One of the most common questions that we get is about NIST 800-171 or CMMC technology vendors. Which technologies are "approved" for CMMC?
The answer, of course, is none of them. Since widespread audits haven't started, there's no way to tell exactly which vendors will pass muster.
In the course of work doing CMMC consulting and coaching, though, we've picked up a few helpful nuggets about CMMC technology vendors.
We're writing this article to share what we've learned. Please understand that this is our OPINION, not any kind of "approved vendor list."
Please also understand that we focus on working with companies with fewer than 200 employees. The list below represents solutions that work for and are within the reach of a typical small or midsized business. Larger companies will have more options available to them.
And we'd love to keep learning from you! If you have questions or your own tools to suggest, please drop them in the comments below. This is an emerging field, and anything we can share will make all of our lives easier.
So, let's dive in to our NIST 800-171 / CMMC technology vendors list:
Microsoft 365 is the only game in town, but only Microsoft 365 GCC High is suitable for CUI.
A few things you should know about GCC High:
If you want an introduction to one GCC High reseller who's been doing a great job for our clients, contact us.
If you just need to share files with outside parties, or you moved to GCC High and need to share files with outside partners, Cocoon Data is worth a look.
If you just need a safe way to share files and send emails (and don't need any of the other M365 features), Preveil is worth a look.
We've had success with this for companies who want to create a secure enclave to handle CUI, as a subset of the larger company.
Hoo-boy, this is a big topic. Easily one of the two biggest technology projects needed for compliance with CMMC and NIST 800-171.
There is no one solution that's right for every company, and a lot has to do with what baseline configuration standards you pick. Here are a few options that we've seen work:
It's important to note that neither Azure Active Directory nor Device Manager have come close to supporting the level of GPO required for either STIG or CIS. We've seen a lot of IT service providers assume they'll be able to meet the requirements with cloud-only technology, only to be disappointed.
Most companies are sticking with BitLocker. Not sure yet whether BitLocker overlays like Beachhead are compliant or not, so do your due diligence if you're thinking of going that route.
There's a LOT of ambiguity around this. From talking to other CMMC practitioners, what we've gathered is:
Most companies use their endpoint protection solution.
Most companies are using firewall-based VPN with MFA and detailed logging enabled.
Most companies are using Microsoft Device Manager in GCC High.
This is another big topic, and big project. Here's what we've seen:
This tends to be one of the more expensive areas of CMMC and NIST compliance. We've generally seen two categories of vendors that can help you with this:
There are two parts to this...
The only system we've seen in this category is LobbyGuard, though many companies end up doing this manually on paper. There is no requirement to have a system, just a documented, auditable process.
Most companies end up using Microsoft Defender add-on inside of Microsoft 365 GCC High.
Most of the other typical players (Proofpoint Essentials, Reflexion, Barracuda, Ironscales) aren't set up to handle CUI, as far as we know.
If you still want to explore these tools, make sure you get it in writing that the vendor is comfortable handling CUI, has plans to become CMMC compliant themselves, and at a minimum has a SOC 2 audit that you can review.
We use, recommend, and help clients set up Tenable Nessus. It doesn't hurt that this product has also been used by the DoD for vulnerability scanning in the past. It also helps to audit and verify compliance with CIS or STIG as well.
Be really careful with "lesser" vulnerability scanners that target small and medium businesses. Many of them do not have suitable security controls in place -- I worry they could lead to another Kaseya-style event. The reputable names in this space are Tenable, Qualys, and Rapid7. Be forewarned -- none of these vendors are particularly friendly or easy for small businesses.
We've kissed a lot of frogs in this area, and none of them are ready for prime time. They all sound great from a marketing perspective, but in practice they will significantly slow you down. For now, you'll be better off managing your NIST 800-171/CMMC gap assessments and POAM in spreadsheets, your SSP in documents, and your evidence for audit in a carefully organized set of folders. We'll update this section if we find tools that are more usable and actually save time.
Use the comments below to ask questions or add your own suggestions! This is an emerging field, and anything we can share will make all of our lives easier.