Summary
In this episode of the Virtual CISO Podcast, host John Verry speaks with Sanjeev Verma, chairman and co-founder of PreVeil, about the intricacies of CMMC compliance and the importance of cybersecurity. They discuss:
- The delays in CMMC implementation, key elements of the new regulation, and the importance of being prepared for compliance.
- The complexities of compliance with CMMC regulations, the importance of documentation, and the implications of using cloud services and VDI.
- The fact that compliance is an ongoing process requiring annual affirmation, and that organizations must be proactive in their cybersecurity measures.
- The necessity of flow-down requirements and the role of encryption in protecting sensitive data.
Sanjeev Verma biography:
Sanjeev Verma is the Chairman and Co-Founder of PreVeil, the leading provider of end-to-end encrypted email, file-sharing, and documentation solutions tailored for Small and Medium Enterprises pursuing CMMC, DFARS, and ITAR compliance. PreVeil serves over 1,500 defense contractors and higher education institutions. Previously, Sanjeev co-founded Airvana, where he grew the company from startup to a global leader in CDMA 3G wireless data infrastructure, reaching over $500 million in annual sales as a publicly traded company. He holds an MBA from MIT Sloan, an MS in Electrical Engineering from the University of Rhode Island, and a BE in Electrical Engineering from Delhi College of Engineering.
John Verry (00:00)
You look good, sound sounds good. My sound sounds good to you, you know? Cool. All right, then let’s kick this bad boy off. Hey there, and welcome to yet another episode of the Virtual CISO Podcast. And with you, as always, is your host, John Verry. And with me today is somebody who I haven’t spoken with on the podcast in quite a while. I looked it up. Sanjeev Verma. Hey, Sanjeev.
Sanjeev Verma (00:04)
Absolutely.
Hey John, how are you? Pleasure to be here.
John Verry (00:25)
I asked. It’s good to have you back, good to have you back, and I’ll cover that in a second. You know, I always like to start simple: tell us a little bit about who you are and what it is that you do every day.
Sanjeev Verma (00:35)
Well, I’m chairman and co-founder of a company called PreVeil, P-R-E-V-E-I-L, and we are providers of an end-to-end encrypted email and file sharing system, along with documentation, that helps defense contractors, healthcare companies and others, but specifically defense contractors, comply with CMMC and ITAR and the DFARS regulations. I think we’re, even though a small company, probably the largest provider of CMMC and NIST compliance services to SMBs. We’ve now, since we last spoke, added 1,500 customers. But at heart, we are a cybersecurity company first, and a company that uses its strong heritage of cybersecurity to really make compliance simpler, cheaper, and easier for small and medium businesses.
John Verry (01:35)
Good, and for the record, for anyone listening, we’re fans of the PreVeil solution. We have recommended it to a number of clients, and they are all happy and feel like it does what they thought it was gonna do, which is really all you want. Last time we chatted... I always ask, what’s your drink of choice? Last time, I know we got into a very interesting conversation about wine. I don’t remember it all, but I do remember that there was a particular wine that you told me about that I hadn’t known before, and you promised to send a bottle, and you never did. So that’s really the prevailing memory of our last call.
Sanjeev Verma (02:02)
Uh-huh.
So we need to find out what that bottle is, and then...
John Verry (02:05)
I don’t know, but it was very expensive. That’s what I remember clearly. So, are you still drinking a lot of wine?
Sanjeev Verma (02:15)
I do, but I’m going to talk more in this segment about my other interest, which is... I’m going to talk about green tea today. Yeah. So I happen to enjoy and start my morning off with green tea. I’m a huge fan of Japan, and so over the years I have developed a kind of reverence for not only the tea, but the way it’s consumed, the thoughtful and mindful way in which the Japanese have made it a part of attentive consumption. And so let’s talk a little bit about my otherwise, which is green tea.
John Verry (02:58)
So matcha, gyokuro, sencha, what’s your... you know, because there are some great... I mean, green tea is such... I mean, when you get into green tea, there are literally, I don’t know, certainly many dozens of alternatives.
Sanjeev Verma (03:10)
Yep.
Yeah, three. I’ll talk of three that are the most common. The first is sencha, which is like an everyday, you know, green tea. And the second is what you were referring to as gyokuro. Sencha is hotter. It’s more everyday. Gyokuro is consumed more at, you know, 50 to 60 degree temperatures. It’s cooler, sweeter slightly, and in smaller quantities. And then people are familiar, I think, a little bit more with matcha, which is the whipped powder green tea. And it’s what’s most closely associated with the tea ceremony in Japan. And so I kind of enjoy sencha on a daily basis and matcha as a specialty. And what’s been an interesting thing for me is that the preparation of these things requires precision. And I’m particularly fond of boiling the water in a cast iron tea kettle, which the Japanese call a tetsubin. And a fun fact about that is that I got on a mailing list to get a tetsubin from a Japanese craftsperson called Suzuki Morihisa, 15th generation crafters of this tea kettle. All it does is just boil water. John, it took me three years to get that kettle. That’s how long it takes for you to get it. But it’s an exquisite piece of art, very, very simple, beautiful and perfect in what it does. And I start my morning with a sencha brewed in my tetsubin.
John Verry (04:58)
I have a Japanese friend who is very into it the same way and has probably the same, and I won’t dare say what they cost because I know what he spent on his, but they’re amazing. Yeah, it is. It’s a piece of art, and it is... It’s almost, in a weird way, almost an experience, a religious experience to do it. You know what I mean? Hold on one second before you answer that. Let me grab this real quick.
Sanjeev Verma (05:09)
I agree. I’m gonna see what happens.
John Verry (08:10)
Thank you, sir. And thank you. Can you hear me? Okay, good. And thanks to whoever’s editing this. I apologize. So let me... so we are still recording. Go ahead.
Sanjeev Verma (08:14)
Yeah, I can hear you.
No worries. So, yeah, so yes, I absolutely agree. I think it’s, I’ll call it, akin to a spiritual experience. And there are two aspects of it that appeal to me. One is that one pays attention, and too often in our lives we’re not paying attention to each other and to the things that we’re consuming and interacting with. And so the act of having the tea in the way in which the Japanese do makes me be attentive to things. And the second aspect of it, which I enjoy, again, starting my morning with this 14th generation cast iron teapot, is that it embodies excellence. It embodies an extreme simplicity and refinement and excellence. And I think those two attributes set the tone for the day for being attentive and for pursuing, in every little way that I can and every little way that we can as a company, the spirit of getting better and the pursuit of excellence.
John Verry (09:34)
Yeah, I’m not gonna... and we won’t talk any more about tea, but I’m not gonna get mad at you for telling me that I’ve been mispronouncing gyokuro and drinking it at the wrong temperature.
Sanjeev Verma (09:44)
Well, I will say one thing as we move on. You’re in New York City, and actually you’re blessed to have the finest Japanese tea purveyors. It’s called Ippodo Tea, and it’s in Midtown, and they are Japan’s, I think, finest tea purveyor, and that’s where I first got introduced to it, in Kyoto. And then I’m so delighted that now it’s in New York, and when I’m there I often go and have a cup over there, but I certainly order online from Ippodo. It’s I-P-P-O-D-O, in New York City.
John Verry (10:22)
Hopefully there’ll be a sponsor soon. So, you know, I was amazed. I looked back. I mean, we spoke in January of 2020. So if I had told you in January of 2020, when we were talking about CMMC, that we would have a podcast on November 1st, 2024, and it still would not be in effect, would you have believed it?
Sanjeev Verma (10:30)
Mmm.
Part of me says no, but part of me says yes, because I have grown to be a huge fan of government. And so I expect government to take extraordinary amounts of time. And so nothing, when it comes to the government, surprises me. But I kind of, actually, my slight sarcasm apart, sort of look at it as a little bit of a blessing. And here’s why. I do think that, had things moved faster... the time it took has actually been beneficial for the providers of solutions to refine things, to understand it, and to prepare for getting large numbers of companies that actually don’t understand what they’re getting into at all, to get them familiar with it. Because if it had just come out and been the law, we would have seen massive failures, you know, because the providers weren’t ready, the adopters weren’t quite ready for a pretty sophisticated standard. So in hindsight, while I’m not a huge fan of the long delays, I do think that in this particular case it probably serves a good purpose in getting people methodically, you know, ready for this journey, which is going to be not an easy journey.
John Verry (12:12)
Agreed. So it’s been a crazy five-plus years at this point since we’ve really been talking about CMMC. So the final rule was published October 15th, you know, and goes into effect on December 16th. It’s 400 pages long, so I’m going to assume the vast majority of the folks who are listening to this, or who have listened to this, have not read the entire thing, as most of us haven’t. So what I’m hoping we can do today is just go over what I’m going to call the most important elements of that rule,
Sanjeev Verma (12:25)
Yes?
John Verry (12:42)
and give people sort of the Cliff Notes, if you will.
Sanjeev Verma (12:48)
Happy to do that. We have certainly had people... I will admit, I haven’t myself read it, but teams within PreVeil have read every single page of those 400. So let’s get into it.
John Verry (13:00)
Cool. Where do you want to start? What would you say is the most significant element to discuss first?
Sanjeev Verma (13:06)
So I think let’s go into the Cliff Notes version of it. The first thing I would say is, let’s start with the fact that I don’t think that there are very many changes that are surprises. So the fundamentals remain the same as what everybody was expecting, which is that it requires companies that hold controlled unclassified information... And I should start by saying, I’m going to focus my discussion at level two and companies that are handling CUI. We will not address very much about level one and level three. So if you’re at level two, you’re a company that has the DFARS 7012 clause in a current contract, you handle CUI. And so the rule reaffirms and says, you’ve got to implement the 110 controls of NIST 800-171. And for the most part, with very few exceptions, you have to get a third party assessment from what’s called a C3PAO, a CMMC third party assessment organization, to basically certify that you meet those obligations. And that’s what’s going to be increasingly required for you to be eligible to bid on defense contracts. So that was the first element of the regulation. The second element of the regulation was that it specified that there is going to be a four-year phased rollout. So as you mentioned, the regulation goes into effect on December 16th of 2024, this year. And what that means is that assessments can begin on December 16th by C3PAOs. But there is a parallel regulation called CFR 48 that is still in the works. Its comment period has ended. And that CFR 48 is actually what allows the DoD to insert CMMC as a requirement in future defense contracts. That is expected to be the law sometime in the middle of next year. So when do you expect to see it in contracts? Middle of next year. So with that, what’s this four-phase rollout? So phase one is going to be, call it, middle of next year to 2026. And in that, there will be select contracts that will require CMMC. That’s when the program kind of gets going. And there may be some room for self-assessments to be accepted. But since there’ll be CMMC assessments going on starting December 16th, you will start to see a few contracts, and primes will start to say, listen, if I’m putting a bid together for one of those contracts, and we don’t know what those contracts will be, it will start separating the folks in the defense industrial base into those that have prepared and are ready for compliance versus not. So that’s phase one.
John Verry (16:15)
Yeah, and the primes are already starting to tell people, like, look, we want you to get certified early on in the process. Even if it’s not a requirement of the contract, we feel that it makes our team a stronger team to be able to demonstrate that everyone has their CMMC in place.
Sanjeev Verma (16:29)
And that’s a very critical point, because when I speak to these four phases, people may grossly misunderstand that: first year, a few contracts, and in the second phase, as I’m going to say shortly, more contracts. So that means I’ve got a lot of time to do so. And that’s completely wrong, because the government’s perspective is, you were required to fulfill DFARS 7012, which means you were required to have NIST 800-171 protections for the past several years.
John Verry (17:01)
Yes, since 2017. I mean, this is seven years, right? So this is not a new requirement. And anyone who says, hey, this is crazy, you’re putting all these new requirements on us... we’re not putting any new requirements on you. In fact, if you tell me they’re new to you, that means that any contract, any invoice that you’ve sent is subject to the False Claims Act. Because every invoice says we are compliant.
Sanjeev Verma (17:05)
Seven years.
Absolutely. And so the first part of it is that you were supposed to be compliant with those regulations. And all CMMC is saying is, I’m not going to just take your word for it. I’m going to have an assessor assess that. And what you correctly pointed out is, if you’re a prime and saying, I’m going to go put a bid together, two things drive their thinking. Number one, they don’t know what contract could ask for CMMC, and therefore they have to be prepared to bid on any contract. And second, if you’re a supplier to them, you don’t know which supplier is going to be required for which contract. And so if you’re a supplier, unless you’re prescient and you know, I know exactly which contracts, or you’ve decided to sit it out, then you have to be prepared. Even though you may not be certified, you’ve got to be prepared, because then you can tell the prime, look, I’m ready, and as soon as the contract comes, we’re ready to go. So phase one, while it will have a smaller number of contracts, from the perspective of a DIB company, you’ve got to be ready right now. And if you haven’t started, as you, John, correctly pointed out, A, you’re subject to the False Claims Act right now; B, better get started, unless you’re saying, look, I’m getting out of this thing or I have decided not to bid on this.
So that’s...
John Verry (18:52)
Yeah, on that new contract thing, I also heard an interesting perspective from a prime I was speaking with. They said, even if the contract doesn’t require it now, we know that as the rollout goes on, it might require it on refresh. So a year in, let’s say they want to renew the contract; at that point the clause might be in place, and they don’t want to partner up with somebody that becomes integral to the program and then has to be removed from the program because they haven’t achieved CMMC.
Sanjeev Verma (19:20)
Very critical. And so that’s the other part, which is, you correctly point out that if you have an existing contract, they could convert that into a requirement for CMMC. So the bottom line is you have to be prepared right now. There is no skedaddling out of this thing. And there’s a difference between being prepared, which means ready for assessment, and actually getting assessed. And it may very well be that you get assessed in 2026 or whatever, but let’s say that, you know, A, a prime calls on you, you say, look, I’m ready, here’s my documentation, here’s my self-assessment, and if you want to bid, we’ll immediately go in for an assessment. Or if you don’t have to, wait till 2026. But I want to draw the distinction: being ready is of absolute criticality. And then when you get assessed could be in 2026, ’27, because then those subsequent phases come in. And the phases really are: 2026 is phase two. More contracts are going to have the CMMC clause in there. 2027, level three, which has even more requirements, will apply to a subset of the biggest primes. But more contracts will require even more. And then in phase four, all contracts, more or less, will require CMMC. So that’s the second aspect of what the regulation said for the phased rollout. Yeah.
John Verry (20:52)
Quick question for you. On the CFR 48, do we know, is that restricted to just DoD? Or... NARA classifies 20 or so groupings of CUI, of which defense information is one, right? So financial, law enforcement data, things of that nature also could be CUI.
John Verry (21:17)
Does this vehicle open up the idea that we’re going to start... because we’re seeing it in, like, universities right now. Like, a lot of universities that are processing CUI as part of their research are being pushed to 800-171, and they’re even going to CMMC already. Do you think that this contract vehicle that is being put in place has the ability to immediately be leveraged by other agencies to protect their CUI?
Sanjeev Verma (21:40)
Great question. So CFR 48, as I understand it, specifically applies to DFARS, defense acquisitions. Universities are obviously included because they are beneficiaries of DoD funding, and so CUI and CMMC apply to them. However, what you’re referring to is also happening, because education is now going to require more and more that, say, student financial aid data is considered CUI.
John Verry (21:48)
Okay.
Hmm.
Sanjeev Verma (22:10)
PII is considered CUI. And CUI is a federal-wide mandate. And so you’re going to see similar regulations where the Department of Education will start asking for it. And coincidentally, just this month, they’re going to start the notice of proposed rulemaking for them to classify student financial aid data as CUI. So the bottom line is it applies to education as part of DFARS.
John Verry (22:12)
Mm-hmm.
Sanjeev Verma (22:38)
But it’s a federal-wide mandate, and more and more folks are going to be coming in. And we are pleased, actually, that one of the first educational institutions that got through the CMMC thing was our customer. It’s Virginia Tech Advanced Research Center. They just finished the Joint Surveillance CMMC program and came through with flying colors. So stay tuned for more on that. So that’s the CFR 48.
John Verry (22:42)
Okay.
Sanjeev Verma (23:08)
The third thing I think that your viewers may want to understand is, what does compliant and CMMC level two certified mean? And the answer is a minimum score of 88. And so what is this 88? So even though there are 110 controls, you can be CMMC certified with an 88 score at level two, provided it meets a few things. Number one, none of those 88 will be things that are one-pointers... I mean, two-pointers or more. In other words, if you have a control, it has points associated with it. It could be one, two, or more. No control that has two or three points can be something that you can POA&M, in other words, have a program of action and milestones for. So you must meet all the two- and three-point controls.
Sanjeev Verma (24:09)
and they count towards your 88. But it does allow you to have a program of action and milestones, in a 180-day period, to defer meeting some of those one-point controls. So it gives you the latitude to be compliant with an 88. You can finish the rest of those in 180 days. But I want to re-emphasize: those 88 points, those controls, cannot be two- and three-point controls. So there is some flexibility, but the magic number is 88. So that’s what the rule clarified. And then it went into clarifying other things, about if you’re using a managed service provider, as an example.
John Verry (24:56)
This is a big one, Yep.
Sanjeev Verma (24:58)
Okay, so let’s talk a little bit about that. So if you’re a managed service provider, you do not necessarily have to be yourself certified at CMMC level two. The regulation clarifies that. But there is a however. So first, let’s talk in general terms about what a managed service provider could do for you. You know, they could be managing your computers, they could be running a SIEM, they could be providing you antivirus, and a whole slew of capabilities that are pretty useful for you to become CMMC compliant. So the managed service provider doesn’t have to have their CMMC level two certification themselves. However, the external service provider, ESP, of which MSPs are one category, will be part of your CMMC compliance boundary if you are an organization seeking CMMC certification. So let’s say I was using John, your firm, to help me, and you were an external service provider. I don’t need to ask you to be CMMC level two certified, but you’re gonna be part of my assessment. So you will have to have the 800-171 controls for the services that you’re providing, and now you’re part of my assessment. So it has two implications for the service provider. Let’s say you’ve got a few defense customers, one or two, fine, you implement the controls, you’re part of the customer’s assessment, and you’re okay. But if you’ve got a lot more defense customers, then you’re actually better off being CMMC level two certified yourself. Because otherwise you’re going to be part of every single assessment. You’ve got to sit through the assessment, and it’s a royal pain. Whereas if you say, I’m level two certified myself, it’s game over, you can provide the services. And so again, it’s a way by which managed service providers or external service providers can differentiate themselves. But the rule did give, again, the flexibility that you do not yourselves need to be CMMC level two certified.
John Verry (26:49)
So let’s talk a little bit deeper about that, with the MSP and what... so to me, I think if you look at the CMMC scoping guide, right? And you look at the... some of the stuff’s obvious. What’s a CUI asset, right? Some of the stuff’s a little more fuzzy. What’s a security protection asset? What’s a contractor risk management asset? And I think they tie into this subject we’re talking about. So let’s say that someone is hosting...
John Verry (27:46)
So I’m working with an MSP, and we’re doing backups to their cloud. Now that backup, let’s say it has CUI. Okay, so that becomes part of my scope, right? That becomes part of my CMMC scope. So what’s gonna happen is, during the audit, I need to validate, or the auditor needs to validate, that the ESP is protecting... the relevant controls out of 171 that apply to that, what now becomes a CUI asset, right? That’s gonna be the obligation of the auditor and the obligation of the entity that’s outsourcing to that ESP to validate, correct?
Sanjeev Verma (28:27)
Correct. So I think I want to step back. I always like to start simply, and there will always be kind of corner cases, et cetera. Let’s start with where things are clear. There’s a CUI asset. And what is a CUI asset? If you are storing, sharing, processing CUI, using some technology to do that, that’s a CUI asset. And at PreVeil, we store, process, and share CUI, though
John Verry (28:47)
Mm-hmm.
Sanjeev Verma (28:56)
if we do it fully end-to-end encrypted, so in a sense, we don’t actually see it. But since we are involved with the storage and sharing, the regulations say that if you’re using a cloud service, it has to be FedRAMP Moderate equivalent or have an ATO. It’s very clear. And the regulations for what equivalent is are defined by the DoD. All of that is super clear. Now comes the next level of what’s a security protection asset. So let’s say you’re a managed service provider, and you’re providing a service like antivirus or something that is not storing, processing, or sharing CUI, but is actually being used to protect the technology, as an example, that is storing, processing, and sharing CUI. So that’s the difference. So it’s a security protection asset. It doesn’t need to be FedRAMP Moderate equivalent. It doesn’t need to have an ATO. That was clarified by that. CUI, very clear. A security protection asset is an asset that’s protecting the CUI store, share, and process technology. Then come these kind of contractor risk assets, which are... it’s not really expected to ever store and share CUI, et cetera, but could accidentally, or for some reason, touch CUI. And so they clarified that, look, if it does something like that, then you should have NIST 800-171 controls over it. And then the final thing that the regulations, I believe, have clarified is that if you have these things called specialized, you know, OTs or specialized assets, think of IoTs, they basically said, look, just list those things. They don’t really need to be, you know, adhering to NIST 800-171. Now, will there be some gray areas over here? Absolutely. But it does clarify and say, look, if you’re storing, processing CUI, here’s what applies to you. If you are a security protection asset, here’s what applies to you. If you’re a contractor risk asset...
John Verry (31:11)
But let’s put that to a couple of simple examples to pass that test, because I think it does get fuzzy relatively fast. So again, to the... someone is storing, my MSP is storing backups in their cloud, in their environment. Is that considered... so we’d argue that’s a CUI asset. By definition, are they a CSP at that point? Because they’re not, from a NIST 800-145
Sanjeev Verma (31:13)
Yeah.
John Verry (31:37)
perspective, right, which is the government’s definition of a cloud service. They’re not a cloud service. So are they a cloud service or not at that point?
Sanjeev Verma (31:41)
Yeah, you know, I guess, look, I’m speculating. I cannot opine on it as a definitive authority, but I will. Yeah. But I would say that I think that they would take the position that if it’s a backup, you know, in essence, you’re not a cloud service provider. That’s the right way to look at it. But I think that a pragmatic way to kind of deal with it would be to say, hey, listen, you know,
John Verry (31:50)
Okay, we have to wait and see.
Sanjeev Verma (32:11)
the backup is an encrypted backup, you know, so we don’t see it, and that kind of helps you make the further case that it’s not really, you know, doing so. But time will test these kinds of...
John Verry (32:25)
Okay, all right. Another use case, right? What if we’ve got an MSP? They’re just providing break-fix on site, logging into our systems and things of that nature, but they’re not taking any of our data. So they have administrative access. At that point, they’re an ESP. They’re within our scope. I’m curious what you think: what controls would apply to them? Human resource controls, physical, like, do we know how we’re gonna define what controls are relevant to that use case?
Sanjeev Verma (32:59)
You know, again, this gets into those very specific things about how exactly they’re doing it. I would think that some of these access controls will probably apply to them. But I think that careful design of your CMMC program, to kind of minimize the exposure and minimize the access that they have, is what I would say is the prudent thing to do. So try to limit it, if you’re an external provider, to the bare minimum, as opposed to trying to argue, I’ve got access to everything, and now I’m having some kind of legalistic argument that says the regulation shouldn’t apply to me. That’s kind of the common-sense advice that I would offer.
John Verry (33:29)
Absolutely.
Gotcha. And then did you interpret the specialized asset guidance as being that the OT, so the shop floor, if you will, CNC systems, things of that nature, that CMMC is not yet applicable to them? They’re gonna be within the SSP, but the 110 controls, because they would be difficult considering the construct of those controls... right, for now, they’re not in scope. I mean, they’re in scope, but they’re not...
Sanjeev Verma (34:02)
That’s our... yeah.
Very difficult. Yeah.
John Verry (34:16)
the CUI, the 171 controls, are not going to be assessed against them. Okay.
Sanjeev Verma (34:21)
That is our understanding, but as our team tells us, list them. That’s it. You say, hey, these are specialized assets, and I’ve listed them, and off you go.
John Verry (34:35)
Gotcha. So one of the other things which was interesting to me, and I’m curious as to what you think the impact’s gonna be and how people are gonna deal with it, is the annual affirmation of compliance.
Sanjeev Verma (34:47)
So, great question. What I say is, number one, understand that compliance is not a one-and-done thing. Many people think, okay, it’s some kind of a certificate. I’ll do whatever scramble I’ve got to do, I get the certificate, I’ll put it in some file and then wave the certificate. It’s not like a driver’s license that you get and then it’s valid for three years, or whatever time it is, and you can flash the driver’s license and get along with it. The requirement is that an executive, a senior executive of your firm, has to annually affirm that you’re abiding by the compliance requirements, that your systems are up to date, that they continue to meet it. It wasn’t that you met it on, picking a date, January 1 of 2025, and since then nothing has happened. In a practical way, what I suggest over there is, number one, keep your documentation up to date. And at PreVeil, this is one area that we actually help a lot with. So we found very quickly that not only do we need to go and protect CUI with our end-to-end encrypted email and file sharing, but we also now provide very thorough and very extensive documentation to our customers on how the control is met and how they should meet their part of the controls, et cetera. So it saves a lot of money, but it also helps them meet this ongoing obligation, because we are providing them the docs, we’re updating them. They can basically go and then say, look, here are our docs, they’re up to date. We can now, based on what the vendor’s providing us plus our internal processes, et cetera, use them as an objective means to say, I can affirm that I am compliant. So if you’re a CEO, that’s a much better way for you, with objective evidence and updated docs, versus, again, trying to wing it and say, okay, I got it at that time, now I signed something. But if they poke a hole in there and say, well, what about this control? Did you update it? Did you do X with it? Has your process been updated? And you say, oops, I don’t have any process with it. So we look for ways to simplify it for our customers, and the way we’re handling the affirmation requirement is by saying, look, here’s the documentation, we’ll keep it up to date, and it makes it a lot easier for you to affirm it.
John Verry (37:32)
Yeah, I wonder if it’s going to... so one of the byproducts of Sarbanes-Oxley 404, which has similar requirements, someone in senior management needs to sign off on the controls over financial reporting. That has launched a cottage industry worth hundreds of millions, maybe billions of dollars, right? Because no one wants to sign off on something without some evidence of, right, of how, a basis for their opinion, I guess is the way I would say it. So I wonder if we’re going to see again the same hesitancy by senior management to sign off, risk False Claims Act type activities, and, hey, I should have a third party come in and then I can sign off. My affirmation is based on, hey, I hired a qualified third party to validate this. That’s the basis for my opinion. And in the event that something goes wrong, that they would at that point...
Sanjeev Verma (38:03)
Exactly.
John Verry (38:29)
they wouldn't be, quote unquote, held liable in any way, right? Because they had a valid basis for their opinion.
Sanjeev Verma (38:34)
So I think that's fair, and I think organizations are going to fall into a couple of categories. I can see a larger organization being a customer of the cottage industry that you refer to, which may very well be, look, if you're helping a company get compliant, you can offer them a service that says, for a couple thousand or whatever, maybe a little bit more, you'll go the next year, you'll go and take a look at the docs and you say, I looked at it, it looks fine, executive, you can sign.
In there, you have, as your objective evidence, PreVeil's updated documentation. Because we are proactive with it, we're going to go provide you with documentation. And we touch like 102 controls out of the 110. So we'll say, here's the updated doc. And so in your case, you can use that. There may be a second category of smaller companies that, you know,
probably don't want to hire people to kind of do that. And in that case, again, we say, hey, here's the objective evidence from the vendor, et cetera. And you can use that as a basis for you to kind of do that. But under no circumstances should you ignore it and say, I have no objective basis to sign this thing, and I'm kind of winging it. In that case, you are taking legal and undue business risk.
John Verry (39:58)
Yeah, the one thing, you keep referring to documentation, let's just make sure, in my humble opinion, documentation is not only policy, procedure, standard type stuff, but it's also gonna be the operational artifacts to evidence the fact that these things take place. So if we're saying you're doing user account management reviews, it's not the fact you have a policy that says that, it's the fact that you have a policy, the policy dictates X, Y, and Z, and we have artifacts to illustrate that the policy is being adhered
Sanjeev Verma (39:58)
And this.
Yes.
John Verry (40:27)
to X, Y, Z. Good.
Sanjeev Verma (40:28)
You're absolutely correct. And so when we say that we provide documentation, documentation falls in various categories. So you look at the PreVeil documentation, it'll say, look, of these 110 controls, 38, I'm picking a number, you're inheriting in full from us. And so now when you look at our documentation for next year, you'll have affirmation that for those blocks of controls, PreVeil is saying, yep, it's up to date, et cetera.
John Verry (40:45)
Mm-hmm. Mm-hmm.
I gotcha.
Sanjeev Verma (40:56)
The second block is where we're saying there's a shared responsibility. You're inheriting some controls from us. You have certain responsibilities. And it may be that one of those alludes to the kind of thing that you referred to, which is, hey, I have a policy that somebody reviews X control on a monthly basis. And therefore, that artifact is provided associated with that. And on the PreVeil part, for example, if there are artifacts on, you know,
as an example, hey, do you have FIPS encryption? We are updating you. Here's our newest certificate and so forth. So you're absolutely right that the objective, right way to go and affirm that is both through us making it easier for you with what we provide, and for you to then also be mindful that here's the artifacts that I need to provide, and actually do that. Because when you do that, life becomes easier.
And I go back to the point that we started with, which is don't try to play with fire by saying, I'm just going to go sign a piece of paper over here because I got my driver's license three years ago and I have done nothing associated with it. That is definitely not what is advisable. And again, the regulations are clear. The CMMC thing says it requires annual reaffirmation.
John Verry (42:19)
So one of the things which I found problematic, if you will, about the original CMMC standard was that there was no specific flow down requirement within the standard. It existed just in the default 7012 clause. So, you know, did they correct, you know, so does the flow down requirement of CMMC happen still through the same default 7012 clause, or
Sanjeev Verma (42:23)
Mm-hmm.
John Verry (42:49)
are they doing it now within the actual CMMC framework itself?
Sanjeev Verma (42:53)
Good question. I don't know.
John Verry (42:57)
Because technically there was this whole thing where the C3PAO was just assessing you against CMMC, not the DFARS clauses. And there’s an incident reporting requirement within DFARS that doesn’t exist within CMMC. So I was curious if they rectified that. I felt like it was a gap in their implementation.
Sanjeev Verma (43:06)
That is exactly correct.
I don't know, and so you're absolutely correct that today, if you do a C3PAO assessment, the assessment for, say, FedRAMP equivalence, etc., that's the DFARS, SPRS, the incident reporting requirements, etc. They do come, and DIBCAC actually does that on at least the JSVA assessments. From a simple perspective, I will say this. I'll take a look and see if CMMC has addressed that.
But it is a given that for any organization that's listening in, flow down is essential. So in other words, whether it's DFARS or CMMC, if you basically got a CMMC contract and you've got three sub suppliers in there, that CMMC obligation does apply to them. You've got to go pass that along to them and to their suppliers. There's no question about that.
John Verry (44:09)
Yeah, one way or the other. Not that this is the definitive answer, but ChatGPT seems to think it's actually both in DFARS and the CMMC now. So.
Sanjeev Verma (44:17)
Absolutely. The flow down, I was just not clear about the C through G parts, but the flow. Yeah.
John Verry (44:24)
Yeah, I’m not sure. I’m not sure either. That’s why I asked and you know, it’s I’m sure it’s in the 400 pages. I just haven’t gotten to it.
Sanjeev Verma (44:30)
But what I do know is that CMMC absolutely requires you to flow it down. That’s exactly why when you have a contractor and you’re bidding on a prime contract and you say, I’ve got 35 suppliers and they have 14 suppliers and they’re part of my bid, the CMMC regulation and requirement will apply to those 35 and to the subcontractors that are part of the bid. There’s no ambiguity about that. The rule is very clear about that.
John Verry (44:59)
Right, and to that end, one of the things which I thought was very interesting as well was specifically them addressing VDI in the guidance, because the supply chain component, I think, is the scary part of this regulation. Because you might talk to a machine shop that's creating nozzles for military, and
Sanjeev Verma (45:06)
Mm-hmm.
John Verry (45:26)
they might have two or three subcontractors that are even smaller little places that are going to struggle to hit it, to become fully CMMC compliant. So how do you create an enclave that allows them to get to the data that they need to service you, but doesn't necessitate them becoming fully CMMC compliant? And it seemed to me like the idea behind this VDI, or perhaps the PreVeil,
what do you call it? OneDrive, shared drive. I forget what you guys call your PreVeil Drive capability. So am I correct in the assumption that under this VDI, and the Drive under the same concept, that the machines that they're accessing that from, through the VDI, are not subject, they're not storing, processing, or transmitting CUI under that clarification?
Sanjeev Verma (45:58)
Thanks a lot.
So I think that’s a great question, and I’m going to go and answer that step by step. So number one, the VDI, which is a virtual desktop environment issue, was clarified in the new rules. But I want to go very methodically with what we understand it has done.
A VDI is an environment that's typically in the cloud, and you use your computer to log in into that environment and access the information. So the regulation says that your VDI environment absolutely must meet CMMC / NIST 800-171 requirements. The controls have to apply to it. It needs to meet those things, et cetera.
The second part of it is, you are an entity, it's an organization, you've got a computer and you're using that computer to log in into that VDI. So you're having keystrokes and video and mouse and so forth. That computer which you are using to log in into the VDI is out of scope. Okay, that's very clear.
But it should not be interpreted as saying, let’s say, John, you were a supplier to me, and you were using a VDI environment. And I said, look, here’s my VDI. You log in. So yes, your computer that you’re using to log in, et cetera, is out of scope. But you are still part of the assessment boundary from the perspective that you’ve got the right people that are accessing it, the right controls that apply to it.
It simply says that the specific computer that you’re using is not part of the assessment boundary. So that’s, I can’t hear you.
John Verry (48:25)
Sorry, I muted because I was coughing. So I guess we could assume then that, let's say, human resource, screening, security awareness, education controls relating to the entity, but the individual that might be accessing it. It'll be interesting, physical security, access control, right? Because we still, if the authentication is being served locally versus coming down from SSL or something of that nature.
That might be, so it's gonna be sort of figured out on, I guess, depending upon the exact way you do things. We have the clarification that the network that transits the data to that point and the device itself, those 800-171 controls are not in play. We don't know what other ones are gonna be in play at that point.
Sanjeev Verma (49:07)
I think for the general audience, which is probably the average person, I want to be very clear on a couple of points over here. I do not want there to be any illusion or misunderstanding that says,
I have a VDI service and the VDI has CMMC compliance associated with the desktop infrastructure, the VDI infrastructure. And so all I do is I just go and log in into that and therefore I’m compliant. That is absolutely not the case.
All it is doing from a VDI perspective is it's simplifying your compliance to the extent that your computer is not considered in scope, but you are an organization that has the rest of the requirements of proper training of your people and how to use it. 800-171 controls and processes, et cetera, apply to you. It can simplify
the endpoint parts of your controls, but it should never be viewed as something that says, it's some kind of a check the box where a service is available where all I do is just log into it. The same thing, you know, we of course, you know, can be used, PreVeil can be used as a VDI, PreVeil can be used with our Drive function on an endpoint. We facilitate the storing, sharing, you can use Drive over here.
The simple point over here is,
your computer that you're using to access the VDI is out of scope, but the VDI is in scope and your organization is in scope. Okay.
Again, you're on mute.
John Verry (51:09)
I did it again, sorry, I've been coughing. And just to be clear, the minute that that CUI leaves that environment and enters their environment, so if somebody writes it down and it's sitting on a piece of paper, that CUI is still in scope. If they're taking that information off of the screen and they're using it on another machine or system, that's it, right. So if I'm processing, if I stay within the VDI, let's say I was doing
Sanjeev Verma (51:30)
In scope.
John Verry (51:39)
some type of design work where I was working, like almost GFE, government furnished equipment. If I stayed within that environment, you know, then I'm going to be pretty well subsetted. I'm in scope, but, but, but it's a reduced scope. But the minute that that data begins to leave that, then that scope gets much larger, much quicker.
Sanjeev Verma (51:56)
And I think that's the operative point over here, that many people, I think most, including the purveyors of these VDI solutions, purport to say, or it gives the impression, that if you just use it, it's just log into something and then you're compliant. And that's A, not the case. You've got to go meet the controls. And secondly, one of
the two limitations of these VDI solutions. One is a very big cost associated with it. And the second is what you discussed, which is if you take that information out and you want to do something with it on any other computer, et cetera, well, that computer is an endpoint that's in scope. And so what I often say is, don't be that afraid of an endpoint. The purpose of NIST 800-171 wasn't that your endpoint
has so many requirements on it that it is scary to go meet it. You can pretty straightforwardly, with basic hygiene, have your computer meet NIST 800-171 endpoint controls. And I recently was in a conversation with the author of NIST, Ron Ross, who again clarified that, you know, it's not to disrupt the workflows.
All that said, if for some folks it is a little bit more convenient, it simplifies things to use a VDI and you're willing to pay extra bucks for it, go ahead and do so. And for others, you say, okay, I'll just make sure with an MSP that I have my endpoints, which is my computers, in scope, and I have an antivirus on them, I have two factor on them, I have encryption at rest.
Basically, those are the kinds of things that you need over there. There's some kind of a SIEM logging capability. And that endpoint is very well in control, and you can continue to work just as you're used to. Don't be afraid. Don't be afraid of the endpoint controls, and only use these VDIs if it truly makes your life easier. And not because you think that's the only way to kind of meet it and it's horrendously hard to do so
with your standard computer. It's not horrendously hard to do it with your standard computer.
John Verry (54:17)
All right, we beat this up pretty good. Did we miss anything?
Sanjeev Verma (54:21)
I don't think so. I think we basically have talked about all the changes that are coming. And I'll simply say what the key takeaways should be. Get prepared right now if you haven't already started, because it's here. It's not going away. Start implementing your program if you haven't already started doing it. Recognize that it's going to take some time
for you to become compliant, you know, nine to 12 to 18 months. And the last thing I would say is don't be scared. I mean, it's the past four years. Yes, it took a long time for the regulation to become real, but companies like ours have sort of worked very hard to kind of understand things, simplify things, provide additional tools, documentation,
simplifications to kind of help you meet it. Is it a walk in the park still? No. But I think that it's doable, manageable, and we'll get, as time goes by, even more so. So start working on it and don't be petrified. But don't ignore it. That's what I would say are the key takeaways.
John Verry (55:42)
Yeah, I would say the other argument, like something which is comparative to five years ago, given today's threat environment, especially the enhanced threat environment based on artificial intelligence and the things that we're seeing there, that this is just fundamental baseline security that you need just to be a viable business and not be fully compromised by some type of attack that puts you out of business anyway. So, I mean, the reality is, you're getting twice, your return is 2X, right? Your return is, I can continue to do work in the DoD, if that's what you want to do.
Second thing is you need to do this anyway, largely. I mean, there’s not a lot that CMMC makes you do that you wouldn’t do under the normal course of building a reasonable and appropriate cybersecurity program.
Sanjeev Verma (56:14)
I think so.
I think that's the operative guidance that I think you're providing, which is so true. And I want to now riff a little bit as we conclude over here. It's just common business sense that we operate in an environment where, if you are a business, you got some money, you're at threat, whether you're in DoD or not. The cost of these breaches is very high. The thing I do want to say is that
the cybersecurity industry is a bit of a snake oil industry, where I think there are a lot of products that are provided that have dubious efficacy. And if I could say, one of the things that very much bothers me is that in this compliance pursuit, whether it's CMMC or anything, people just try to check the box, which is understandable,
but ignore actual cybersecurity. And so this is an opportunity for you to be really, really taking cybersecurity seriously, because you can get compliant with CMMC with a legacy solution that's not that much more secure, but it's compliant. And we come from a perspective, and I come from a perspective, back to the Tetsubin example and the spirit of doing things right:
find out what real cybersecurity is. And that really means the notion that can your CUI be protected even if a breach occurs on PreVeil, on the servers, on the admin, because that's reality. There is no solution that can prevent an attack from taking place. But now we have solutions, including those that use, for example, end-to-end encryption,
where even if the server that's holding your CUI is breached, nothing happens, because the stuff is encrypted. If your admin doesn't have the rights to decrypt everything, nothing happens, because the admin can't get to the information and there's no fundamental breach. And HIPAA, as an example, has breach notification exemptions. So if your information is encrypted, you know, John, very well that if you are breached,
you don't need to basically go and report it. ITAR now says that if you're end-to-end encrypting stuff, you can basically store and share that without needing to meet the U.S. persons requirement for the cloud provider, et cetera. So I think that when we do this thing, pay attention to actually using the very best security, which truly means breach resistant security,
and using encryption as your friend, versus just trying to say, let's find the simplest way to get compliant, because it doesn't help you when you get breached. It doesn't do any good for you as a business, so do the right thing.
John Verry (59:34)
Give me one second.
Sorry about that. I saw my dog sneak out the door and I didn't know if the gate was up on the porch. All right. And again, apologies to whoever's editing this. This has been an unusually disrupted thing. All right. So let's just do our farewells. Sanjeev, thank you. I appreciate you coming on today. Always good to catch up with you. If folks want to contact you or PreVeil, how would they do that?
Sanjeev Verma (1:00:14)
So two ways. Number one, they can reach out to info at PreVeil, P-R-E-V-E-I-L dot com, or schedule a meeting right on our website. If you have any compliance questions, we offer a 15 minute compliance consult. We've got lots of CMMC-certified experts on staff who know a lot more than I do.
And that would, I think, be the best way to reach out. If for some reason I personally can help, it's Sanjeev, S-A-N-J-E-E-V, at PreVeil.
John Verry (1:00:53)
Awesome, man. Thank you. If I don’t speak to you, have a great weekend.
Sanjeev Verma (1:00:56)
You as well, John.