Last Updated on October 21, 2020
To give DoD subcontractors a big leg up on CMMC Level 3 compliance, Pivot Point Security CISO and Managing Partner John Verry recorded a special episode of The Virtual CISO Podcast highlighting the six key concerns that SMBs typically must address to achieve CMMC Level 3 certification—including solution advice.
This blog post talks about end-to-end encryption. Don’t neglect to check out our posts detailing the other five key concerns.
- Mobile Device Management
- Multifactor Authentication
- End-to-End Encryption
- Email Spam Protection and Sandboxing
- Logging and Alerting
How to Beat CMMC Level 3’s End-to-End Encryption Requirements
Within the CMMC’s Access Control practice and elsewhere, CMMC Level 3 mandates that all shared files and emails containing CUI need to be encrypted both at rest and in transit. How can SMBs manage this cost-effectively?
“There are an awful lot of places within CMMC where the concept of encryption comes into play,” notes John. “That makes sense because what [NIST] 800-171 and CMMC are trying to do is ensure the confidentiality of Controlled Unclassified Information (CUI)—and encryption is the single most significant way to provide that confidentiality.”
CUI must be encrypted both in transit and at rest to meet CMMC Level 3. This means you’ll need a solution that can encrypt emails and shared files end-to-end. Further, the solution’s cryptographic mechanisms must be FIPS-validated, to ensure it meets the US federal government’s encryption standard.
Unfortunately, the commercial versions of Microsoft 365 and G Suite cannot meet this requirement on their own. John frames two potential options:
- Move to an environment designed for higher-level government usage, such as Microsoft’s GCC High. Richard Wakeman, Senior Director of Aerospace & Defense for Azure Global, has written several excellent blog posts on Microsoft’s different email and file sharing environments in relation to CMMC and NIST 800-171 conformance, as well as ITAR [the International Traffic in Arms Regulations] compliance.
- Adopt a solution that works alongside your commercial instance of Microsoft 365 to enable end-to-end encryption, notably PreVeil.
It’s great to have options, but which is right for your business?
One current challenge with moving to GCC High is that Microsoft has thus far authorized only a handful of companies to help SMBs migrate to a GCC High license. Another issue is the consulting fees to migrate (roughly $10,000 to $50,000) plus a doubling to tripling of monthly per-user fees. The benefit of migrating, of course, is a seamless Microsoft environment.
With PreVeil, organizations can continue to use their commercial Microsoft 365 instance, but with a separate Inbox and Sent Items folder for encrypted emails. Encryption of CUI takes place pretty much automatically and transparently, and the solution is quick and cost-effective to roll out. PreVeil actually stores data at rest in Amazon’s AWS GovCloud environment.
“PreVeil is a very interesting software overlay that preexists CMMC,” John explains. “They happened to come up with a very clever answer to a question that CMMC asked.”
PreVeil can be the cheaper option because little or no consulting is required. Also, users that don’t handle CUI don’t need a PreVeil license, whereas Microsoft recommends moving your entire organization to GCC High even if only a few people touch CUI.
“If you happen to have 200 users and only 5 process CUI, then something like PreVeil might be a little bit more interesting. If you’ve got 200 users and all 200 process CUI, it’s probably a little less interesting,” John offers.
For companies that need to pass a CMMC Level 3 compliance audit, this special episode of The Virtual CISO Podcast with John Verry shares valuable insights from the kinds of conversations we’re having with SMB clients and prospects every day.
To listen to this show all the way through, and also access any of our other episodes, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you’ll find all our episodes here.