Last Updated on June 9, 2021
Many SMBs in the US defense supply chain are rightly concerned about the high level of effort that is potentially required to achieve compliance with the DoD’s Cybersecurity Maturity Model Certification (CMMC) framework at Level 3 or above. Is there any way to apply the Pareto Principle, aka the 80/20 Rule, to advance towards CMMC compliance at a faster, cheaper cadence?
To explore this hot topic, a recent episode of The Virtual CISO Podcast featured Sanjeev Verma, co-founder and CEO of PreVeil, a cost-effective, end-to-end encryption solution for email and file sharing. Hosting the show as usual is John Verry, Pivot Point Security’s CISO and Managing Partner.
During their conversation, John and Sanjeev talk about 4 products/capabilities that can collectively get an SMB well on its way to CMMC Level 3 (or NIST 800-171) compliance with far less struggle and cost. These are:
One: End-to-end encryption for email and file sharing
No surprise here, as PreVeil is well known for helping SMBs “… bang the heck out of a lot of the more challenging elements of CMMC,” as John puts it.
A number of Pivot Point Security clients have implemented PreVeil to support their DoD cyber compliance programs, with excellent results. Further, Sanjeev describes how a PreVeil customer aced a DIBCAC audit of their NIST 800-171 compliance posture thanks in no small part to their successful PreVeil implementation.
For particulars on how PreVeil can support CMMC compliance, see this PreVeil whitepaper on the subject.
Two: An SMB-friendly SIEM solution
As John notes, the right security information and event management (SIEM) solution can provide a similar value proposition to PreVeil for SMBs seeking CMMC compliance, in that a relatively small investment can yield big security and compliance results.
“One of the products that I particularly like for smaller orgs with CMMC is what used to be AlienVault—now it’s referred to as USM Anywhere, which is AT&T Cybersecurity,” offers John. “What I really like is not only does it package in your SIEM [and log management] capability, but also it includes asset discovery and asset management. You can also do vulnerability assessments through the tool, [along with] network IDS and some behavioral monitoring. You can get someone up and generating events and alerts and running scans and seeing data in the environment literally in hours. And you can begin to really optimize the solution over days or weeks, which from a complexity standpoint is pretty remarkable.”
According to John, USM Anywhere “touches on” 15 of the 17 CMMC domains, and either directly supports or helps you validate and monitor roughly 80 (which is about 60%) of the 130 controls at CMMC Level 3. Another big benefit is the tool’s ability to generate artifacts that SMBs will need to pass a CMMC or NIST 800-171 compliance audit.
Three: A strong, appliance-based antivirus system
You won’t even get to CMMC Level 1 (so-called “basic cyber hygiene”) without antivirus/anti-malware protection in play. Plus, with all the threats out there, what are you waiting for?
Four: Two-factor authentication
CMMC Level 3 mandates: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.”
That’s pretty broad-brush! A third-party or in-house expert with compliance experience can help you interpret what this and other CMMC authentication controls mean for your business. But the bottom line is that you’ll need to implement 2FA in line with the scope of your controlled unclassified information (CUI) to get through a CMMC Level 3 audit.
“If you basically take care of these four products/capabilities, you’re well on your way to CMMC compliance,” Sanjeev shares. “The rest of it is working with entities like [Pivot Point Security] to make sure that your systematic program collects the right artifacts, provides the right documents and demonstrates that you’re doing what these products and capabilities are enabling you to do.”
“I think the only other thing you might add to that list is some type of mobile device management (MDM)—if MDM is in play,” adds John.
“Simple systems and competent guides and an early start is the way to get to the Promised Land,” encapsulates Sanjeev.
“I think that might be our new motto!” laughs John.
Need to accelerate your CMMC Level 3 or NIST 800-171 compliance efforts? This podcast episode with Sanjeev Verma from PreVeil is just what you need to hear.