Possible Technology Vendors for CMMC / NIST 800-171

One of the most common questions that we get is about NIST 800-171 or CMMC technology vendors. Which technologies are "approved" for CMMC?

The answer, of course, is none of them. Since widespread audits haven't started, there's no way to tell exactly which vendors will pass muster.

In the course of work doing CMMC consulting and coaching, though, we've picked up a few helpful nuggets about CMMC technology vendors. 

We're writing this article to share what we've learned. Please understand that this is our OPINION, not any kind of "approved vendor list."

Please also understand that we focus on working with companies with fewer than 200 employees. The list below represents solutions that work for and are within the reach of a typical small or midsized business. Larger companies will have more options available to them.

And we'd love to keep learning from you! If you have questions or your own tools to suggest, please drop them in the comments below. This is an emerging field, and anything we can share will make all of our lives easier.

So, let's dive in to our NIST 800-171 / CMMC technology vendors list:

Productivity Suite 

Microsoft 365 is the only game in town, but only Microsoft 365 GCC High is suitable for CUI.

A few things you should know about GCC High:

• It can only be purchased through a few resellers
• It takes longer to provision than 365 Commercial
• It's only sold with annual contracts
• It can only be sold to companies who are cleared to use it
• A few things are very different from 365 Commercial. For example, external file sharing just doesn't work, at all.

If you want an introduction to one GCC High reseller who's been doing a great job for our clients, contact us.  

File Sharing

If you just need to share files with outside parties, or you moved to GCC High and need to share files with outside partners, Cocoon Data is worth a look.

File Sharing and Secure Email

If you just need a safe way to share files and send emails (and don't need any of the other M365 features), Preveil is worth a look.

We've had success with this for companies who want to create a secure enclave to handle CUI, as a subset of the larger company.  

Computer configuration management

Hoo-boy, this is a big topic. Easily one of the two biggest technology projects needed for compliance with CMMC and NIST 800-171.

There is no one solution that's right for every company, and a lot has to do with what baseline configuration standards you pick. Here are a few options that we've seen work:

If you choose STIG as your standard:

• SteelCloud, if you want the enforcement automated for you.
• We've seen some small companies do their own Active Directory Group Policy Object (GPO) deployments, though they haven't yet gotten to the point where they need to keep them updated with STIG changes.

If you choose CIS as your standard:

• The CIS organization sells Active Directory deployment kits that help to automate GPO deployment, as part of their annual subscription.
• Again, manual GPO.

It's important to note that neither Azure Active Directory nor Device Manager have come close to supporting the level of GPO required for either STIG or CIS.  We've seen a lot of IT service providers assume they'll be able to meet the requirements with cloud-only technology, only to be disappointed.  

Device Encryption

Most companies are sticking with BitLocker. Not sure yet whether BitLocker overlays like Beachhead are compliant or not, so do your due diligence if you're thinking of going that route.

Endpoint Protection

There's a LOT of ambiguity around this. From talking to other CMMC practitioners, what we've gathered is:

• It will probably be looked upon poorly if you use foreign-owned tools (e.g., Bitdefender (Romania), Kaspersky (Russia)).
• It will probably be looked upon kindly if you use a vendor listed on the FedRamp marketplace (e.g., CrowdStrike, McAfee, SentinelOne).

USB Lockdown

Most companies use their endpoint protection solution.

Firewalls

Must be FIPS-validated, per the online database.

Remote Access

Most companies are using firewall-based VPN with MFA and detailed logging enabled.

Wireless access points

Must be FIPS-validated, per the online database.

Mobile device management

Most companies are using Microsoft Device Manager in GCC High.

Logging and log monitoring (Audit & Accountability)

This is another big topic, and big project. Here's what we've seen:

• Configuring what logs are collected -- should be addressed by STIG or CIS.  Don't assume the right logs are being collected from hosts unless you've explicitly configured them to do so.  We coach our clients through this. 
• Loading logs to a SIEM -- most companies outsource this (see below).  If you have a strong technical team, you can also use open source tools like Elastic, Graylog, or Wazuh, though these are pretty significant projects.  (BTW, we know a great Wazuh guy -- contact us if you need an introduction)
• Monitoring logs -- again, mostly outsourced (see below). The alternative is to train internal team members on what all of the logs mean, and how to monitor them for malicious or suspicious behavior.  This is a BIG project if you don't have this skillset in house.  

Outsourced Log Monitoring / Managed Detection & Response (MDR)

This tends to be one of the more expensive areas of CMMC and NIST compliance.  We've generally seen two categories of vendors that can help you with this:

• Direct-Purchase Managed Detection and Response -- there are quite a few out there, and they all work similarly. Typically their prices start in the five figures per year for even the smallest of companies. Here's a list of some to consider.
• Reseller-Purchase Managed Detection and Response -- there are a handful of vendors in this space who are providing a similar MDR service but are focused on working with small businesses, and sell through IT service providers.  In general, these services are newer so are less mature.  We've tested a number of them, and most of them are not ready for true CMMC compliance.  We're not ready to go on record yet to recommend one specific vendor, but we have found one vendor who meets some (though not all) of the CMMC requirements and does a great job.  We're happy to talk to you about our experiences.  In the meantime, buyer beware and do your due diligence.  

Security and Awareness Training

There are two parts to this...

• General awareness training -- lots of ways to skin this cat.
• Specific CMMC training / job skills training -- no way around this, you're going to have to create specific training for your staff about how YOU handle CUI and CMMC. No great tools for this, just need to train people and document that you trained them.

Visitor logging and badges

The only system we've seen in this category is LobbyGuard, though many companies end up doing this manually on paper. There is no requirement to have a system, just a documented, auditable process.

Inbound email security

Most companies end up using Microsoft Defender add-on inside of Microsoft 365 GCC High.

Most of the other typical players (Proofpoint Essentials, Reflexion, Barracuda, Ironscales) aren't set up to handle CUI, as far as we know.

If you still want to explore these tools, make sure you get it in writing that the vendor is comfortable handling CUI, has plans to become CMMC compliant themselves, and at a minimum has a SOC 2 audit that you can review.

Vulnerability scanning

We use, recommend, and help clients set up Tenable Nessus. It doesn't hurt that this product has also been used by the DoD for vulnerability scanning in the past.  It also helps to audit and verify compliance with CIS or STIG as well.

Be really careful with "lesser" vulnerability scanners that target small and medium businesses. Many of them do not have suitable security controls in place -- I worry they could lead to another Kaseya-style event.  The reputable names in this space are Tenable, Qualys, and Rapid7.  Be forewarned -- none of these vendors are particularly friendly or easy for small businesses.  

DNS Filtering

Since these are really just monitoring DNS lookups and don't handle any CUI, we think any of the major players (DNSFilter, Cisco Umbrella, etc.) should be fine.

Gap Assessment and Document Management Tools

We've kissed a lot of frogs in this area, and none of them are ready for prime time.  They all sound great from a marketing perspective, but in practice they will significantly slow you down.  For now, you'll be better off managing your NIST 800-171/CMMC gap assessments and POAM in spreadsheets, your SSP in documents, and your evidence for audit in a carefully organized set of folders.  We'll update this section if we find tools that are more usable and actually save time.  

What do you think of our CMMC technology vendors list?

Use the comments below to ask questions or add your own suggestions! This is an emerging field, and anything we can share will make all of our lives easier.