The Economics for CMMC Compliant Email and File Sharing

Last Updated on January 15, 2024

One area of the the new Cybersecurity Maturity Model Certification (CMMC) program that really effects suppliers in the US Defense Industrial Base (DIB): heightened compliance enforcement and a higher compliance “bar” to aim for.
The new CMMC is squarely focused on protecting Controlled Unclassified Information (CUI) in non-federal systems, both at rest and in transit. A major portion of that CUI moves via email and file sharing applications.

Do the most popular cloud-based systems for email and file sharing, like Microsoft Office 365, Google G Suite, Dropbox and Box meet US Department of Defense (DoD) requirements as specified in the NIST 800-171 and CMMC cybersecurity standards?

Well, yes… and no 🙂
If you are on a commercial version of Microsoft Office 365 and need to hit CMMC Level 3 compliance, you need to make some moves. One option is to upgrade to Microsoft GCC High. But is moving to Microsoft’s GCC High the best way for O365 users and others to achieve NIST 800-171 and CMMC compliance?
To get a fresh perspective on this vitally important question that affects many of the DIB’s 300,000+ suppliers, we invited Sanjeev Verma to join a recent episode of The Virtual CISO Podcast. Sanjeev is Chairman and co-founder of PreVeil, a cybersecurity firm with a CMMC-compliant email and file sharing solution that works alongside O365, G Suite, etc.
As Sanjeev points out, one of the biggest cost factors in achieving CMMC compliant email and file sharing is consulting fees. Obviously these vary widely, but they can be pretty steep. Per one of PreVeil’s case studies, it cost a 250-person company with only 50 staff handling CUI about $100,000 to migrate from O365 to GCC High.
Another potential cost concern is that Microsoft recommends migrating your entire organization to GCC High, not just the people who handle CUI. For the business just cited, it cost more than $10,000 more per month for the extra 200 GCC High license fees versus keeping those people on O365.
In comparison, annual PreVeil costs equal the number of users multiplied by $360 per person per year for unlimited email and unlimited storage for CUI. Most customers don’t need to pay any consulting fees, nor is it necessary to license people who don’t need the software.
Another benefit of PreVeil versus a migration to GCC High is time to benefit. According to Sanjeev, most SMBs are up and running on PreVeil in hours to a couple of days max, depending on how much upfront planning they do. Adding PreVeil to an existing email environment also foregoes the ongoing disruption of a “rip and replace” email system move.
One reason the PreVeil solution is less costly than GCC High is it wasn’t originally designed specifically with CMMC compliance in mind, but to improve security for any organization.

What if you’re a vendor and you want to flow down CUI to a supplier or subcontractor? “You can share CUI with a supplier and as a paying customer you can share up to 100GB of information to the supplier and the supplier can join for free,” says Sanjeev.
“The system was inherently designed for virality—to make it easy to communicate,” Sanjeev continues. “But it’s our subsequent hope that if you’re sharing with another company that that company at some point would say I want to be CMMC compliant and if my choices are better with PreVeil they also become a paying customer and now have access to more controls, etc.”
Companies in the DIB that are using cloud services for email and file sharing today but need to comply with CMMC Level 3 and/or NIST 800-171 should take a look at PreVeil. You can listen to the full episode of The Virtual CISO Podcast with Sanjeev Verma here.
If you don’t want to use Apple Podcasts, click here.