Last Updated on June 9, 2021
The Cybersecurity Maturity Model Certification (CMMC) framework groups cybersecurity controls into 17 domains. Each domain defines various capabilities, processes and practices across five maturity levels, from basic to advanced cyber hygiene.
CMMC’s Access Control (AC) domain is among the most significant CMMC domains. It defines 26 practices organized into 4 capabilities covering all 5 maturity levels. These practices include some of the most fundamental cybersecurity controls, like limiting access to authorized users or devices and controlling the flow of Controlled Unclassified Information (CUI), including the use of encryption when storing, processing or transmitting CUI.
Can PreVeil, a cost-effective, end-to-end encryption solution for email and file sharing, help SMBs reduce the challenge of complying with the CMMC Access Control practices? Or quickly improve a NIST 800-171 self-assessment score?
To get concrete details and insights on the benefits of using PreVeil, a recent episode of The Virtual CISO Podcast featured with PreVeil co-founder and CEO Sanjeev Verma. Hosting the show is John Verry, Pivot Point Security’s CISO and Managing Partner.
Sanjeev explains that PreVeil is not just for exchanging email and files, but also for storing and collaborating on files. Hence it offers a range of access controls.
“In the PreVeil system, if you have a file and I’m collaborating with you, you and I can share that same file; you’ll get my edits, I’ll get your edits, etc.,” Sanjeev states. “More importantly for compliance, I can revoke that access with a right-click. Or give you time-limited access; for example, I can share with you for a three-month relationship, and at the end of it [your access to] the information disappears.”
“When you look at CMMC as an example, there are 17 domains in CMMC, and those 17 domains span 130 controls,” notes Sanjeev. “If you think of CMMC as the peak of Mount Everest, which is 29,000 feet high, NIST 800-171 [compliance] is probably 28,000 feet high. When you simplify it, the essence of these programs is about storing and sharing CUI in a manner that is substantively more secure than the systems that you’re used to. Which means that you’re using encryption a lot, and you’re using sophisticated means to access information.”
“As an example, in the past we were using passwords,” continues Sanjeev. “Those passwords became more complex, and we added 2FA. When you look at these mechanisms for access control, etc. in PreVeil, there are no passwords. You access the system through encryption keys that are stored on your devices, which has two benefits. You can’t guess the key like a password, because the key is like the atoms in the universe. And since the key is tied to your device, you cannot access this system remotely. And the user doesn’t have to do a thing—it just happens auto when you join PreVeil.
“Many listeners may be familiar with the Signal encryption app, and PreVeil functions similarly: you join the system in a matter of minutes, it creates a key that’s tied to your device, and now only you can access your information and no one else. So an attacker that’s remote can’t do so,” Sanjeev points out.
With its system of password-free access using encrypted keys, PreVeil radically improves your secure access to data. It offers rich sharing permissions; e.g., someone can read the data, edit it as well as read it, share it with others, or just view it without the ability to download it. None of this requires the end-user to know anything about the underlying cryptography.
If you’re looking to streamline your company’s CMMC Level 3 or NIST 800-171 compliance efforts, don’t miss this dialog with Sanjeev Verma from PreVeil.