PreVeil’s recent webinar with our friend Jose Neto of PC Warriors covered how a small defense contractor achieved a near-perfect score on a NIST 800-171 DIBCAC audit. The webinar, led by our cofounder Sanjeev Verma, focused on how Dr. Neto advised and led the defense contractor to their remarkable score, successfully meeting 109 out of the 110 NIST controls.
Although the webinar lasted almost 90 minutes, there were many questions that our panelists didn’t have time to answer. In this blog, we answer some of the questions that were posed by multiple audience members.
Definitely, yes. The DoD’s CMMC documentation specifically notes “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) depending upon where the information to be protected is handled and stored.” PreVeil’s security model enables such an enclave approach and facilitates maintaining CUI strictly within PreVeil and the user devices that access PreVeil.
PreVeil’s detailed CMMC Level 3 System Security Plan (SSP) template, Policy documentation, Responsibility Matrix and Assessor’s Guide (including updates) are available to all our customers for a small monthly fee.
Most contracting vehicles have a requirement to protect CUI. In this case, the contractor was contracted by the government and told they would be assessed. They had a few months to prepare and then underwent the assessment.
It takes most defense contractors about a year to prepare for a compliance audit. That time covers not just figuring out how to meet the controls but also demonstrating maturity in them. CMMC preparation is not a test you can cram for. So, if you handle CUI today or expect to handle it through a DoD project in the near future and you want to handle your preparations correctly, you should start now.
PreVeil’s Email Gateway offers its customers a communication channel that enables them to seamlessly send and receive email with Primes or .mil personnel who are restricted from creating a free PreVeil account. Please reach out to PreVeil for more information.
PreVeil users should maintain anti-virus and anti-malware capabilities to protect their regular, unencrypted mailboxes. PreVeil’s encrypted mailbox can be protected by PreVeil’s Trusted Community feature, which restricts sending and receiving email to email addresses or company domains that have been approved by Administrators.
The key to scoping CMMC is in understanding every device and user that transmits, processes, or stores CUI in the organization. If it is possible to isolate these users and systems, then scope can be reduced accordingly. It is important to note that most commercial email and file systems are not CMMC compliant and must not ‘touch’ CUI at any time. PreVeil provides a separate end-to-end encrypted channel for zero trust communication and data sharing.