Last Updated on March 16, 2023
If you’re a supplier to the US Department of Defense (DoD), National Aeronautics & Space Administration (NASA) or other US federal agency, you’ve probably heard the buzz about the new Cybersecurity Maturity Model Certification (CMMC) compliance requirements, along with intensified enforcement of NIST 800-171 compliance that includes more audits from DCMA’s DIBCAC.
A significant hurdle with either of these cybersecurity frameworks is the high level of security required to protect Controlled Unclassified Information (CUI). Among the requirements starting at Level 3 is the need to block non-US citizens from accessing CUI—which renders popular commercial SaaS products like Microsoft Office 365, Google G Suite, Dropbox and Box noncompliant.
For many O365 users, options like hosting your Exchange server on-premises or migrating to the GCC High cloud would be prohibitively expensive and time-consuming. Are there any less costly/disruptive alternatives?
A recent episode of The Virtual CISO Podcast looked at this question in-depth. It features special guest Sanjeev Verma, Chairman and co-founder of PreVeil, a cybersecurity software provider that offers a CMMC-compliant email and file sharing solution that brings end-to-end encryption to O365 and other commercial SaaS environments.
It quickly comes out in the discussion that moving from O365 to the Microsoft GCC High cloud environment can take months and cost at least $25,000 in consulting fees alone, even for very small firms. Then there’s the extra per-month/per-user costs, which more than double (or triple) with GCC High compared to O365 Enterprise. Ratcheting up the ongoing costs even higher is the need in most cases to move the entire organization to GCC High, not just the people handling CUI.
“If I’m listening to this and I’m going, ‘Holy crap! I can’t afford 50 grand plus an additional 10,000 bucks a month forever!’, what are my options?” asks host John Verry, Pivot Point Security’s CISO and Managing Partner.
“This is where a company like PreVeil comes in,” reassures Sanjeev. “We built an end-to-end email and file sharing system that is really simple to use because it handles the fundamental [security] challenges faced by any computer system, including O365, Gmail, etc., and protects users from this ever-persistent threat.”
“But it turns out that PreVeil is an exceptionally good solution for handling CMMC in an economical way,” explains Sanjeev. “With email you basically retain your email address, and you send and receive email with end-to-end encryption, by which we mean that emails are encrypted on your device and can only be decrypted by the recipient and no one else. They are always encrypted on the server and even we as the service provider cannot decrypt those on the server. By default they are stored on AWS GovCloud, but if somebody wants they can also store them on-prem.”
Sanjeev continues: “The same holds true for file sharing. You can think of PreVeil like a Dropbox, a Box or a OneDrive file sharing and collaboration system. But it’s different in that underneath the covers is end-to-end encryption. So your files get encrypted right on your computer or your phone, and they stay encrypted in the cloud. The only people who can decrypt them are the recipients.”
With PreVeil, SMBs don’t need to rip and replace their O365 or G Suite—PreVeil is an overlay service. Users retain their familiar inboxes and email addresses. Provisioning PreVeil takes just a few days.
“So when you’re sending an email to another person who’s handling CUI, that email goes end-to-end encrypted. It’s stored in the appropriate cloud, and complies with CMMC [and NIST 800-171] requirements. But for other staff not handling CUI, you just continue to use O365,” clarifies Sanjeev. For the user it’s all pretty transparent and automatic.
What about emails and files that aren’t CUI? Sanjeev likens PreVeil’s behavior to how text messages work on an iPhone. iPhone texts sent to Android users go through the SMS network, while iPhone-to-iPhone texts go as “iMessages” through Apple’s network—but the phone number involved is the same. Similarly, if an employee who handles CUI emails her teenage daughter during the work day, that data goes unencrypted through O365. If she sends CUI to a colleague at the DoD, that email is automatically encrypted. There are other use cases, of course, but it’s basically that simple.
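The two properties described above, that mail to a CUI-handling colleague is encrypted on the sender’s device so that only the recipient’s key can open it (the server holds nothing that decrypts it), and that mail to anyone not enrolled simply goes out in the clear, can be shown in a short self-contained program. The code below is an added illustration written for this post; it is not PreVeil’s code and says nothing about how PreVeil is built. The `Directory`, `Enroll`, `Seal`, `Open` and `Route` names, the addresses and the single-SHA-256 key derivation are all constructed for the demo (a production system would use a proper KDF, authenticated key directories and per-recipient sender authentication):

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is all a storage server ever holds for an enrolled recipient: ciphertext, a nonce
// and the sender's one-time public key. Nothing in it lets the server decrypt the body.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// Message is what leaves the sender's device: plaintext for non-enrolled recipients, an Envelope otherwise.
type Message struct {
	To        string
	Plaintext string
	Encrypted *Envelope
}

// Directory maps enrolled addresses to their X25519 public keys (constructed stand-in for a key directory).
type Directory map[string]*ecdh.PublicKey

// Enroll generates a key pair on the recipient's device and publishes only the public half.
func Enroll(dir Directory, addr string) (*ecdh.PrivateKey, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[addr] = priv.PublicKey()
	return priv, nil
}

// aeadFor runs X25519 between one side's private key and the other side's public key and turns
// the shared secret into AES-256-GCM. Demo-only KDF: a single SHA-256 over a label and the secret.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("demo-e2ee-v1"))
	h.Write(shared)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the sender's device so only the holder of the recipient's private key can read it.
func Seal(recipient *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key per message
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(eph, recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	// The ephemeral key is bound as associated data so it cannot be swapped in transit.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return &Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the recipient's device. With any other private key (the server's, say) the
// GCM tag check fails and an error is returned: that is the "even we cannot decrypt" property.
func Open(priv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(priv, ephPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// Route mirrors the iMessage/SMS analogy: an enrolled recipient gets an end-to-end encrypted
// envelope, anyone else (the teenage daughter) gets ordinary plaintext mail via the usual path.
func Route(dir Directory, to, body string) (Message, error) {
	if pub, ok := dir[to]; ok {
		env, err := Seal(pub, []byte(body))
		return Message{To: to, Encrypted: env}, err
	}
	return Message{To: to, Plaintext: body}, nil
}
```

Calling `Route` with an enrolled address yields a `Message` whose `Encrypted` field is set and whose `Plaintext` is empty; the same envelope opened with any key other than the recipient’s fails authentication, which is the check a practitioner would run to confirm the storage provider really is outside the trust boundary.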
If your business uses cloud services for email and file sharing and needs to comply with CMMC Level 3 and/or NIST 800-171, you probably should check out PreVeil—and also this highly informative episode of The Virtual CISO Podcast with Sanjeev Verma. You can listen to the complete podcast here.