Should You Use File Sharing Tools like PreVeil for CMMC Compliance?
There is nothing wrong with file sharing tools, but CMMC compliance comes down to dataflow: can it protect CUI/ITAR throughout its lifecycle? For 100% confidence in passing CMMC audits, M365 GCC High is the recommended solution.
“Bottom line is we wanted to achieve CMMC compliance. Considering the Dec 2023 release of the DoD memo regarding Cloud Service Providers (CSPs) and their FedRAMP status impacting the DIB’s ability to achieve compliance, we had to ensure there were no risks with our CSPs. Transitioning from PreVeil to a Microsoft 365 GCC High secure enclave backed by Microsoft’s O365 platform brings familiarity to all our users. More significantly, we wanted to regain centralized control of data permissions, sharing, and configuration management. M365 GCC High will afford achievement of these goals.”
- Debra Hill-Cherry, CIO at PSI Pax Inc.
TL;DR Version
Transitioning from file sharing tools like PreVeil to Microsoft 365 Government Community Cloud (GCC) High is driven by the need for comprehensive CMMC compliance, as file sharing tools can't fully protect Controlled Unclassified Information (CUI) throughout its lifecycle.
Key points from this blog:
- M365 GCC High offers a comprehensive environment, whereas file sharing tools are add-ons that users may not consistently use.
- Users tend to stick with native applications (e.g., Outlook, SharePoint) rather than third-party plugins, increasing the risk of non-compliance.
- Microsoft 365 GCC High secures data throughout its lifecycle, while file sharing tools might only protect data in transit or at rest, not in process.
- M365 GCC High includes built-in endpoint protection, unlike file sharing tools that require additional solutions.
- While file sharing tools may be cheaper, they pose higher compliance risks. M365 GCC High may seem costly, but Microsoft Commercial + all the 3rd party compliance solutions needed can get as expensive as GCC High by itself.
For CMMC, there is really only one question you have to answer: Is ALL of my CUI protected ALL of the time?
In conversations that I've had with numerous DoD contractors as a CMMC Certified Professional (CCP) here at Summit 7, there is one issue that keeps coming up when leaders are choosing between Microsoft 365 GCC High and a file sharing tool like PreVeil as their CMMC solution: file sharing tools simply do not capture the full data flow of CUI.
Really, M365 GCC High vs. a file sharing tool is an unfair comparison as it relates to CMMC compliance. Microsoft 365 GCC High is a comprehensive compliant environment for your users working with CUI to migrate into; file sharing tools are bolt-on 3rd party plug-ins to your current environment that your users will try to juggle securely.
And yet, these solutions are often compared as apples to apples.
So, what’s the difference and why does it matter?
The 3 Questions You Should Ask When Choosing Between Microsoft 365 GCC High and File Sharing Tools like PreVeil as a CMMC Solution
1. Are my users going to actually use it?
As any IT person knows, users always take the path of least resistance. When users are presented with a “plugin/app/website” versus “Outlook/SharePoint/Teams” - they will inevitably use the native apps (Outlook, SharePoint, Teams).
With these bolt-on compliance solutions, you are playing CUI hot potato. If anyone lets it hit the ground, everyone loses.
A file sharing plugin is not the main highway of data in your organization. Your users are already using an email application and likely a cloud storage application. The plugin will be an additional application on their desktop or mobile that must be used every time CUI is handled.
One of the biggest issues we hear from companies leaving PreVeil and other file sharing tools is the stress and risk it brings to train and trust their team to use it.
With a file sharing tool, your data is bifurcated. Do your users want two email accounts to check? Two drives?
You can’t force your users to use a third-party plugin. Can you trust your new hire to remember which documents need to use that new application they learned last month? Or when your seasoned team member has a rush job and they have an Outlook and PreVeil app on their phone and need to send something along quickly, which do you think they will choose?
You can’t force external parties (partners, primes, etc.) to use YOUR compliant tool. If you think your users are hard to train, try to retrain an external company who has your name/email address already queued up in their Outlook autocomplete - or even just replying to an old email.
If that worries you, do you have a plan to constantly monitor compliance? Who is going to make sure all the CUI ends up in the plugin drive all the time? To stay compliant, you will need someone internally who constantly monitors your environment to make sure that one safe route is being used.
Who does the DoD/DOJ hold responsible if a bad user puts CUI in a non-compliant environment? The bad user isn’t solely held responsible: the DoD/DOJ holds the company liable.
2. Can File Sharing Tools protect CUI throughout its lifecycle and throughout my organization?
There is nothing wrong with file sharing tools, but for CMMC the question comes back to dataflow: can it protect CUI/ITAR throughout its lifecycle?
See the image above: the email/data comes into your environment but doesn’t let you open it on any of your native apps on your phone or laptop – and forget about saving it to a local server or having it move across your network securely.
Microsoft 365 GCC High offers a comprehensive compliant environment. File sharing tools offer one compliant pathway. M365 GCC High is like a fortified city with a fortress wall, secure gates, and security patrol for the entire infrastructure; CUI is even carried around the city inside an armored car.
In contrast, file sharing tools offer one safe house and one safe road in and out of your unfortified, vulnerable city. This house and route are safe, but the problem is, as anyone who has done a scoping assessment will tell you, CUI is more sprawling than that. It doesn’t stay tidily in one of those two places: rest or transit. The CUI rule, along with the DoD DFARS 7012 rule, also states that the data must be protected in process. Think about the life of one CUI document: Where did it get created? Where did it come from? Where all will it need to go in its lifecycle?
According to NIST 800-171, everything that CUI touches must be secured. Every link in the chain must be protected because your security posture is only as strong as the weakest link. If CUI leaks out of a secure location anywhere along the way – whether it’s the server, network, endpoint, mobile device – it has ceased to be protected, and you have ceased to be compliant.
If CUI or ITAR spills into your M365 commercial environment without protection, it must be cleaned up. Was it backed up to some other online source? That has to be cleaned up too. Synced with endpoints? Cleanup. Synced with mobile devices? It must be cleaned up. And the cleanup is extensive.
If 60% of your CUI environment is strong, but the rest is vulnerable, the 60% is irrelevant. The purpose of CMMC is to enforce accountability to eliminate these weak links, and your C3PAO will be looking for them.
If your organization isn’t protecting 100% of your CUI 100% of the time, you will not pass your CMMC Certification.
Juggling Multiple Applications for Compliance
While it’s a good question to ask whether or not a file sharing tool is the right CMMC solution for your company, that isn't the only important question. You also need to ask: Is it the ONLY solution I will need?
One big example of the limited scope of these tools’ security is the lack of endpoint protection.
PreVeil’s website lists three limitations and names its biggest limitation explicitly:
“Vulnerability to Compromised Endpoints: End-to-end encryption relies on the endpoints’ security — the devices used by the sender and recipient — to encrypt and decrypt the data. If either endpoint is compromised through malware, hacking, or physical access, it can undermine the effectiveness of end-to-end encryption. Attackers may gain unauthorized access to decrypted data or intercept information before it gets encrypted. Ensuring the security of endpoints becomes crucial to maintaining the integrity and confidentiality of data.”
Their solution relies upon the security of the endpoint for their product to work, but they do not offer endpoint security. They even give direction on how to solve this problem with other providers.
Microsoft Defender for Endpoint is built into Microsoft 365 GCC High as a unified endpoint platform for preventative protection, post-breach detection, and response. It provides advanced attack detections that are near real-time and actionable, allowing security analysts to gain visibility into the full scope of the breach.
With file sharing tools, expect supplementary applications to be required, more internal work, and more risk assumed by your organization.
3. How much risk am I willing to assume to save money with a “simpler, more affordable” solution?
The DIB is stuck between a rock and a hard place: cost vs. risk. The choice of CMMC solution provider comes down to a simple question: how much risk are you willing to assume?
PreVeil and other compliance plugins may offer a CMMC solution at a fraction of the cost, but they also can only do a fraction of the things M365 GCC High can and increase your compliance and breach risk considerably.
For more about the cost of CMMC and how to practically prepare your company, check out our webinar below. See the 24-minute mark for more on the Compliance Risk Meter above.
What are the limitations of Microsoft 365 GCC High?
The primary limitation of Microsoft 365 GCC High is its cost. Why is M365 GCC High more expensive than other solutions? Simply put, M365 GCC High, when configured correctly, is the most comprehensive CMMC solution.
M365 GCC High may seem costly, but Microsoft Commercial + all the 3rd party compliance solutions needed can get as expensive as GCC High by itself.
Microsoft 365 GCC High: The Best-in-Class, User-Proof Choice for CMMC Compliance
Microsoft has become the tip of the spear in providing cloud offerings to meet the needs of the DoD and its supply chain. As such, M365 GCC High continues to be the best-in-class when defending US data and keeping the Defense Industrial Base secure.
With CMMC audits coming and the possibility of losing contracts or facing massive fines if your company remains non-compliant, we recommend a priority of risk management and long-term cost-savings.
What’s at Stake? Passing Your CMMC Audit with 100% Confidence
If you want 100% confidence as you approach your CMMC audit, M365 GCC High is the right solution for you.