Defense Contractors and CMMC Compliance: 14 Important Questions and Answers

PreVeil had a great webinar last week with our strategic partner Simple Helix. The webinar, CMMC Compliance Doesn’t Have to be Scary, focused on helping Primes and subs understand how to develop a pragmatic approach to compliance. With so much anxiety currently around the topic of compliance, the webinar was both timely and instructive.
 
Many questions emerged during the webinar reflecting the concerns of defense companies and IT providers. The top questions are listed and answered below.
 
This list is by no means exhaustive. If you have a question about what you read below, just fill out the form at the bottom of this page and we’ll get back to you.
 

Key Questions

1. Have you had any customers stay on G Suite to be compliant with CMMC?
 
We have known people who have decided to stay with G Suite. Adding PreVeil allows them to do this and still become compliant. It’s a fantastic solution. However, whether or not this will work for you depends on your specific needs.
 
2. Which CMMC Level should we obtain? How do you know which level?
 
This just depends on the type of contracts you intend to pursue. Most contractors will go after level 3 but that doesn’t mean it’s the right level for your business. It’s important to talk with a CMMC Expert, like Simple Helix, to gain guidance on which level to choose.
 
3. To perform an effective gap analysis, does the company need to have completed a self-assessment using NIST 800-171?
 
The true GAP Assessment will have to be done by a Certified Assessor. If you’d like to do a mock GAP Assessment, you can view the CMMC Document at the link here. View the table included near the end of the document and compare your own policies and procedures to it.

 
4. Has a cost been established and published for the actual certification on each level?
 
Unfortunately, the cost of each level is unique to each business. So the short answer is no. You won’t be able to get a clear picture of cost until you talk with GAP Assessors, Implementors, and C3PAOs.
 
 
5. If I send an encrypted email to a .mil email address through PreVeil, how will my customer in DoD access that message?
 
End-to-End Encryption (E2EE) does rely on the ‘ends’ to handle encryption and decryption. If the recipient is a PreVeil user, even if only on their mobile device, there is no issue. If the recipient cannot install PreVeil on any ‘end’ device, they should use the PreVeil email gateway (Q1 2021) to relay mail to/from their PreVeil E2EE environment.
 
6. How would you define your enclave(s)? If I have 1k users and only 100 handle CUI, am I able to somehow have 900 users compliant to L1 and the other 100 to L3? Wouldn’t all L3 controls have to be in place throughout the entire enterprise?
 
You can split between the 100 and 900 users when using PreVeil. If you did GCC High, all 1000 employees would have to meet the CMMC Level 3 requirements. Some of the controls will cover the entire enterprise, but email and file sharing don’t have to. Scoping in your SSP is how you would manage the split allocation.
 
7. Can you use SharePoint with PreVeil?
 
PreVeil provides a separate, dedicated end-to-end encrypted (E2EE) cloud service that runs beside your existing services, requiring no changes. If you want to use both SharePoint and PreVeil in the same environment, no changes are made to the SharePoint systems and they work as before. The PreVeil Drive solution creates a new encrypted folder on your devices for E2EE file sharing and synchronization.
 
8. How do you know if an email contains CUI?
 
Each employee must be trained on the definition of CUI. It is each employee’s responsibility to label the email as CUI.
 
 
9. What are your recommendations for retaining logs and reporting?
 
Simple Helix recommends the LogRhythm SIEM Solution. This is something that we can sell to our clients or manage for them through our SOC services.
 
10. Even at a CMMC Level 1 will I need to have PreVeil or GCC High for encryption?
 
In short, no. The main practices that need to be met in Level 1 are Spam Filtering, Password Encryption, and Antivirus. You can learn more about what is required for each Level and the tools we recommend in the Simple Helix E-Book “Understanding CMMC Compliance”.
 
11. Is there search functionality in the PreVeil Drive solution?
 
PreVeil email can be searched normally if you are using Outlook as a client interface. In the browser interface, you can also search on sender, recipient, group, or message. For Drive, searching in Explorer or Finder works as expected; search in the browser interface is not supported at this time.
 
12. Can you confirm that 3.13.16 requires Data-At-Rest encryption when the data is not mobile but say at a facilities data center that follows a security in-depth approach with multiple levels of access controls?
 
The 3.13.16 practice requires contractors to ensure the confidentiality of CUI at rest is protected. The data must be encrypted at rest regardless of physical location. Simple Helix can recommend policies and procedures to meet this.
 
13. Does PreVeil work in the OWA version of Outlook? Many of our users who handle CUI do not have corporate computers and work only on customer sites/machines.
 
No, OWA is not supported because of the local proxy PreVeil uses with Outlook. These users can instead use Web PreVeil: as long as they have PreVeil installed on a mobile device, they can access web.preveil.com from any browser without installing software.
 
14. Which controls would you describe as the ones you see less commonly implemented or more challenging?
 
In Simple Helix’s view, monitoring log files is the most challenging. It is a requirement in Levels 3 through 5, with its own varying requirements within each. This practice usually means an employee must sit at a computer to view the logs. If anything happens to the logs, the individual has a designated length of time per Level to react to the situation.
 

To learn more about how PreVeil helps both Primes and defense contractors with CMMC compliance, visit our CMMC Compliance page.
 