August 11, 2020

Last Updated on January 12, 2024

cmmc email encryption
The tidal wave of Cybersecurity Maturity Model Certification (CMMC) compliance assessments and certifications is coming soon for 300,000+ US Department of Defense (DoD) suppliers and others that work with the US federal government. Heightened enforcement of NIST 800-171 compliance is already here for members of the Defense Industrial Base (DIB).
But with CMMC enforcement not yet in full swing, many subcontractors are still in a “wait and see” mode on how to deal with these new standards.

What does CMMC and/or NIST 800-171 compliance really mean for your business? What do you actually have to do to achieve compliance?

Addressing those questions is the total focus of a recent episode of The Virtual CISO Podcast that features Sanjeev Verma, Chairman and co-founder of PreVeil, a cybersecurity startup that offers a CMMC-compliant email and file sharing solution.
According to Sanjeev, the NIST 800-171 and CMMC requirements mandate multiple encryption levels for CUI, storing it in compliant facilities (e.g., where it can only be accessed by US citizens), ensuring it is available for forensics, and more.
“From a practical perspective what it means for CMMC is two of the go-to systems that people have in the cloud, which are Office 365 and G Suite—both are ineligible systems,” Sanjeev underscores. “If I’m running my own Exchange server and am reasonably sophisticated and have a decent IT/information security team I should be able to make that compliant, but it’s a bunch of work.”
But managing email on-premises is not affordable for many of the 300,000 DIB suppliers, perhaps 90% of which have less than 1,000 employees.

So what about a move to GCC High, Microsoft’s cloud for DoD and other federal contractors that need to comply with NIST 800-171 and/or CMMC? While it is a step towards NIST 800-171 and CMMC compliance, that option can also be onerously time-consuming and expensive.

As Sanjeev explains, these are the basic migration steps Microsoft recommends:

  • The first step is to receive validation from Microsoft that you are eligible to move to GCC High.
  • Next, connect with a GCC High reseller (there are currently less than 10) to setup a consulting agreement to replace Office 365 with GCC High.
  • Even for smaller organizations, the time period for the migration is generally 4-6 months and costs a minimum of approximately $25,000 up to $100,000 depending on company size and other factors.
  • To avoid technical problems, the strongly recommended approach is to move the entire organization to GCC High, not just the subset of staff dealing with CUI. This significantly increases the per-user monthly licensing fees, which are more than double the cost per user for GCC High (from about $30/user/month to closer to $90/user/month in most cases).

Sanjeev cites a current PreVeil client that is a 250-person small manufacturer with just 50 people handling CUI. They had to move all 250 people to GCC High, at a cost of $50,000 in consulting fees plus much higher ongoing licensing fees.
“When you look at a migration [from Office 365 to GCC High] it starts to add up and becomes a pretty serious dent,” Sanjeev understates.
Fortunately for SMBs in the DIB, other options have recently opened up. The US State Department issued an interim “carve-out” ruling in December 2019 that became permanent in March 2020, which says that you can use commercial cloud services to store and transit ITAR data (and, by extension, CUI), provided the information is encrypted end-to-end and the encryption keys are never accessible to the cloud provider.
To find out more on how to bring your email and file sharing systems into compliance with CMMC and NIST 800-171, you can listen to the full episode of The Virtual CISO Podcast with Sanjeev Verma here.
If you don’t use Apple Podcasts, click here.