PreVeil’s recent webinar with our friend Jose Neto of PC Warriors covered how a small defense contractor achieved a near-perfect score on a NIST 800-171 DIBCAC audit. The webinar, led by our cofounder Sanjeev Verma, focused on how Dr. Neto advised and led the defense contractor to its remarkable score, successfully meeting 109 out of the 110 NIST controls.
Although the webinar lasted almost 90 minutes, there were many questions that our panelists didn’t have time to answer. In this blog, we will look to answer some questions that were posed by multiple audience members.
Question 1: Can I become CMMC L3 compliant using PreVeil as my boundary for CUI?
Definitely, yes. The DoD’s CMMC documentation specifically notes “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) depending upon where the information to be protected is handled and stored.” PreVeil’s security model enables such an enclave approach and facilitates maintaining CUI strictly within PreVeil and the user devices that access PreVeil.
Question 2: Are there sample policies or templates you can share?
PreVeil’s detailed CMMC Level 3 System Security Plan (SSP) template, Policy documentation, Responsibility Matrix and Assessor’s Guide (including updates) are available to all our customers for a small monthly fee.
Question 3: Why would a contractor have less than 6 months to prepare for an audit when the CMMC ecosystem is barely up and running?
Most contracting vehicles have a requirement to protect CUI. In this case, the contractor was contracted by the government and told they would be assessed. They had a few months to prepare and then underwent the assessment.
Question 4: How do I encourage my company to get on board with CMMC and convey the urgency of beginning preparations?
It takes most defense contractors about a year to prepare for a compliance audit. That time covers not just figuring out how to meet the controls but also demonstrating maturity in them. CMMC preparation is not a test you can cram for. So, if you handle CUI today or expect to handle it through a DoD project in the near future, and you want to handle your preparations correctly, you should start now.
Question 5: How can I communicate securely with my upstream military agencies or Primes who do not have PreVeil?
PreVeil’s Email Gateway offers its customers a communication channel that enables them to seamlessly send and receive email with Primes or .mil personnel who are restricted from creating a free PreVeil account. Please reach out to PreVeil for more information.
Question 6: Does PreVeil eliminate the need for antivirus and anti-malware?
PreVeil users should maintain antivirus and anti-malware capabilities to protect their regular, unencrypted mailboxes. PreVeil’s encrypted mailbox can be protected by PreVeil’s Trusted Community feature, which restricts sending and receiving email to only those email addresses or company domains that have been approved by Administrators.
Question 7: How do we reduce scope in a federated organization such as a university?
The key to scoping CMMC is in understanding every device and user that transmits, processes, or stores CUI in the organization. If it is possible to isolate these users and systems, then scope can be reduced accordingly. It is important to note that most commercial email and file systems are not CMMC compliant and must not ‘touch’ CUI at any time. PreVeil provides a separate end-to-end encrypted channel for zero trust communication and data sharing.