Webinar

CMMC Compass Webinar - Protecting CUI for Defense Contracts: Visibility, Control, and Compliance

May 19, 2026

If you're a defense contractor trying to get CMMC-ready, this session is built for you. Virtru's Andrew Lynch and StreamScan's Chris Augoustis walk through the realities of protecting Controlled Unclassified Information (CUI) in a way that's practical, compliant, and workable for your team day to day.

What you'll learn:

  • Where the CMMC rollout stands today and what Phase 2 (November 2026) actually means for your contracts
  • How to figure out if you truly need Level 2 certification, and what's at stake if you do
  • How to scope and identify where your CUI lives across email, shared drives, and endpoints
  • What good CUI protection looks like when data leaves your environment
  • Specific CMMC control areas including audit and accountability, encryption (FIPS 140-2), FedRAMP requirements, and incident response
  • How tools like StreamScan and Virtru can cover a significant portion of your CMMC controls, reducing assessment burden and consulting time
  • Key pitfalls around encryption validation, FedRAMP equivalency vs. authorization, and Microsoft GCC/GCC High eligibility

Who should watch: Defense contractors, IT and compliance teams, and any organization in the Defense Industrial Base navigating CMMC Level 2, including Canadian suppliers working with U.S. primes.

Want to contact us and learn more? 
Contact StreamScan's Chris Augoustis at:  christopher.augoustis@streamscan.ca 


So hello everyone. Welcome to the latest installment of the Virtru CMMC Compass Webinar Series. I'm Andrew Lynch, and I'm glad that everyone's here today. If you're a defense contractor or a part of the defense industrial base, you know that protecting controlled unclassified information isn't just a compliance checkbox. It's really the heart of what CMMC is designed to do.

Today, we're gonna cut through the noise and give you practical, actionable guidance on how to protect and control CUI in a way that supports you through your CMMC journey without disrupting the way your teams work every day. We'll cover the current CMMC landscape, as well as what that means for your organization and how a few specific software products from StreamScan and Virtru can add value. We'll review what good CUI protection actually looks like in practice and how to make compliance a strategic advantage rather than just a burden for your organization. We have a great session lined up.

So let's dive in. Today I'm joined by Chris at StreamScan. I'll let him introduce himself and his organization in just a few moments. Just a few housekeeping items, as a reminder, we are going to be recording this.

So if you need to jump off, we'll send this to you afterwards. Also, if you do have any questions, feel free just to drop them in the chat box and we will address them at the end. We're gonna save some time for a live Q and A.

And then of course, if you'd like to request a demonstration of either StreamScan or Virtru, you should be able to do that here, or just by visiting our website.

So welcome Chris, before we get into the meat of things, can you give the folks here an overview of what does StreamScan do and what do you do over there?

Yeah, so StreamScan at its core is a cybersecurity company.

So we're based in Canada, so we're across Canada.

We started working in cybersecurity in 2011.

Since then we've evolved; we started off doing just incident response.

Now we're moving into compliance projects a lot over the last few years.

CMMC has kind of come into play here over the last few years.

When we started working on CMMC actually, it was way too early. It was early 2020, right after COVID, and everybody was like, sorry, I don't know what this is. I'm not gonna do this. So it's been a tough couple of years, but it's been picking up over the last year now with all the new rules coming out and, you know, the requirements actually being forced onto contracts and onto all the suppliers.

So what I do specifically at StreamScan is I'm helping customers, you know, go through CMMC, writing policies, SSP, evidence collection, anything that has to do with CMMC, making sure that they're ready for an assessment and then pass an assessment.

So I'm currently an RP. I did the CCP. I'm just waiting on my tier three. So I'm not sure if I'm a hundred percent allowed to say I'm a CCP yet.

So I'm just waiting for that background check to come back.

It's sort of like the conditional pass for those who have been assessed.

Cool. So yes, so StreamScan, and this is actually the second series that we've done together, having some mutual clients together. But StreamScan is a little unique, Chris, where, you know, you all are offering software and services that can be used to help meet some of the CMMC controls. But also, as you mentioned, you're actually consulting organizations through their CMMC journey. So could you share kind of what that means and the value that you've seen that's been able to add for companies that you've worked with?

Yeah. So we're an RPO.

We decided to get RPO status early on in the process. We were the first ones in Canada to do it.

We realized that that puts us at an advantage.

And the second part of it is we decided last year to actually get certified for CMMC Level 2 for our cybersecurity team and the tools that we offer to our customers.

We know CMMC is big on compliance, but it's also big on cybersecurity and protecting the data. And by us going out and getting certified, it alleviates that burden from the customers to not have to think about those controls that touch CUI or that protect CUI that we can take over.

So we help accelerate the process for a lot of the customers to say, well, you know, hey, about forty percent of the controls will be covered by us just by getting our tools, so you don't have to think about that. So it lowers the cost, lowers the consulting time. And when you get to an assessment, the assessor would look at us and not at you guys for those controls.

Got it. And so what are the main CMMC control areas where StreamScan's platform is directly helping organizations check those boxes?

Yes. A lot of it is everywhere. The way that they put the controls in CMMC, we touch a lot of the domains, but the one that we specifically hit pretty heavily is audit and accountability.

We pretty much do all of it other than making sure that your NTP server is nice and configured properly.

System and communications, we do quite a few in there, and almost all of system and information.

Risk management, because we do a lot of vulnerability scans as well as part of our security assessment that we did.

We do a lot of that as well.

Cool. And so when the organization comes to StreamScan, are they getting a product? Are they getting a consultant? Are they always getting both? Could you walk us through this? What does that look like?

Yeah, so we're not fixed on anything here at StreamScan.

You can come in and say, we just need consulting help.

We need to do the whole project or we need to just do a validation before you get to an assessment.

You can come to us just for your cybersecurity needs and not CMMC or any other compliance.

You can come to us for incident response or you can come to us for all of it.

The value that we offer is that we have everything in house, that we're not having to go and get other companies to come in to help with this part of cybersecurity, that part of cybersecurity. It's like, oh, we don't do incident response. We outsource it. That's not what we do.

We do everything in house. So, anyway, if you need any help, I pick up the phone. I call somebody else that is in another department and say, hey. Come join this call.

You know, they're talking about incident response. If they want some more information, we're right there.

That's great. Well, thanks for the overview of StreamScan, Chris. Just to share a little bit about Virtru, because I didn't quite introduce myself yet: I manage a few of the sales teams at Virtru. On the Virtru side, we come at this at a little bit of a different angle.

We're specifically focused on protecting the data itself, encrypting your data upon creation, both at rest and in transit, all using the open-source Trusted Data Format that our co-founder Will Ackerly was involved with inventing while working at the NSA. So I like to describe it, you know, StreamScan helps to see and stop threats on your network; Virtru really more so focuses on protecting the data that's being shared both internally, but also more importantly, externally, and ensuring it's always protected and under your control. For CMMC specifically, Virtru is a FedRAMP authorized encryption platform.

We're helping really to address the Access Control, Media Protection, and System and Communications Protection families within CMMC. Again, specifically for common workflows like emailing and sharing files. We don't do everything. Similar to StreamScan, we're not gonna cover a hundred percent.

We don't wanna claim that we do either. We've heard from clients and prospects that, commonly, those tools that may say they do, when you actually get down to it, it's gonna require organizations to work around specific workflows that are gonna be important. So we believe in flexibility, and speed is really what leads to collaboration.

So Chris, can you give us a little bit of the lay of the land of where are we in the CMMC timeline and what are some of the important milestones that organizations need to be aware of?

Yeah, so we're currently in phase one of the CMMC rollout. We're working towards phase two. It'll start November 10, 2026, which will start mandating CMMC Level 2 on some contracts.

So it's not a deadline that you need to be certified by November 10. I know that's kind of what's being pushed out there. That's not it. It's not, you know, after November 10, you're done, you don't have CMMC Level 2 certified, you can never work in defense again. That's not true.

That is what they're trying to do is give people time to get certified. They know that this is not an overnight thing.

So if you do have that in your contracts, beware of your requirements after November 10, because that's when they'll start mandating it on a lot of the contracts.

Thanks, Chris. And yeah, I was just checking out the most recent Cyber AB town hall where they put out, you know, several statistics. One is how many organizations have been assessed through a C3PAO, which was right around 1,200 or so, either passed or, again, the conditional pass. So still a lot of work to do.

And to that point, Chris, yeah, we hear from prospects and customers that are again, wondering when and why maybe they're seeing that they need to be level two certified.

And maybe Chris, could you speak to that? Because again, organizations sometimes come to us and they say, hey, we don't handle any CUI. We haven't yet ever. We don't know if or when we will in the future, but we're being told that we need to meet CMMC level two. What would you say to that? Where is that maybe coming from?

Yeah. So I I think now a lot of, you know, larger primes or OEMs are they're really coming in and saying like, hey, everybody in my chain has to be level two, which might not be the truth for a lot of them. I think they're just sending out mass emails and just, you know, telling everybody, hey. Please do level two.

Where you need to really look is is your contract itself.

Look in the contract. There's specific DFARS clauses that are in there that will tell you what you need to get done.

Then also look at the type of data you're receiving from these contracts.

You know, if they're diagrams and pictures and, you know, PDFs of specifications, all that falls under CUI, which falls under Level 2.

But again, if you're not a hundred percent sure, you know, call your contracting officer. Right? Ask him what's going on. What do I need to do? Do I have to actually do Level 2? Instead of a generic email that everybody is sending out, you know, really get in touch with that contact that you have with the company and just really, you know, hammer it out with him and see what you actually need to get done. Because the difference between Level 1 and Level 2 is really large.

It's, you know, Level 1 can be done pretty quickly. Level 2 can take a really long time and cost a lot more than just doing a Level 1 certification.

Yeah, thanks Chris.

Some good recommendations there. To add to that though, could it also be that the prime is saying that, well, you may not have needed to receive CUI previously, but you may need to be prepared in the future? And that's where getting Level 2 certified is ensuring that you're able to support a contract, or parts of it, in the future that may again require handling CUI.

Yeah, so what is happening now in the market and what we're seeing, because we do work with certain primes that we help with their supply chain as well as supply chain risk.

And we're going to all of their subcontracting subs and just working and saying, hey, where are you guys at? Are you guys on CMMC? Do you wanna do CMMC? Do you guys wanna move forward in this? To give visibility back to these large primes or large tier ones.

And what's happening is that a lot of people are saying, I don't know if I want to continue in this. I don't want to go forward in CMMC.

You're sending me contracts that are $10,000, $20,000. And just to get assessed for it, you're looking at $40,000 to $80,000. It's not worth it for me to do it, and a lot of people are dropping out of the defense space.

So what's happening is they're grabbing people who are already in their ecosystem to fill those gaps. They don't wanna go out and search for a new, you know, supplier or vendor or anything like that. They'd rather get somebody that's already doing it and say, hey, we're just gonna give you more contracts. Now this includes CMMC or CUI.

So please get ready for that. So it could also be an advantage for some people to just, you know, talk with them and see, hey, is there an opportunity for me to work more in defense or pick up some more contracts from you? And then make it a business case to see if this is worth it or not.

Thanks, Chris. So let's talk about some common examples that I'm sure we're both hearing, thinking about maybe a small to midsize manufacturer or engineering firm that is supporting some defense contracts, distributed teams, people working out in the field, lots of file sharing with external parties.

Where do you typically start when you're scoping that sort of organization, working towards CMMC level two?

Yeah. So I like to go and look at existing contracts that they have, you know, identify ones that are military versus nonmilitary, and then just kind of map out where everything goes.

You know, from there, we have a better view of what your needs are, what you're missing, or how you're sharing the data.

You know, we wanna offer you the right solution for you, not just our solution. Right? It might not be us that is the best fit for you guys. You know, we wanna make sure that customers are taken care of and they're getting through this, you know, quickly and as efficiently as possible. Right? We don't wanna, you know, tell a customer that's not on prem, hey, go buy, you know, $40,000 of servers and racks and switches just to stay on prem because it's easier.

Yeah. It might be for some people, but, you know, that cost of moving everything back on prem might not be for them. Right? So that's kind of where we look at their scope and how they're sending data and how everything is moving in their system, and, you know, something like Virtru might be the best for them.

You know, we always look at what's best for the customer and not what's best for us.

Yeah. Thanks, Chris. Yeah. We also believe in flexibility. Again, you know, Virtru is not itself an enclave.

It could be used within one that you're building, but, again, we're not one of those one-stop, all-in-one solutions. But again, we hear that those can be a good solution in some cases, but often when it actually then comes out that we need to download and edit CUI, other things are in scope that maybe hadn't been planned to be. So, yeah, I would agree.

We hear that pretty regularly too. Another thing that we hear about pretty commonly, Chris, and I'd love to hear your take on this, is organizations figuring out where their CUI actually is: emails, shared drives, on premises, etcetera. How do you help organizations get their arms around that?

Yeah. So the most difficult piece right now is nothing, or not much, is tagged CUI today.

A lot of the contracts are not telling you this is what CUI is. This is not CUI. So it's kind of everywhere.

What's great is that a lot of the CUI or the military data or documents that are going through are already separated in a lot of organizations and say, oh, this is for this customer. This is for that customer. And they already have it a little bit separated.

Where it gets difficult is when customers don't have any CUI or they're not sure.

You know, we're kind of going in a little bit blind and just saying, well, let's build out an enclave and just say, well, this is where everything's gonna get stored, and then kinda grow it from there. Only because there's no way to figure out what it is, what is CUI, what's non CUI. They don't have a clear view. They're not sure, they called their tier one and they're not sure either, nobody can tell them exactly what is CUI, what's not CUI, so we're kind of just guessing, saying, this is what we wanna do, this is how we wanna protect it, so that when we do get something that's CUI, we know where it goes. We know our workflows. We know what we need to do to protect all the data.

Yeah, thanks Chris. And yeah, again, we hear that too, where it's, we don't have any CUI today, and yeah, it's one thing to map out a plan for when we do get it, we're going to put it here in this system. But, you know, again, even identifying upfront what may already be CUI that you have, and then, will that workflow of "it's all going to be in this one virtual environment" actually be conducive to business down the road later? And that's again where Virtru kind of fits in well: it's flexible and can be used in multiple environments.

So one scenario that comes up pretty often, of course, is sharing data externally. Maybe it's a technical drawing you need to send externally to a government agency. So, what happens to an organization's CMMC scope once the data actually leaves their environment? What are the responsibilities that the OSC has to have taken into account for data that leaves?

Yeah, so your requirements, I wanna say they end the second it enters the other customer's environment.

But what you need to do before even sending it, you need to make sure that they are at the same level as you. Right? So if you're sending Level 1 data, well, you need to make sure the other side, you know, the other customer, is also Level 1. If it's Level 2 data, you need to make sure that they're Level 2.

So that's your immediate obligation, and it falls on you. It doesn't fall on anybody else. You know, if they lie to you, if they do anything, that's not on you; just make sure you have everything documented. You know, do it by email and not over the phone so you have something on paper.

Once they tell you, hey. Yeah. We're level two.

They can send you, you know, their SPRS score. They can send you a copy of, you know, their CMMC certification. You know, anything like that to prove it to you that, yeah, we're Level 2. We're ready to go.

You don't have to go into their network and check how they protect their data. You don't have to do any of that. What you need to do is protect the data leaving your system. And then the second it gets to their end and they download it, it's no longer on you.

Thanks Chris. Yeah, we get asked that sometimes too, scenario questions where it's, you know, what if we receive something that it wasn't encrypted to the level it needed to be?

And from my understanding, it's as you just pointed out. Well, number one reminder, if you're receiving CUI, you know, they need to be Level 2 also. So they need to have safeguards in place. But that's also, from my understanding, called spillage, where hypothetically, if they weren't, and they did send something incorrectly, there is a process to then go through to alert them, delete it, expunge it, log it, etcetera, to address that.

But, yeah, that's a good reminder that CUI is only really supposed to be shared with another organization that's Level 2 certified in the future.

Right, Chris?

Yeah, exactly. That's the biggest piece, right? Make sure that you're protected, do the certification properly. Don't lie to your assessor. Don't try to hide anything. Be open.

And, you know, whatever happens at the next organization, that's not on you. You know, they're supposed to be, you know, telling the truth, you know, so you gotta trust them and make sure that, hey, you got your certification, which means you did something right, we trust you. But again, if something happens in their system, it doesn't come back to you. You come out and say, hey, they told us they're certified, here's the proof that they sent to us. And, you know, we know we're not gonna go any further.

We're not gonna start, you know, testing and then, you know, auditing them or, you know, checking their systems or anything like that. You know, they got their certification. They said they were doing it right. That goes on them.

Thanks, Chris. So I know CMMC also has specific requirements around incident response and threat monitoring. So what does good look like for a small to mid-sized defense supplier, and what does not ready look like?

Yeah. So incident response is something that not many companies can do, or if they can do it, they can't do it well.

You need to have an expertise really in that.

It's not just, hey, something happened in my network, I'm just gonna unplug everything, and then I'll reboot it the next day and we'll be okay. That's not it. Yeah, it stopped the attack right away, but the second you turn everything back on, you've restarted everything.

So really getting through those policies and really documenting everything, that's what CMMC is really looking for, and that's what all of CMMC is. It's documenting any changes to your system, documenting your incident response plan, testing your incident response plan, and being able to say, hey, maybe we don't have the expertise for this. Maybe we do need to find somebody external to come in and just be on retainer. We don't have to be in your system; we're just a retainer in case something happens, so you can say, hey, this is over our head, we need to call somebody to come in.

Be prepared because attacks are happening more frequently.

Defense companies will be a bigger target coming up in the future.

And that military data is very sensitive, you know, to the Department of Defense.

So, you know, be aware that you might not have a hundred percent of the expertise, you know, to fight off any attacks or anything like that.

Thanks, Chris. And so for an IT team that has historically been managing security from a reactive approach, what would be some of the first capabilities that you would recommend they put in place towards monitoring for CMMC purposes?

So there's a couple requirements around monitoring. So they ask to monitor your perimeter.

So make sure that you're monitoring everything going in and out of your perimeter, make sure all the endpoints are monitored and they have antivirus that's up to date. Right there, you cover a lot of the bases, you can see if anything happens.

Also, don't go buy tools that are just shiny; they might not be the best for you. Really make, you know, an educated decision on it. You know, just because Microsoft has a product doesn't mean it's the best for you. Right? None of these tools are one size fits all.

Some companies like to have more hands on, some people like more customer service. I don't wanna talk to an AI bot for five minutes while my company is burning to the ground. I need to talk to somebody today. Well, maybe I'm not gonna go with the larger company. I'll go with a smaller company that, when I call, they answer, and it's a human. And so that could be something that people look into. You know, it's preference by company.

Thanks, Chris. Let's switch to another topic that comes up, which is around specifically needing to audit CUI.

So can you speak to what are the specific CMMC practices that directly call out the need to control and audit CUI that's being transmitted, accessed, or shared?

Yeah. So all of the domain family of audit and accountability really looks at that.

So what is being logged, what is being tracked, what is being tracked in the logs as well. You won't just wanna get a bunch of logs that don't have a username, don't have anybody, you don't know who did it. So those are all things that you wanna make sure are in there, that you can trace it back to a certain person. So if they access CUI or access, you know, VPN, right, you have the VPN logs, and all of a sudden, you know, that same person is logging in from, you know, Thailand.

It's like, well, how did you get from the US to Thailand in three hours? That doesn't make sense, right? You have to have tools that can make those judgments for you, make sure that everything is accountable in your system so that anytime anybody does an action, it is an approved action, and you're not reacting to problems. You didn't know that this person had access to CUI data, and all of a sudden now he's, you know, extracting data, or he's, you know, a system admin who has full permissions on all your network, and all of a sudden he's downloading data.

You wanna be able to see that and what's going on and who can react to that. It doesn't take time, right, to get this data out. Like, the second they're in, they're exfiltrating data.

You should be able to know pretty quickly, and that's where these tools come in. Right? So they alert us to any data being exfiltrated, any, you know, anomalous behavior, any, you know, sniffing attacks or anything like that from other countries. We can block, you know, by geolocation, block specific countries so no IP addresses from those countries can log in.

It does sometimes cause issues for some companies whose people are traveling. People are traveling and, you know, all of a sudden they logged in from the US, and then, you know, the next day they're logging in from, you know, somewhere in Europe. And, you know, the VPN can actually be blocked from other locations. So it could cause a little bit of an issue, but you always want to block something instead of letting, you know, malicious activity come through.

Thanks, Chris. Yeah, I'd love to hear your take on where you see specifically StreamScan adding some value into some of these controls. Just thinking of your comment, where Virtru uniquely fits in there is, because again, we're doing object-level encryption, we're encrypting every piece of data separately with separate sets of keys. It does allow for a really true granular audit capability where you always know what's happening to your data. And then the comment about blocking things, or if there was an incident, that's really, we hear, a great use case for the Virtru private key store. It is an option for our customers to host their own encryption keys with their own private key server. And one use case is if you, our customer, were to disable that, we don't have access to it, and that actually would shut down anything being accessed because nothing could essentially be decrypted.

So that specifically resonates, I think with our customers. I'm curious to kind of your take around maybe StreamScan there too.

Yeah, so encrypting everything individually causes a lot more issues for, you know, hackers to come in, and they have to break every single encryption one by one to be able to, you know, exfiltrate a lot of the data. Whereas what we most commonly see is, hey, we just encrypt, you know, the server.

And once you break that encryption, you pretty much have access to the whole server.

Now where you guys come in and do, you know, some great work is giving the option to the customer. Like, how do you wanna store the data? How do you wanna encrypt it? Where do you want the keys to be stored?

It gives flexibility for a lot of customers. And even on our side, you know, we know that we can set alerts so that if ever that, you know, key goes down, we can be alerted and we know, hey, there's some major attack going on.

Another good piece of our technology is, you know, we're on all the endpoints as well. And so if we see that an endpoint was hacked, we can actually quarantine it from the network. So it won't keep moving forward into your network. So a lot of times, hacks happen because people click on links and they put in passwords, then, you know, their device gets hacked.

And the second we see something like that happen, we can quarantine the machine from the whole network. We just basically cut everything off. Right? So it can't go from one machine to the next, and that's usually how ransomware starts. They grab one machine, they go to the next one, they go to the next one, and then by the time you figure it out, half of the network is closed.

And now you're sitting there trying to unlock everything. You know, we can come in and just block that machine, close it, and it won't go further than one machine. You only have one machine that's locked. There's no data stored on it. There's nothing of value on there. And then we just back it up and reboot from there and keep working.

Thanks, Chris. Yeah. And you were mentioning protecting endpoints, and that's something that has come up. I know there are alternatives to Virtru where commonly they're trying to show how you could maybe keep your endpoint out of scope. I think our most common scenario is we're telling people that with Virtru it's going to be in, but also from a practicality perspective, I'm just curious from your experience, you know, based on what someone needs to do, where they need to edit things and, you know, handle CUI on their endpoint, how often is the endpoint going to be in scope? And would you even recommend just planning towards that? What's your take around that?

Yeah, it really depends on the type of company that you are. Manufacturers, I would say most likely, you know, you're manipulating drawings, you're putting them into different, you know, software, CAD software, SolidWorks, things like that. So it's already going onto your system.

Where we see companies getting their endpoints out of scope is when they're quite small, and they're just looking at a piece, and then they don't have to write anything down, they don't have to edit anything. It's basically go build this, and it's something that's basic. You know, it's a box of, you know, it's eighteen inches by twenty four inches, you know, made out of this material. And so I don't need to manipulate it.

I don't need to build. I don't need to download it. I don't need to print it. I don't need to do anything.

You can get endpoints out of scope.

But I would say most companies, your endpoints are gonna be in scope just by what you do day to day.

Yeah. And I've also learned that, you know, it's one thing to plan and then get assessed for one environment, to then later find out this just, again, doesn't work for us. We need to be able to edit it. And then you're kind of a little bit back to the drawing board. Where Virtru fits in is more of a flexibility approach, where it can be used in multiple environments.

It could be used in an enclave or it could be used enterprise-wide. But thanks for sharing that perspective. I know we've talked a little bit about encryption, and that is specifically where Virtru does fit in. Could you, though, remind us all, Chris, what are the specific requirements around encryption for protecting CUI?

Just walk us through what those look like in practice and we'll take it from there.

Yeah. So the requirement for encryption is that any encryption that you use to protect, store, or transmit CUI has to be FIPS 140-2 validated. It has to be actually validated. It can't just be FIPS 140-2. You have to find the module on the FIPS validation website.

I know now they're moving to FIPS 140-3, coming, I think, in September or October.

So I think it's gonna change from there, but you need to really be on that website. It's the only thing that they will check. You can have the right encryption. You can be, you know, SHA-256.

Right? But it has to be FIPS validated. That module itself has to be FIPS validated. You can't just say, well, you know, SHA-256 is good.

You know, AES-128, AES-256, whatever it is. You need to make sure that behind it, that module is validated, and you can only find that online.

Yep. Yeah. And that's where it's, for example, with Virtru, everything is built to comply, but to your point, it has to be FIPS validated.

And we have that right on our Virtru Trust Center, just transparently, which then links to the NIST website. So we have our CMVP certificates. I'm curious, to that point, what are some things that you look for when you're helping to consult an organization around the encryption tools they're using? For example, do you ever come across tools that are adequate, but maybe the vendor isn't making it easy enough to actually confirm that?

Yeah, we've seen a lot of vendors that are saying, we have our attestation. I believe it's CAVM.

It's not valid. It's not a validated module.

That's when people are saying, yeah, we're good. You know, we're okay. But then you start searching them up online, and they're not there, you can't find them, and they're not providing any data, because just getting that FIPS validated certification is not a FIPS validated module. The module itself is not validated yet. It's the first step, but they're not at the second step.

The second side of it is we see a lot of companies that use VPNs that are attached to their firewall, which then forces FIPS mode on your firewall. And a lot of companies don't know that. And it's a huge, huge point that has to be assessed and can lead to a conditional certification or a failed certification. It's the only one that is allowed to be conditional. But again, it's a big surprise when you get to an assessment and be like, well, we're using, again, you know, AES-256 or SHA-256, and be like, this is what we do.

But it's not FIPS. Your firewall is on FIPS mode, so we can't accept it. Yeah.

So, to recap, make sure you're using, and your vendor is showing you, the actual validated encryption modules, the CMVP certificate, which again, Virtru has right on their website. And I think that's where some of that confusion could come from. And the next thing I wanted to talk about is the whole FedRAMP piece, because with that, it doesn't have to be authorized; for example, it could be equivalent. So I think sometimes maybe there's the mix-up of, oh, with FIPS, that's also adequate, it can just be equal but not actually authorized.

So could you just remind everyone around the FedRAMP aspect, what are the actual requirements around FedRAMP when it comes to cloud tools for CMMC Level 2?

Yeah, so FedRAMP is a standard that the US government created for all cloud providers to protect sensitive data. It is also the requirement when you're using it to protect, store, transmit, or process CUI data in the cloud.

You need to have that FedRAMP authorization, so FedRAMP Moderate or High, and you need to be part of that marketplace.

You need to be able to find that cloud instance that you're using on the marketplace itself, and then you would inherit a lot of the controls from there.

And it's a must. You cannot have a cloud environment that doesn't have that FedRAMP, you know, certificate behind it. So if you're using something, you know, like most companies are using the Microsoft tool, well, Microsoft Basic or Microsoft E5 is not actually FedRAMP. You have to go to the higher versions, which a lot of companies don't know.

Because you search on Microsoft FedRAMP, and it says, yes, you know, we're FedRAMP, but then the instance you're using is FedRAMP. So it's a lot of just fact checking and looking behind the scenes, making sure that, you know, the company that you are using is FedRAMP, that they're actually in the marketplace itself. And not saying, yeah, we're, you know, we're compliant or, you know, we have everything ready.

We just don't have our certification yet. We didn't pass our assessment or anything like that. They have to pass it. They have to be able to prove that they came through it.

Yep. Yeah. And I do know, with this specifically, the equivalency is acceptable. So it's either the equivalency baseline or authorized. So Virtru, we are FedRAMP authorized in the marketplace.

But I have heard, Chris, and I'm curious your take on this, there are some differences from just an assessment perspective between using something that's either FedRAMP equivalent or authorized. And maybe if you could speak to that from your understanding.

Yeah. So when you have the authorization itself, the assessors are looking at what the solution closes. And then they take that, and it's okay, great, you close all these points. Where when you have the attestation or the equivalency, they still have to do some checks to make sure that everything is okay.

So you get an advantage by working with a company that is already assessed and certified.

Thanks Chris.

So yeah, you mentioned, and you all being in Canada, I know this has come up, where one big hurdle for the Microsoft commercial cloud is that, to your point, it's not FedRAMP.

If you look up just Microsoft in general, yes, they have authorizations, but it's only specific instances, the GCC, GCC High. And, you know, that's not always an option for a company, just whether they have infinite funds or not, or technical ability, right? There are instances where organizations are not able to purchase the specific SKU. So could you speak to that from your experience, just maybe working with Canadian organizations?

Yeah, so to be able to get Microsoft GCC or GCC High, you need to have a US person. So it has to be a US citizen, and then you also have to have a US-based location.

So you have to have both of those to be able to get access to a GCC or GCC High instance to then be able to close the data properly, and then you can, you know, do your CMMC from there. The problem in Canada is a lot of us don't have a second location.

You know, small mom-and-pop shops that don't really have anything on prem. We're just working out of SharePoint and OneDrive and stuff like that.

We are really having an issue now: we can't get on to that. And the cost of it is also pretty high.

But the difficulty also is, you know, here in Canada, we're also doing a similar CMMC program.

And if you get a cloud instance, you know, that's FedRAMP, you can also get a Canadian cloud. You have to get two. Right? So there's that too that companies have to look for as well.

Yeah. Thanks, Chris. And I think, of course, you know, by now people are becoming more aware that, again, GCC, GCC High are not the only options, you know, when it comes to meeting CMMC. There are third-party tools like Virtru, for example, as well as other options too, enclave providers.

But we specifically, again, that we're non-enclave, Virtru, have organizations that are using, for example, just our Secure Share product within GCC or GCC High, just as an easier alternative for sending and receiving files. We have organizations using the commercial cloud, but using Virtru for, again, email or our collaborate to store CUI at rest and organize it.

We're essentially, you're able to take that, you know, Microsoft commercial cloud aspect out of scope. You won't use OneDrive or SharePoint because, again, it's not FedRAMP, but these are trade-offs that are usually more affordable and faster to implement. So, good for everyone to know that there are truly options out there, but not something still that everyone knows. So switching gears a little bit, Chris, you know, when you've consulted with organizations and then maybe been involved with their assessment, when you see a customer using a tool like StreamScan for MDR and network monitoring, how does that change the conversation and help around the, you know, the specific families that you guys are supporting?

Yeah. So we have a shared responsibility matrix that we will share with the customer and also with the assessor.

And we will let the assessor know that, hey, they're inheriting these controls from us.

Also, it gives a little bit of a break for the customer when we're in that week of assessment. Say, hey, like, you know, I don't have to answer these questions. I've just been grilled for the last three days. Now it's StreamScan's turn to get asked some questions. So you get a little bit of alleviation of pressure there.

You know, we'll work towards getting all the evidence ready that you need.

We'll make sure that everything is configured properly and it's set up properly and that, you know, the documentation is done right, and that's all done by us anyways.

So when you get to an assessment, you know, you're looking at, okay, well, forty or forty-three percent of the way there, you know, StreamScan is getting us there just by their tools.

So the customer gets to say, I only need to hit, you know, fifty to sixty percent. And I don't have to go too much further, and I don't have to stress about answering all these questions because StreamScan is there, and we're there during the assessments as well. And we help customers go through all of these, all the policies, all the domains, every single control and assessment objective. So we also have the answers. So we're there, you know, as a backup. We don't wanna sit there and answer every single question for the customer.

It does look bad if we do that, and then it looks like the customer doesn't know what they did or what they're doing. But we're here as a backup, and it's a good, you know, safety net for a lot of customers. Yeah.

I think similarly, you know, we also of course have a shared responsibility matrix at Virtru, and, you know, we have the kind of key pieces of documentation that we provide to customers. And again, we have mutual customers who have already been assessed and achieved Level 2. And I always say that no news is good news, where we've had countless organizations pass their assessment and we didn't even know they were getting assessed. Of course, we would like to know. So, plug for any Virtru customer: feel free to let us know when you book your C3PAO assessment.

But I think that speaks to just the ease of use, or rather ease of implementation, the simplicity around vendors that you're selecting, the FedRAMP authorization. Would love, maybe, Chris, if you could just share for those who are familiar with StreamScan, just kind of what the implementation timeline looks like and the complexity at a high level.

So there are different options that we offer. Right?

Traditional consulting is, you know, call us when you need us. It does take the longest. You're looking at at least a year, depending on the, you know, the company and the timelines that they're in.

You know, getting our tools in place, just our tools and our consulting together, you're looking at probably closer to six to eight months to get ready.

And then our last, you know, type of product is not an all-in-one, but it's pretty close. But we only do it for on prem. You're looking at eight to twelve weeks to get that ready.

Great. Thanks Chris. Why don't we move over to some questions? The first question we had is how are you providing evidence of separation of duty?

Yeah, so in that control, so control 3.1.4, the first part, you need to write out which duties need to be separated.

The second part of it is you need to assign those to two different members.

And the way to prove it is to show the security groups and the permissions of those two users to make sure that they're not in all the same groups. If they have all the same access, well, you know, you're not really separating anything.

A lot of times what we do to show this is we say that the person who is approving access to CUI doesn't give the access to CUI. So we separate it by IT versus, you know, a manager. Right? So they send in a request to be approved to join the CUI group.

That gets approved by a manager, and then an IT administrator enforces that. Then you can show the IT admin doesn't have the same access as the manager, and the manager doesn't have access to the IT side.

Thanks, Chris. Related to that, around just, kinda, you know, asking about some of the specific controls, could you speak to, are there some controls that, from your awareness, are almost impossible for a third-party vendor to take over or to inherit? So I guess, said another way, what are some of the controls that definitely the OSC is gonna need to actually do by themselves?

So a big part of it is physical, the physical side.

Now you have some tools that will help you get there. You have cameras and you have alarms and you have door lock systems, but they don't get you certified just by having those. You have to have the policies written and all that stuff.

Everything else, you can pretty much get it externalized.

It's really that physical piece that no one can really come and do it for you, unless you get a security company to come in and start putting up fences and posts and say, well, we're inheriting controls because we're doing this. I don't think I've ever seen that out there in the marketplace.

Thanks, Chris. Specifically for Canadian companies, are there any specific requirements around where the keys are hosted or where the data is stored that would impact CMMC?

So it depends. It depends on how your system is kinda configured.

Now, just doing CMMC itself, the data can be exported. So it falls under export control, and then it falls under a similar program to ITAR in Canada called Controlled Goods.

And then you can have the data on prem, but if everything is in the cloud, then everything has to stay on the US side in the cloud.

Okay, great.

Well, I think that wraps it up for today for the questions. Again, thanks, Chris, for joining. Very insightful comments around where StreamScan can help, as well as Virtru, in an organization's CMMC journey, as well as just what to expect and some hurdles to consider.

And I would speak for both of us that, you know, both organizations are here to support you.

And if we don't know the answers, we'll find someone who hopefully does. But appreciate the time, Chris. Again, anyone looking to speak with either Chris or myself, please feel free just to reach out to us via our website.

And we'll see you on the next one, Chris. Thanks again.