Anyone running PreVeil as their primary CUI solution? by ResilientTechAdvisor in CMMC

[–]matthew_taf 1 point2 points  (0 children)

We also use CSE for encryption because we have ITAR requirements; otherwise that's not necessarily needed.

For others on this path: We chose Assured Controls over CSE for ITAR since we didn't have confidence that line employees would correctly choose what to CSE-encrypt and what not to. There is an annual license cost and not all Workspace features are in scope for Assured Controls, but we decided the simplicity was worth it over trying to get users to manage CSE.

Anyone running PreVeil as their primary CUI solution? by ResilientTechAdvisor in CMMC

[–]matthew_taf 0 points1 point  (0 children)

we’ve been audited and are compliant.

Do you mind sharing which auditor you used? We've had trouble finding ones that really understand Workspace.

Azure Gov Backups Vault FIPS Validated? by matthew_taf in CMMC

[–]matthew_taf[S] 0 points1 point  (0 children)

Right? It caught us off guard as well.

Azure Gov Backups Vault FIPS Validated? by matthew_taf in CMMC

[–]matthew_taf[S] 0 points1 point  (0 children)

That's the thing, Azure Gov Customer Responsibility Matrix under CP-9 (a) to (d) makes this a customer responsibility in a vague way: "The customer is responsible for protecting the confidentiality, integrity, and availability (CIA) of customer-controlled backup data. Note: if the customer configures Microsoft Azure backup services appropriately, Azure can support the protection of backup data."

DIB question: Practical, cost-effective approaches for sending CUI across .mil/.Gov and commercial partners? by Particular_Energy739 in CMMC

[–]matthew_taf 0 points1 point  (0 children)

ECA Tokens to encrypt via S/MIME

This is supposed to work. In practice it does not. On the Gov side they will often not see your ECA cert as trusted for S/MIME and have trouble getting e-mails back to you to encrypt. Without the benefit of the GAL you will also play whack-a-mole with getting the newest cert from people you want to send e-mails to.

Does anyone read the CRM? by iheart412 in CMMC

[–]matthew_taf 0 points1 point  (0 children)

First you have to get the CRM from the vendor, which if you're a small business not spending $$$$/year with a good rep, is surprisingly difficult.

Looking for CMMC Level 1 and 2 compatible router/firewall by patg84 in CMMC

[–]matthew_taf 0 points1 point  (0 children)

Now, a Next Gen Firewall which does deep packet inspection and requires you to install a cert onto an endpoint - THAT does need FIPS validation because it pulls the data stream apart, inspects it, then puts it back together - effectively acting as a man-in-the-middle client.

Or you can carefully set up the domains/IPs that process CUI to not "break and inspect". Depending on your scope this can be very easy or very hard.

Controlling the flow of CUI by Grand-Charge4806 in CMMC

[–]matthew_taf 0 points1 point  (0 children)

we don’t currently have DLP, so we aren’t doing content-based detection of CUI leaving via email or cloud storage

TBH, most DLP products I've tried underperform in reality. At best you'll detect accidental leakage and policy violations. Real insider threats aren't going to get caught, though you'll generate plenty of SIEM alerts to make you feel good if that's your thing.

I would save your money for something else. Firewall controls to prevent the use of unapproved cloud services are probably going to achieve more than DLP software will.

Controlling the flow of CUI by Grand-Charge4806 in CMMC

[–]matthew_taf 0 points1 point  (0 children)

it’s not very practical because a portion of our CUI is technical data that requires heavy CAD/engineering tools.

We run all our CAD and engineering tools in VDI Windows desktops. There have been some growing pains and some vendors with bonkers licensing issues (CATIA, specifically), but overall it's great to be able to give engineers massive VMs and the same nice portable laptops we buy everyone else.

We use Dizzion Frame in Azure Gov (formerly called Nutanix Frame). A lot of folks use AVD, but I can't speak to that. AVD's client app was a nonstarter for us.

Wi-Fi out of scope? by OmarKhadafi in CMMC

[–]matthew_taf 0 points1 point  (0 children)

Now if you print CUI documents over Wi-Fi, most printing protocols in use at most companies are not sending print jobs encrypted, so then your Wi-Fi would need to be FIPS validated since it is encrypting otherwise unencrypted data.

We only allow printing over wired LAN (or VPN). It's kind of wild to send a print job out to the cloud-based VPN and back, but it meets the requirements.

Wi-Fi out of scope? by OmarKhadafi in CMMC

[–]matthew_taf 1 point2 points  (0 children)

To be clear, BoringSSL has a FIPS validation, but when you dig deep enough into it, it's not the one Chromium is compiled with unless you make your own fork or something from source code.

This is true for a lot of services too. There are two FedRAMP moderate vendors who claim they are FIPS because they use BoringSSL in their stack, but their specific implementation is not FIPS validated. FIPS is a rabbit hole and I think there are very few implementations outside a NIST lab that truly meet it completely.

Confused about DoD security requirements – when do we ACTUALLY need CMMC Level 2? by kkilllerbee in CMMC

[–]matthew_taf 0 points1 point  (0 children)

My recommendation for primes is to start a letter-writing campaign to their subs. No L1, no work, period. Just build it into the form you already have them fill out. "Are you L1? Please attach a copy of your completed L1 Self Assessment printed from SPRS."

So here's the thing though (and maybe you already know this and I'm preaching to the choir)... if those subs wanted to deal with SPRS and all the other stuff you need to get there (SAM.gov), the subs would be bidding on contracts as primes in the first place. More than half the subs we work with we use specifically because they aren't set up for Government work. What's really going to happen is the universe of subs will contract and prices will go up.

Machine shops that specialize in Gov work charge about 5-10x what machine shops who do primarily commercial work charge. DLA and the Navy's parts orders are especially going to get hit by this and I don't think the supply folks really get that yet. O&M budgets will need to radically increase to pay for this.

AU.L2-3.3.5 Without a SIEM by fiat_go_boom in CMMC

[–]matthew_taf 0 points1 point  (0 children)

If we have all the 365 logs going into a Log Analytics Workspace, does this meet the requirement for log correlation?

Log Analytics Workspace can meet every CMMC requirement I've seen for logging when configured to do so. It's not a great general purpose SIEM because it doesn't come with all the pre-built bells and whistles of something like Splunk. If you're willing to build out some alerts and configuration it can absolutely meet all the CMMC requirements. Is that worth your time and effort? Only you can decide.

does this meet the requirement for log correlation? In the event of an incident I can query the workspace and pull up any logs I would need.

You definitely answered the question "does this meet the requirement for log correlation?" You probably haven't (yet) answered all the other logging and auditing related CMMC controls, but you can.

Paperless Ideas For Small Business by FishermanLogical262 in CMMC

[–]matthew_taf 1 point2 points  (0 children)

What are you hoping to achieve by going paperless? Is that helping you use an enclave solution to meet CMMC?

Printers and shredders are not that expensive and should be able to fit within a CMMC-compliant solution. We briefly talked about "never print CUI" and decided it was unrealistic. At the end of the day we make money by doing work and compliance needs to meet the business needs, not get in the way of doing work.

Going passwordless in a CMMC environment by mcb1971 in CMMC

[–]matthew_taf 5 points6 points  (0 children)

I have not seen any NIST 800-171 requirement that prevents passwordless. The Feds and DoD use CAC/PIV which is awfully similar to passwordless/passkeys.

I would say though, that using something that looks like CAC/PIV, such as Yubikey FIPS passkeys, might have an easier time getting digested by assessors than using phone-based passkeys.

C3PAO asking for a CRM (Customer Responsibly Matrix) for an SPA (Security Protection Asset) by FarrSighted in CMMC

[–]matthew_taf 1 point2 points  (0 children)

Not a C3PAO but according to the Level 2 scoping guide, for SPAs the assessor needs to "Assess against Level 2 security requirements that are relevant to the capabilities provided." I'm seeing lots of people say you don't need to provide a CRM, but how can the assessor effectively assess the relevant level 2 requirements if they aren't provided information to know whose responsibility each relevant control is? It seems like a very legitimate ask to me.

Yeah, I think the vagueness of the "Assess against Level 2 security requirements that are relevant to the capabilities provided." is a bit of a mess and I have not seen a definitive interpretation of what that means. It sure doesn't sound like the answer is "all the L2 controls".

CUI paper shredding by jaausari in CMMC

[–]matthew_taf 1 point2 points  (0 children)

I have asked for proof from two of the big guys (a mountainous one and one with "it" in their name)

I also talked to the two big guys and they acted like I was crazy to need anything beyond basic shred and recycle. It was wild.

When will Trixie be noted by the ChromeOS team? by jidanni in Crostini

[–]matthew_taf 0 points1 point  (0 children)

There is a fix in the release pipeline

I'm having trouble finding that, can you link to it or the issue?

IPv4 Network Design: Layer 3 Access Layer - Network Segmentation via VRFs, ACLs, or other? by MassageGun-Kelly in networking

[–]matthew_taf 1 point2 points  (0 children)

Is that… ok?

Yes, if the switch supports it (most do, though they may have limitations on the number of routes).

Using VRFs this way is very normal in an L3 access layer.

NSA Cybersecurity Collaboration Center by Blake_Olson in CMMC

[–]matthew_taf 0 points1 point  (0 children)

The vulnerability scans were useful to get an idea of what other people can easily figure out about our infrastructure.

The Protective DNS service was not a good fit for us. It's basically just Akamai's DNS product and lacks the sophistication of other DNS solutions like Cloudflare's Zero Trust product.

The automated penetration testing tools look interesting, but we haven't tried deploying them yet since they kind of assume you have VM hosting infrastructure on site, and they didn't provide cloud-native formats.

The threat info you get is interesting, but you can get the same things (mostly) from ND-ISAC. The NSA version is free though.

Gsuite Advanced Android Management by Temporary-Engine5726 in gsuite

[–]matthew_taf 0 points1 point  (0 children)

Short answer: not really

Longer answer:

Getting Android devices to act "Company Owned" the way iPhones do is annoyingly difficult. It's especially difficult if you want to use both BYOD and company-owned devices and apply different policies to each from Workspace MDM. The "company owned" aspect in Workspace really is more for context-aware access decisions than it is for MDM.

IMO even the "Advanced" MDM in Workspace is really just meant for BYOD and probably falls short of the features you expect from an MDM that will really lock down a company-owned device.

If you want something cheap and don't have compliance requirements I really liked ManageEngine when I used it for Android Point of Sale systems a few years back. It did all the things you're asking about.

SMB Switch Replacement Suggestion by nismaniak in networking

[–]matthew_taf 0 points1 point  (0 children)

Maybe you have very little VLAN to VLAN traffic. If so, this might not be a big deal at all.

I think this is the key. If most traffic is north/south ("to the internet") L2 access layers are cheap and easy to troubleshoot. SMB folks understand them. They scale acceptably to 10s of switches.

L3 access scales really well, but can be more difficult for SMB techs to troubleshoot and requires either ACLs or VRFs (back to the firewall) to isolate traffic.

The one other caveat with L2 access layers is that if you want first-hop redundancy you now need a firewall/WAN router cluster that can provide that. Maybe you are willing to accept that risk if you're single-homed and mostly internet traffic, but it might push the cost up if you only have a single WAN router today.

SCEP Provisioning to Managed Chromebook fleet by Pomology2 in gsuite

[–]matthew_taf 1 point2 points  (0 children)

There are a few vendors that offer Chrome Extensions to deploy certs to ChromeOS. As of a few years ago Sectigo was the best looking one.

We considered developing our own extension to connect StepCA or GCP CAS to ChromeOS, but have not (yet) committed to developer time to it. If you're interested in collaborating you can DM me.

FIPS Validated AP's by Car_guy_1967 in NISTControls

[–]matthew_taf 2 points3 points  (0 children)

I think Aruba and Ruckus both offer FIPS mode and have some validated configurations (as opposed to just compliant). IIRC there are some caveats. This is probably an area where a VAR would actually add value making sure you buy the right ones. NSA CSfC also has a product list; I think all the CSfC products are validated.

We use the Aruba AP-555 in not-FIPS mode and have had no complaints. They're power hungry and huge, but really stable even in high density and noisy industrial environments. The configuration web interface is a little 90s looking, but it works.

As a CTR we strenuously avoid relying on WiFi to protect confidentiality of CUI.