls, which are above and beyond the NIST 800-171 controls in order to meet CMMC level three, two of them are, one is review audit logs, and the other is collect audit logs in a central repository. Those can be kind of difficult to do without having a SIEM or a similar tool that allows you to do that with skilled eyes, and, you know, you can have a set of clubs, but you can’t necessarily swing them like Rory McIlroy does. So having a SIEM or having these tools doesn’t necessarily mean that you can meet these controls from a maturity perspective if you don’t know how to use them. So finding ways that you can meet technological controls that are difficult like this, finding novel ways, whether it’s through technologies or partnerships that allow you to make your enclave such that some of those controls are handled for you, is a very wise way of moving. Next slide.

Scott McDaniel: Yeah. So once you’ve gone through that baselining effort, so now you understand what your scope is going to be, you understand that there are some gaps that need to be closed and then you have a project plan to go get those closed, then you actually come into implementation. So like us at Simple Helix, we see so many people always rushing to implementation without a plan and it does make implementation way harder, right? Because you’re chasing tools, you’re chasing configuration, you’re chasing all these things, but you don’t have that clear plan. If you followed our advice and you actually have that plan, and now when you step into implementation, things go much smoother and much quicker, because now we are executing from a project plan, we’re just sitting there trying to close identified gaps, so we know what the gap is and now we have a solution for that gap. And the solutions for those gaps, I mean, it could be introducing a new tool, it could be coming up with a new policy and procedure and it could be employee training.

So as you’re going through implementation, all three of these could be going on in parallel and you could also be leveraging a company like Simple Helix to help you through that implementation, right? So we do many, many of these implementations day after day. So we know what to look for inside of an, say, an O 365 environment. We’re familiar with multiple brands of firewalls and things like that, but we also have the added benefit that we’ve worked with other customers. We’ve seen how they’ve approached solving problems instead of maybe always using a technical solution, they solve it with a policy and procedure. But ultimately, it is once you’ve gotten through kind of that initial draft of an SSP, you’ve got your gap assessment done, you’ve gotten your POAM in place, step two, implement the plan, right? So we move through those steps.

Next slide, please. So then step three becomes what I refer to as enacting. So ultimately realize that we’re on this journey that will lead to an assessor showing up and doing an onsite assessment, or in any other standard beyond CMMC, an audit. So one of the things that we like to stress is that after you’ve finished your implementation, realize it’s going to impact the culture of your business, it’s going to impact the ways that you do things. So you want to live and breathe by it for a little bit before letting that auditor show up. Because what you’re going to find out is that you may have had the best intentions with your policies and procedures, but once you actually try to live with them for a while, hey, it’s not exactly the best thing. So you want that opportunity to change this before the assessor comes up.

So from a leadership perspective, you want to monitor your staff and how things are progressing, and make sure that this isn’t hurting your business, but empowering your business. You’re also going to want to continue that ongoing training with your staff. So from that perspective, things like training around phishing email attempts, and training folks, hey, when you see that you get in that random email that says the CEO of your company wants you to transfer money to this, routing and checking number, you don’t want to do that kind of stuff. But they’ll also be training with the new policies and procedures. You’re probably going to update your handbook, you’re going to be updating the way that computers work. So you might have some technical training around the new software applications and things like that.

So all of that leads to some continuous improvement and an opportunity to resolve issues that grow after the implementation is complete. So with that, your suppliers and your consultants and things, they may inject some influence during this time as well. So from that, leveraging some outside resources to help you before you move into step four could be beneficial as you’re now maturing this up.

So Cliff, do you want to talk about the assessment itself?

Cliff Neve: Definitely. So when you’re ready for an assessment, one of the things that you’re going to want to make sure to do is to be prepared for that assessment. Usually that’s to have, in addition to a self-assessment, to have an RPO, registered provider organization, do a gap assessment or take a look at your gap assessment from previously, if you used one earlier, and update it based upon whether you’ve implemented your plan of action and milestones, and hopefully somebody’s been updating those plan of action and milestones so you know where you stand. It’s really not worthwhile to have a C3PAO come in unless you’ve met all of the controls that are included, because there are no POAMs that are going to be allowed. You’re going to have to actually meet all of those controls straight on, or they need to be NA, one of the two.

So you have to present proof of controls met to the assessor, which is a change from the old DFARS way of doing things, which is a self-assessment. So you’re going to have to give those artifacts to them, and clearly having those prepared in advance with the help of somebody who knows what they’re doing and understands the auditing system is going to be very helpful during that audit process. The C3PAOs are being vetted right now. There are folks who have been through the training and have been provisional assessors. There are companies who are going to be designated C3PAOs, and there’ll be a marketplace where folks can see which organizations those are that come and provide that. But one of the things that I’ll stress is that everything that we’re hearing and everything that we’ve seen from those assessments are that you can’t just do it overnight.

You can’t pull an all-nighter and write an end of semester paper and turn it in and expect to pass. You have to show maturity in these processes. So you can’t just say, “Hey, we implemented these things yesterday, can you check them off?” You need to be able to show that it’s part of your process, that you have it implemented as part of what it is you’re doing. So those folks who are just now starting are going to want to get on the stick because what’s required for an audit is more than just I have it in place, it’s showing that level of maturity.

Then as far as continuous improvement goes, you’re going to be required to continue to show that you are meeting those controls. We’ve heard different things as far as what the cycle is going to be, depending upon what level you are for CMMC and some other things and what types of spot audits may be conducted. But clearly once you’re compliant, you’re going to want to keep compliant, and that’s by managing all of your controls, by doing regular assessments and audits.

Scott McDaniel: Yeah. So now to kind of talk through some of the cybersecurity practices and the technologies for protecting CUI. Ooh, we lost our slide deck there. So yeah, so we definitely wanted to take an opportunity to kind of talk through some of the specific things with CMMC and where we all kind of jump in and help out.

Sanjeev Verma: I suppose that the silence means that it is my turn to say a few words about that. So I’d be happy to. I’ll start first by summarizing what Cliff and Scott mentioned and put it pragmatically in terms of the following. Look, at the end of the day, the environment that we are operating in today is dramatically different than just four or five years ago. The compliance regime that has been put into place by the Department of Defense in terms of both self-reporting, which is the DFARS clauses that Cliff and Scott alluded to and CMMC, are changing the game in terms of expectations. So I want to say a few words about this thing. So four or five years ago, cyber attacks were just showing up. They weren’t headline news and so forth, they were still happening. So the majority of the industrial base is certainly concerned about cybersecurity, taking it seriously, but there is no objective criteria, and so therefore, given all the things that are going on, you say, “Well, let’s try to keep making improvements and keep moving the goalpost incrementally forward.”

But all that has changed because attacks are now, as Cliff and Scott mentioned, very severe and the new regime in essence has put objective criteria in place to measure how good a company is in terms of its cybersecurity readiness, and that’s what DFARS is doing through its self-assessment. When you look at it that way, you now have this criteria and you got to make this choice, should I do things incrementally, take my time, all of which were probably fairly reasonable strategies a few years ago, but are no longer reasonable and no longer in your business interest, and here’s why. Number one, as you submit your DFARS score, you now have an objective score, sort of like your SAT score.

So when a partner is selecting you to be on a bid with you, or the DoD is looking at you, they now have an objective measure to look at and say this entity has a security score of X versus Y, and it doesn’t take much more than common sense to realize that if you are objectively at a much lower score than your competitors, it’s not going to be a pretty positive picture in terms of a critical criterion for selection. So therefore, it is important to put into place a program to start taking cybersecurity seriously, because if for nothing else, even if you’re saying, “Well, I won’t be attacked, or it’s unlikely,” et cetera, it is an objective measure for looking at how secure you are and a selection criterion for you to be on a program or as part of a bid or not.

The second is, in the past, one could have viewed compliance as a check the box. Well, let me see if I can basically go and put things in and I check the box, and both CMMC and DFARS are now putting a big hindrance to the check the box mentality, and here’s why. Number one, as Scott mentioned, in order for you to be CMMC compliant, you’ve got to show maturity over a period of time. You can’t just basically go and say, “I put a policy or procedure in place.” Check the box and sort of move on. The second reason is that effectively cybersecurity matters, and even if you feel for whatever reason that you are at a low risk, if for whatever reason you are compromised, the cost of addressing that breach, no matter how insignificant the breach may be, will be immense. It’ll take you many, many months, potentially years to go and come up with here’s what happened, here are the forensics for it, et cetera.

So a check the box mentality in terms of selecting appropriate cybersecurity technologies, et cetera, is not a wise thing. So with that, let’s take a step forward and take a look at answering the questions of, okay, you’ve gone through the process of assessing where you are. Cliff and Scott have helped you create a plan and you’ve implemented, you’re beginning to implement the plan in terms of tools and processes. So what is PreVeil doing over here? Many of you have heard about GCC High and you’ve heard about PreVeil perhaps. What are these companies doing and why are they important? Well, the fundamentals of CMMC and DFARS are that you’ve got to protect your controlled unclassified information, and your controlled unclassified information is protected by storing it securely, sharing it securely, and you do so in the form of files and in the form of emails.

Those are the basic tools that you’re using. When it comes to CMMC, the basic business tools for communication, which is Office 365, or your fundamental Exchange servers, or your G Suite, are no longer deemed secure enough. So therefore you’ve got to come up with a new set of tools to store and share controlled unclassified information. Therein, the two choices that are available are, one is GCC High. You basically go and work with Microsoft and you will be asked to rip your existing system and replace it with what’s called the GCC High. It’s a government cloud with a high security, and you rip everything and you replace it. Again, you still work with Cliff and Scott and work through the gaps that are not addressed by GCC, and ultimately you’ve got yourself a system that is ready for compliance.

GCC High is a capable system. It is certainly thoughtfully designed and gets you on the path to compliance, but for most small to medium businesses, it is disruptive in terms of you having to rip everything and replace everything and it is very expensive. So that’s one choice available. And again, these are fundamental tools that you will have to essentially get because there’s no other way for you to store and share your controlled unclassified information.

The other alternative is to go with PreVeil, and PreVeil essentially takes a very different approach to cybersecurity. It is a zero trust end-to-end encrypted system, and we’ll speak more about it, but at a very simple level, what PreVeil says is identify the number of people that have access to controlled unclassified information. Continue to use your O 365 or Gmail and simply quickly overlay it with an encrypted system like PreVeil. PreVeil will provide you with encrypted email and file storage and sharing. The email is just like email, it’s in our Outlook and Gmail or whatever. The file sharing is basically think of it like a OneDrive or Dropbox or box, just a folder on your computer. That’s where you store and share information. But the important part of it is you’re not ripping anything, replacing anything. You just identify the folks that deal with CUI, deploy PreVeil to their computers and phones, and now you’re communicating your CUI to those folks on an encrypted system.

What makes PreVeil better? Two things. One, the ease of deployment and cost, which is dramatically lower. Takes a day to deploy versus months on GCC. And the cost is typically 70% or so lower than a GCC system. So those are important criteria. The second and perhaps more important criterion is security, and therein lies a distinction between these two systems. So many of you are now hearing of what are called zero trust systems, or you’re hearing of encrypted or end-to-end encrypted systems. So what are these? In simple terms, the old way of looking at things was, and this is how O 365, Google, all the systems that you use are in general designed, what are called a fortress mentality. In a fortress mentality, you basically look at your information and you build a fortress around it and say, “I’m going to use advanced technologies to prevent the bad guys from getting there.”

But as you have seen with the latest Exchange breach and the ongoing breaches that have occurred over time, these tools that you’re using are made of software, they have bugs, and inevitably the attacker gets through. So when they get through, they get access to your information. Modern systems like PreVeil, like Signal, as an example, work with a zero trust mindset. A zero trust mindset basically is what the NSA is now recommending. They’re saying that the DIB are to go with a zero trust mindset, and what that means is you assume that your systems will be breached, that your servers will be breached, that your admin will be breached, that your user passwords will be compromised. You assume that that perhaps has already occurred, and so you put into place systems that can protect you even if that happens, and end-to-end encrypted systems are the systems that can do that.

So I’ll give you an example. Some of you are used to Signal. In a Signal system you don’t trust the password, you don’t trust the provider, Signal; you encrypt your message, it’s a messaging application, you encrypt your message on your phone and it can only be decrypted by the recipient, it’s stored on your server, always encrypted. So if it is attacked and the attacker gets through, all they get basically is encrypted gibberish. So it’s essentially a system that assumes the attacker’s going to get through and you get nothing. PreVeil is basically just like that, there are three players in an email and a file sharing system. There’s a user, there’s an admin, and there’s a server. We don’t trust any of them. We don’t trust the admin, so we assume the admin could be compromised. We don’t trust the server, we feel that the server will be compromised eventually, and nor your user password.

As an end-to-end encrypted system, in a PreVeil system, when your user password is compromised, your information is secure because you need a key on your computer and that key is unguessable. If your admin is compromised, your information’s secure because no single admin can access your information, and if the server is compromised, there’s just gibberish over there. So in a nutshell, these are really simple systems from a usability perspective that provide protection to your information even if admins, servers or users are compromised, and those are the differences between a GCC, again, a very capable system, and a PreVeil. So just an overview, and I’d be happy to take more questions, because I said quite a few things and I’m sure there’s a lot of folks wanting to get clarifications on that.

Scott McDaniel: Yeah, so I’ll throw out a question for Cliff. So one of the questions we had gotten was, well, how do I create an SSP?

Cliff Neve: Sure. So there’s several different ways to do it. The one that I recommend is having an SSP that makes things auditor proof. By that I mean when we create an SSP, we do it control by control and we talk about how each and every control is met, so that when an auditor sees it or somebody sees it, they’re able to very easily trace it to a policy or to an activity, whether it’s people, technology or policy that is meeting that, as well as any artifacts that might be necessary to show that that control is met. So a lot of folks … Oh, go ahead.

Scott McDaniel: I was going to say, yeah, you brought up a really great point around who’s the intended audience for an SSP. And so often we do see people when they try to write it by themselves, they write it as if they’re writing it to the CEO of their company, or they’re writing it to the CTO, somebody internal. You bring up a great point, yeah, that really it’s the auditor, right? You’re writing this thing so that the auditor knows how to navigate to find these things.

Cliff Neve: Definitely. I’ve done hundreds, bordering on thousands of control assessments by this time and gone through them each and every day. You definitely want to make the work on the auditor as easy as possible, and content is critical, security is critical, and you want to make sure that the details in there are solid. At the end of the day though, it definitely does not hurt. You don’t want the auditor to have to go looking for an answer. You want the answer to jump out of the page at them and say, “Yes, this control is met. Yes, this control is met through.” And usually we do that with a separate policy. Sometimes we see people combine their SSP and policy, and that’s okay. It might just make it a little bit more difficult to reference that way.

Scott McDaniel: Yep. Here, I’ll kind of give a question for me that I get asked almost every single day, which is what’s the difference between O 365 and O 365 GCC High? So it’s a pretty loaded question, but O 365 at the highest level does come in multiple flavors. What I mean by that is there’s a flavor for home and student, there’s a flavor for commercial businesses, mostly for small businesses and medium size businesses. Then you move up into O 365 enterprise. Then there’s the O 365 GCC and then ultimately GCC High. So as we’re moving and trying to do the DFARS 7012 and the CMMC and then ultimately ITAR, what O 365 platform you choose really depends on the nature of your business. Then there’s solutions, right? So there are folks out there that say the only way that you can go get compliant is to go into the highest level with that O 365 GCC High.

For us here on this conversation, we’ve always been saying, “Well, that’s not the only way.” Right? Because the challenge with going into GCC High is, one, it is the most expensive platform that you can be in, and you don’t get a choice about who would be considered in scope and out of scope. The whole company goes or nobody goes, or you’re breaking up your company into those that are in GCC High and those that are not. So with options like PreVeil, what we can do is we can keep you in an enterprise space or we can keep you in GCC, but you can still then say, “Hey, only the people who touch CUI or the FCI, they need a copy of PreVeil.” And now you get some granularity and you get to control your cost depending on what your business is doing.

So every day, I encounter companies that are still 80, maybe 60% or 80% commercial with 20 or 40% of the business doing DoD contracts. Well, you don’t want to pick up the whole company and move them all. What you’d like to do is you’d like to control your costs and say, “Okay, well this 40% or 20% of my staff that’s working on these DoD contracts, hey, I want to leave my whole business in enterprise, but hey, let’s layer in some PreVeil there.” And then for those that do have questions about the nuances between O 365 Enterprise GCC and GCC High, I could talk for hours about it. So from that perspective, call me and I’ll be glad to walk through those with you guys.

Orlee Berlove: All right, I’m going to start asking some of the questions from the audience that have been coming.

Scott McDaniel: Oh, great.

Orlee Berlove: I’ll just start putting them up. So are there cost effective solutions for small DoD contractors that need level three certification? And I’ll let you guys decide who’s going to be best to take that.

Cliff Neve: Yes, in a nutshell, it’s certainly not going to be free, but certainly there are very expensive ways to meet level three, and there are smart ways to meet level three. Clearly from what we’ve seen, PreVeil is a fantastic cost effective means, if it meets your requirements and things like that, that come out of the baseline step. There are also ways to get SIEM-like functionality from companies that do SOC as a service that are able to use or collect logs from, if you’re an Office 365 shop, for example, you can collect logs from that and be able to meet your auditing needs. But yes, there are definitely ways, and this is one of those ones where when you pay upfront for an expert to help you build your house, you end up saving a ton of money on all the rework and other things that you’re going to do if you try to do it yourself. Just like anything else in life, having somebody upfront who really knows what they’re doing and can guide you through those is going to in the long run save you money and allow better use of resources.

Scott McDaniel: So yeah, so I can actually give a specific example. So we, at Simple Helix, we had a customer working through the DFARS 7012. So they went through a DCMA high audit. They are a company that has about 20 employees onsite. So eventually you get to this place that you have to do data classification, you have to label documents, right? Are they public, are they private, are they CUI, are they top secret? And so obviously you can go spend a lot of money to implement a data classification toolset as a third party solution, as a piece of software to do that for you. But then inside of like an O 365, there’s a concept of a data classification and some data loss prevention that comes with your O 365, but even for this particular customer, they’re going, “We’re a small company though. We all sit side by side.”

And so for them, they elected to make it a human topic, and they came up with a data classification where they label their Word, Excel, PowerPoint documents with a footer at the bottom, and they made it a corporate policy that when you create a new document, you have to use one of the corporate templates, and in the footer is where it classifies the document, and they passed. They passed the DCMA audit, right? Because again, the controls aren’t prescriptive, you are left to define it. So they went, “Yeah, we trained our employees that they have to classify a document with a footer in the bottom of the document.” They showed the auditor, here is where we have files on a network storage in a SharePoint site, and if you open those documents, you’ll see the label at the bottom. And the auditor went, “Yes, you are classifying your documents. That is perfectly okay to do it in a manual way.” And so there is an example where they didn’t have to spend necessarily money on technology, but they did have to spend some time to do some training.

So that’s where leveraging folks like ourselves that have been through this and have seen these combinations, we can inject some advice along the way to help you weigh the pros and cons of those types of decisions.

Orlee Berlove: All right. Here’s another question. This one for Sanjeev. With Google Workspaces not being CMMC compliant, how does PreVeil help with this?

Sanjeev Verma: Well, PreVeil still helps with it because, again, you overlay it with PreVeil. It isn’t fully clear to us as of now whether it is CMMC compliant, but if you are using PreVeil on top of it, you are able to not only be CMMC compliant but also ITAR ready as well. So for ITAR, you can use a cloud service, provided you meet State Department regulation, which is I’m told 120.54, and you can only store and share data for ITAR on a cloud service provided the ITAR, the cloud service is, number one, end-to-end encrypted, and the Google service isn’t, PreVeil is. Second, that the service be such that the cloud provider has absolutely no access to your passwords or decryption keys.

Again, this is what the NSA was saying as part of the zero trust, and PreVeil is exactly that, we have no access to it. And third, that the system is using FIPS 140-2 encryption, which is what PreVeil is doing. So if you are even on a Google system, you overlay it with PreVeil, you’ll get your emails in the Gmail browser, you’ll have your files in your file folders, but unlike the Google system, you will be able to store, share, communicate CMMC CUI data as well as ITAR information as well because of the end-to-end encryption requirements for ITAR per State Department regs.

Orlee Berlove: Great, thank you. Next question is for Cliff. Cliff, what is the most common mistake companies make in preparing for their initial assessments?

Cliff Neve: Overestimation of their security posture. And I see it quite a bit from, and I can say this because I was an IT person, typically companies that have IT people overestimate their ability to secure the networks and systems that they created and they haven’t had third parties come in and look. For example, we have folks who say, “Hey, I’ve been a network engineer at this company for 15 or 20 years.” And that’s awesome, but they’ve only seen or applied the controls to those few places that they’ve been, whereas an auditor who comes in has seen hundreds of different applications and they generally find issues where somebody who built the network or built the systems wasn’t looking or wasn’t paying attention to. So I would say that that’s the biggest.

The second one is probably choosing simple compliance over security, meeting the letter of the control without actually meeting the spirit of it where they’ll say, “Hey, we’re logging, all of our logs are going to a central repository.” And then it’s like, okay well, are you reviewing those logs? And they’ll say, “Well, we do if there’s an incident.” And it’s like, no, that’s not how it works. You’re supposed to actually review them to find incidents in addition to the others. So we see people who say, “Well, technically I meet that control.” But they’re not doing so in a truly secure way. And I think that that was when Sanjeev talks about zero trust, and that’s one of the things that I always like to hear him talk about, how important that is to actual security, and folks who want to be both secure and compliant as opposed to I just want to be compliant, I want to put the least amount of effort in to check the box. Those are probably some of the more frustrating folks we work with.

Orlee Berlove: All right. I have one more question for Scott and then one more for Sanjeev. Scott, where do you see organizations overspending on trying to achieve CMMC compliance?

Scott McDaniel: Oh, that’s a great question. So where I see most organizations overspending is maybe not on one particular technology, but going and buying technologies before they actually have a strategy in place. So frequently what we see is people will go, “Hey, we know we got to go to O 365 for our implementation, so let’s go get in O 365 and we are going to turn this on and that on, and this other stuff on, and we’re going to figure out the rest of it later.” And then what ends up happening is, hey, that stuff that they needed to figure out later actually contradicts with movements that they’ve already made. So that either results in us reconfiguring and redoing work, which costs them extra, or hey, it actually isn’t the right thing. So now we got to go turn that off to go get the right thing. There’s normally some penalties and things when you’ve gotten into a subscription, whether that’s hey, you’ve bought something on an annual basis and it’s not the right thing. So I don’t necessarily want to say it’s just one particular application or something, but absolutely executing before having a plan and then going, “Oh, I wish I had thought this through after the fact.”

Orlee Berlove: All right, Sanjeev, we have a last question for you, and then I think we’ll need to wrap up. We’re almost at the top of the hour. Does the PreVeil solution meet all the DFARS 7012 requirements for cloud computing?

Sanjeev Verma: Well, the PreVeil solution is not the entirety of the DFARS 7012, but what it does is it meets the substantial parts of at least 800 DFARS 7012 requirements as well as CMMC requirements, either all by itself or in conjunction with policies and procedures. There is a white paper on the PreVeil website on CMMC, it’s called the CMMC White Paper, and that basically lists control by control, the controls that we address and how we address them. You are welcome to go and download that, and that’ll give you a sense for it. In general, what you will find is that if you are a standard O 365 or G Suite user for DFARS 7012, if you were submitting your scores with the use of PreVeil, your scores would go up approximately 40 to 50 points just through the use of PreVeil because of the advanced security and encryption that it provides.

Again, there is a white paper that is on the website that you can access on that. So that’s my answer to this question. I did want to add one important aspect to the previous question that was asked to me about the Google environment. In addition to the ITAR, one of the more important things, and I forgot to mention that, for using PreVeil with the Google Suite, is that it enables you to seamlessly communicate with your suppliers and others. So for example, if you are on Google, somehow you have thought through and have put together an environment that’s compliant, but what if you are sending an email or sharing a file folder with somebody who is on O 365? You can’t just do that with the current environment. So again, having overlaid PreVeil over there to handle your CUI, you are perfectly protected, but also you can share the files and the folders and send electronic mail across platforms, whether the other party is on O 365 or Google. So that’s another benefit of the system as well.

Orlee Berlove: All right. I think you might want to just wrap up, Sanjeev, and instruct people that we’ll have our breakout session.

Sanjeev Verma: Sure. Well, again, I wanted to thank everybody for attending. I appreciate the overview and it was an excellent overview provided by Cliff and Scott. I’ll just conclude by saying, look, this is not an insignificant, not an easy journey, and it is a journey that while a highly experienced and highly proficient group of individuals or professionals who have both security and compliance backgrounds could conduct themselves, for most organizations, the help that Cliff and Scott and organizations like Simple Helix and MAD can provide will be invaluable to make your journey smooth. The consequences of sort of not attaining compliance, especially with CMMC, are drastic because you are no longer able to address it through a POAM, and the consequences are that you are not CMMC compliant. So I would say in essence, in this particular case, I would feel that while you can do it yourself, it’s a helpful thing to go with organizations and professionals like Cliff and Scott. Again, thank you so very much for participating in this. Appreciate your questions.