Partial CMMC Solutions: A Risk You Can't Afford

The Cybersecurity Maturity Model Certification (CMMC) Final Rule, published on October 15, 2024, brings long-awaited clarity to how the Department of Defense expects organizations to protect sensitive government information.

From the outset, it has been clear that organizations handling Controlled Unclassified Information (CUI)—or with CUI-related language in their contracts—must comply with all 110 controls outlined in NIST Special Publication 800-171, Revision 2. The companion document, NIST SP 800-171A, breaks these controls down into 320 assessment objectives.

Many software solutions claim to offer partial coverage for CMMC, boasting 80% compliance with simple implementation at a low cost. However, the remaining 20%—often critical elements such as the System Security Plan (SSP) and the essential documentation and processes—can make or break a successful CMMC assessment. These solution providers often fail to mention that resolving this final 20% can require hundreds of hours, even for the smallest organizations.

Partial CMMC solutions are common in the marketplace but leave companies far from full compliance. Relying on these incomplete solutions without understanding the significant time and resources needed to reach 100% can lead to a high risk of failure.

While many CMMC controls may seem minor, they require substantial staff effort. The following six controls represent just over 5% of the total 110 CMMC controls and are unlikely to be covered by partial solutions. Yet, meeting these requirements can easily consume hundreds of staff hours or require costly external consulting or technical expertise:

  • Develop, document, and update system security plans that describe system boundaries, environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (CA.L2-3.12.4)
  • Establish and maintain baseline configurations and inventories of hardware, software, firmware, and documentation throughout system development lifecycles. (CM.L2-3.4.1)
  • Track, review, approve or disapprove, and log all changes to systems. (CM.L2-3.4.3)
  • Correlate audit record review, analysis, and reporting processes for investigation and response to indications of undesired activity. (AU.L2-3.3.5)
  • Periodically assess the risk to operations (including mission, functions, image, or reputation), organizational assets, and individuals. (RA.L2-3.11.1)
  • Establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities. (IR.L2-3.6.1)

ATX Defense asserts that any CMMC solution must provide a clear path for small businesses to achieve 100% compliance, as the CMMC Final Rule requires.

Many solution providers, however, mislead small businesses by claiming their offerings cover a high percentage of CMMC controls. For instance, a leading provider claims to satisfy the Wireless Encryption control (AC.L2-3.1.17) with its solution. While the solution may technically address the control, the claim is misleading because it overlooks that all devices using the solution fall within the full scope of a CMMC assessment. Without implementing costly technical controls across all endpoints or engaging a CMMC expert, most small businesses would struggle to provide the necessary evidence and would fail the assessment, since controls like AC.L2-3.1.17 must be met on the first attempt.

As a FedRAMP High-authorized platform, Google Workspace with Assured Controls can be tailored to meet most CMMC requirements. ATX Defense configures Google Workspace at no cost for its CMMC Space managed service, which, when properly configured, satisfies up to 88 CMMC controls, or 80%. However, the “last 20%” is significantly more complex and expensive than the initial 80%.

This is why ATX Defense has developed the only cost-effective solution on the market capable of meeting 100% of CMMC controls at an affordable price for small businesses. Based on ATX Defense’s research, other options are either prohibitively expensive for small businesses or offer "partial solutions" that are insufficient for successful CMMC certification. For small businesses, there is no clear path to 100% CMMC compliance without adopting CMMC Space.

CMMC Space is a 100% Solution

For a small business to utilize an external solution capable of reaching CMMC Level 2 compliance, three components are essential: CMMC managed services, a secure enclave, and a FedRAMP Moderate (or higher) collaboration suite. ATX Defense’s CMMC Space solution includes all of these components:

  1. CMMC Managed Services can be provided at a low marginal cost by a Managed Service Provider, as they provide the same service to many clients. These services, such as generating the System Security Plan or Incident Response teams, are highly resource-intensive for a small business to create and maintain. ATX Defense offers support within its existing Service Level Objectives and Master Services Agreement.
  2. A Secure Enclave defines the boundaries of the CMMC assessment. This was traditionally accomplished with physical separation by defining the assessment scope as a subset of certain computers used only for government work, logically and physically separated from the rest of the organization’s IT resources. While this allows flexibility, it can also be incredibly costly for a small business to maintain. A more modern approach creates the enclave with non-persistent Virtual Desktop Infrastructure (VDI); ATX Defense uses Kasm Workspaces from Kasm Technologies for secure workspace streaming. This removes the requirement for an organization's IT infrastructure to be physically and logically separated from devices that process, store, or transmit sensitive government information. The CMMC Final Rule has clarified that any endpoints that connect to a VDI solution are out-of-scope for CMMC, meaning that any device (even unmanaged personal devices) can leverage such a solution.
  3. A FedRAMP Moderate Collaboration Suite such as Google Workspace gives a small business the communication and business tools necessary to work with Primes. CMMC Space supports Microsoft GCC High, but it is important to note that GCC High is not FedRAMP Authorized as of September 2024. It can be used for CMMC due to an “equivalency” exception. Google Workspace has been FedRAMP Authorized since 2021.
  4. (Optional) Other Work Applications necessary for work that the small business performs on a subcontract, e.g., 3D rendering software, modeling/simulation software, or a PDF editor that allows for digitally signing documents.

[Figure: Three pillars of a 100% CMMC solution]

CMMC Space as an Innovation Sandbox

Due to the unique nature of CMMC Space virtualization, larger organizations may be able to use the CMMC Space service as an innovation sandbox that isn’t subject to corporate network or device restrictions. Access to CMMC Space only requires a modern Web browser and logging in to a Google account. Once authenticated, ATX Defense manages all Internet connections to and from the service within its Google Cloud Platform IL5 Assured Workloads instance.

[Figure: CMMC Space offers a virtualized, secure Chrome browser within any modern browser.]

Using GCC High within CMMC Space

Microsoft Office applications are not included in the CMMC Space solution. All Microsoft Office file formats can be opened, edited, saved, and exported to their original format using Google Workspace. However, some organizations expect to retain the ability to send Microsoft Teams invites to Government or Prime customers.

As a zero-trust browser-based Virtual Desktop Infrastructure, CMMC Space can support the full range of capabilities offered by the Web versions of Microsoft Office, such as Word, Excel, PowerPoint, and Teams. CMMC Space also inherently provides many of the security features only offered in the most expensive Microsoft Office GCC High editions. The Office 365 GCC High F3 license retails for $5/user/month and meets all the above requirements. ATX Defense is not a Microsoft reseller or partner, and doesn't recommend using solutions that aren't FedRAMP-authorized, but can provide GCC High through arrangements with a trusted provider.

Mobile Device Access

CMMC Space is optimized for mobile devices through Safari on iOS and Chrome on Android. However, some clients prefer using native mobile applications. ATX Defense partners with Hypori to offer its Halo VDI service for clients who desire a premium mobile experience. The Army uses Hypori Halo extensively, and the Air Force has a rapidly expanding pilot effort currently underway. Since Hypori Halo is also a virtualized solution, it renders mobile devices out-of-scope as defined in the CMMC Final Rule.

Lowering the Cost of Assessments

The CMMC Final Rule estimates the cost to a small business of a triennial CMMC Level 2 certification at $101,752. Most of this cost involves assessors traveling to client sites and assessing 110 controls against all company endpoints.

CMMC Space has the potential to make certification assessments much less expensive for small businesses, as they are only fully responsible for three out of 320 CMMC assessment objectives. Assessors are trained not to assess controls covered by an External Service Provider (ESP), which includes MSPs like ATX Defense. According to the CMMC Assessment Process, an “objective that is inherited is MET if adequate evidence is provided that the enterprise or another entity, such as an ESP, performs the practice objective.”

Additionally, since endpoints would be out-of-scope, assessors should not be required to travel. This will greatly reduce the certification cost for small businesses compared to a partial solution.

Conclusion

ATX Defense's CMMC Space solution offers a comprehensive and cost-effective approach for small businesses to achieve and maintain CMMC compliance. With flexible pricing tiers and an array of add-on services, businesses can tailor the solution to their needs and budget. By leveraging ATX Defense's expertise and proven track record in cybersecurity, organizations can navigate the complexities of CMMC compliance and focus on what's important - their core operations.


Brent Gallo - CISSP

Founder & CEO at Hire a Cyber Pro | Cybersecurity Consultant & Recruiter | Helping Business Leaders Identify and Reduce their Cybersecurity Risks | M.S. Cybersecurity | CISSP | More Certs | vCISO | CMMC | USAF Vet

2mo

Have you passed a C3PAO assessment yet?

Victor Franco

Army Veteran | Podcaster | Account Executive @ Zscaler

2mo

Awesome!


Very helpful
