Partial CMMC Solutions: A Risk You Can't Afford
The Cybersecurity Maturity Model Certification (CMMC) Final Rule, published on October 15, 2024, brings long-awaited clarity to how the Department of Defense expects organizations to protect sensitive government information.
From the outset, it has been clear that organizations handling Controlled Unclassified Information (CUI)—or with CUI-related language in their contracts—must comply with all 110 controls outlined in NIST Special Publication 800-171, Revision 2. The companion document, NIST SP 800-171A, breaks these controls down further into 320 assessment objectives.
Many software solutions claim to offer partial coverage for CMMC, boasting 80% compliance with simple implementation at a low cost. However, the remaining 20%—often of critical elements like the System Security Plan (SSP) and essential documentation and processes—can make or break a successful CMMC assessment. These solution providers often fail to mention that resolving this final 20% can require hundreds of hours, even for the smallest organizations.
Partial CMMC solutions are common in the marketplace but leave companies far from full compliance. Relying on these incomplete solutions without understanding the significant time and resources needed to reach 100% can lead to a high risk of failure.
While many CMMC controls may seem minor, they require substantial staff effort. The following six controls represent just over 5% of the total 110 CMMC controls and are unlikely to be covered by partial solutions. Yet, meeting these requirements can easily consume hundreds of staff hours or require costly external consulting or technical expertise:
ATX Defense asserts that any CMMC solution must provide a clear path for small businesses to achieve 100% compliance, as the CMMC Final Rule requires.
Many solution providers, however, mislead small businesses by claiming their offerings cover a high percentage of CMMC controls. For instance, a leading provider claims to satisfy the Wireless Encryption control (AC.L2-3.1.17) with its solution. While the solution may technically address the control, the claim is misleading because it overlooks that every device using the solution falls within the full scope of a CMMC assessment. Without implementing costly technical controls across all endpoints or engaging a CMMC expert, most small businesses would struggle to produce the evidence needed to pass the assessment, and a shortfall here is not recoverable, since controls like AC.L2-3.1.17 must be met on the first attempt.
As a FedRAMP High-authorized platform, Google Workspace with Assured Controls can be tailored to meet most CMMC requirements. ATX Defense configures Google Workspace at no cost for its CMMC Space managed service, which, when properly configured, satisfies up to 88 CMMC controls, or 80%. However, the “last 20%” is significantly more complex and expensive than the initial 80%.
This is why ATX Defense has developed the only cost-effective solution on the market capable of meeting 100% of CMMC controls at an affordable price for small businesses. Based on ATX Defense’s research, other options are either prohibitively expensive for small businesses or offer "partial solutions" that are insufficient for successful CMMC certification. For small businesses, there is no clear path to 100% CMMC compliance without adopting CMMC Space.
CMMC Space is a 100% Solution
For a small business to utilize an external solution capable of reaching CMMC Level 2 compliance, three components are essential: CMMC managed services, a secure enclave, and a FedRAMP Moderate (or higher) collaboration suite. ATX Defense’s CMMC Space solution includes all of these components:
CMMC Space as an Innovation Sandbox
Due to the unique nature of CMMC Space virtualization, larger organizations may be able to use the CMMC Space service as an innovation sandbox that isn’t subject to corporate network or device restrictions. Access to CMMC Space only requires a modern Web browser and logging in to a Google account. Once authenticated, ATX Defense manages all Internet connections to and from the service within its Google Cloud Platform IL5 Assured Workloads instance.
Using GCC High within CMMC Space
Microsoft Office applications are not included in the CMMC Space solution. All Microsoft Office file formats can be opened, edited, saved, and exported to their original format using Google Workspace. However, some organizations expect to retain the ability to send Microsoft Teams invites to Government or Prime customers.
As a zero-trust browser-based Virtual Desktop Infrastructure, CMMC Space can support the full range of capabilities offered by the Web versions of Microsoft Office, such as Word, Excel, PowerPoint, and Teams. CMMC Space also inherently provides many of the security features only offered in the most expensive Microsoft Office GCC High editions. The Office 365 GCC High F3 license retails for $5/user/month and meets all the above requirements. ATX Defense is not a Microsoft reseller or partner, and doesn't recommend using solutions that aren't FedRAMP-authorized, but can provide GCC High through arrangements with a trusted provider.
Mobile Device Access
CMMC Space is optimized for mobile devices through Safari on iOS and Chrome on Android. However, some clients prefer using native mobile applications. ATX Defense partners with Hypori to offer its Halo VDI service for clients who desire a premium mobile experience. The Army uses Hypori Halo extensively, and the Air Force has a rapidly expanding pilot effort currently underway. Since Hypori Halo is also a virtualized solution, it renders mobile devices out-of-scope as defined in the CMMC Final Rule.
Lowering the Cost of Assessments
The CMMC Final Rule estimates the cost to a small business of a triennial CMMC Level 2 certification at $101,752. Most of this cost involves assessors traveling to client sites and assessing 110 controls against all company endpoints.
CMMC Space has the potential to make certification assessments much less expensive for small businesses, since they remain fully responsible for only three of the 320 CMMC assessment objectives. Assessors are trained not to assess controls covered by an External Service Provider (ESP), which includes MSPs like ATX Defense. According to the CMMC Assessment Process, an “objective that is inherited is MET if adequate evidence is provided that the enterprise or another entity, such as an ESP, performs the practice objective.”
Additionally, since endpoints would be out-of-scope, assessors should not be required to travel. This will greatly reduce the certification cost for small businesses compared to a partial solution.
Conclusion
ATX Defense's CMMC Space solution offers a comprehensive and cost-effective approach for small businesses to achieve and maintain CMMC compliance. With flexible pricing tiers and an array of add-on services, businesses can tailor the solution to their needs and budget. By leveraging ATX Defense's expertise and proven track record in cybersecurity, organizations can navigate the complexities of CMMC compliance and focus on what's important: their core operations.
Founder & CEO at Hire a Cyber Pro | Cybersecurity Consultant & Recruiter | Helping Business Leaders Identify and Reduce their Cybersecurity Risks | M.S. Cybersecurity | CISSP | More Certs | vCISO | CMMC | USAF Vet
2mo
Have you passed a C3PAO assessment yet?

Army Veteran | Podcaster | Account Executive @ Zscaler
2mo
Awesome!

Cyber Defense
2mo
Very helpful