The Regola Cyber Reference Architecture – GCC High Option is a blueprint for creating an Information System with GCC High, Azure Government, Windows and/or Mac endpoints, and optional support for mobile phones.
Is the Regola Cyber Reference Architecture CMMC-compliant?
The architecture and implementation are designed for CMMC Level 2 and NIST 800-171R2 requirements, including the External Service Provider requirements in the proposed CMMC Rule. What’s more, our architecture already addresses any future requirements for FedRAMP Moderate (or FedRAMP Moderate equivalence) for Security Protection Assets. The design is based upon the core network and tool stack architecture that Regola Cyber presented during their own C3PAO CMMC Level 2 assessment, which was passed with a 100% in four (4) days without a POAM window, on our first attempt under CMMC 2.0. Although PreVeil was used in our C3PAO CMMC L2 assessment instead of GCC High, the other elements of the architecture remain essentially unchanged.
Who should use the Regola Cyber Reference Architecture?
The Regola Cyber Reference Architecture is a functional enclave which is rated for CUI, ITAR, and CMMC Level 2, with endpoints that can be treated as CUI assets for typical workflows. Laptops can be used in the office or remotely, so whether your company is fully on-site, hybrid, or work from home, our solution meets your needs. We also have expansion options if you want to onboard manufacturing sites, campus locations, or data center locations. With the expansion option, you can interact with network printers and specialized equipment, or access other sites from within the boundary of the enclave, irrespective of whether users are remote or at one of the locations that provide authenticated enclave access.
The typical use case is an organization that wants to use a GCC High environment, Azure Government, with potential migration of data into the GCC High environment.
Support for MSPs
We also offer an MSP version of our Reference Architecture that includes an MSP Customer SSP provisioned for each end customer and a CRM from the MSP for that customer. The MSP can operate our Reference Architecture as a multi-tenant solution to provide a more accessible cost for end customers.
What is included in the Regola Cyber Reference Architecture – GCC High Option?
- MFA: Solution Licensing and build/integration guide for MFA.
- NGFW: Specifications, settings, STIG baseline, build guide, and credits towards the purchase of software-based firewalls (Azure, AWS, or VMWare deployment) or hardware appliances for your sites, operating in FIPS mode.
- VPN: Integration guide for remote access VPN and site-to-site VPNs (FIPS-validated to cover the broadest range of use cases).
- SIEM logging: Specifications and SIEM rules, including for integrated components such as NGFW logs and the MFA solution (build guide on how to configure the SIEM and which rules to create in it).
- GCC High: Specifications and settings.
- EDR: Specifications and settings.
- Endpoints (Windows and Mac): Build guide, configuration baselines, and hardening settings. The versions of Windows and Mac that can be used depend on the NIST CMVP (FIPS) certificates for the major version of the operating system being contemplated. We can provide additional guidance based on the customer’s risk tolerance and planned assessment date, but will provide documentation on the most conservative approach that enables patching and runs a major version that is FIPS validated.
- Architecture Diagrams: overall network architecture diagram, MFA data flow, audit logging flow, CUI flow
- System Security Plan: Pre-filled and ready for the end customer’s customization, including CRM statements from Cloud Service Providers (CSP) to enable the assessor to quickly and easily see how the Customer Responsibility is being addressed, as the implementation immediately follows the “Customer Responsibility”.
- POAMs: pre-filled for common items such as patching a minor version beyond the FIPS certificate validated minor version.
- MSP Customer System Security Plan: Pre-filled and ready for the end customer’s customization (significantly reduced scope of responsibility, as the MSP manages most functions). Includes ESP content (e.g. the MSP operating the Regola Cyber Reference Architecture) that references the ESP CRM to enable the assessor to quickly and easily see how the Customer Responsibility is being addressed, as the implementation immediately follows the “Customer Responsibility”.
- MSP CRM: Detailed Customer Responsibility Matrix at the assessment objective level for use by MSP customer.
- Policy and Procedure documents and templates: Pre-filled and ready for the customer’s customization.
- Access to Microsoft Teams Channel: Enables communication with Regola Cyber SMEs to address any questions on instructions or to solicit feedback.
- Release Notices: Regola Cyber validates new versions of the NGFW in FIPS mode, advises customers that the version has been tested, and suggests any configuration changes that may be needed. Customers should independently review the vendor release notes as part of their CMMC compliance program, but Regola’s testing is an added assurance that testing has been performed, so that customers are not “experimenting” in their production networks with a new release.
What is not included in the Regola Cyber Reference Architecture – GCC High Option?
You will need to supply your own laptops (we make recommendations for known good configurations), phones, Microsoft licenses, and Azure subscription.
You will need a system administrator or managed service provider that is familiar with Microsoft Azure, Office 365 (preferably with previous GCC High experience), and endpoint administration. We are building out a network of Preferred Managed Service Providers that run our Reference Architecture, so that you can access it without building an entire environment yourself: you can become a customer of an MSP that onboards you into a multi-tenant (less expensive) or single-tenant (more expensive) environment.
Is the Regola Cyber Reference Architecture a “bare minimum” solution?
No, and we do not claim to be. Our philosophy is based on multi-layered security and zero trust to provide a foundation which can support future changes to CMMC L2, such as NIST 800-171R3, and possible FedRAMP Moderate (or FedRAMP Moderate equivalence) for Security Protection Data. The past few years have shown an evolution in the interpretation of various controls, and C3PAO and JSVA assessments are becoming more stringent; we expect this trend to continue as assessors become more experienced. We anticipated this and designed accordingly, so that you don’t have to expend significant energy worrying whether your solution will meet the latest requirements messaged as “insights” from the LinkedIn CMMC community. Feel free to browse our experience and education: our team has years of experience with Federal Information Systems, NIST 800-171, FedRAMP, and government procurement.
Our approach also reduces the chance of assessment failure, or of a lack of assessment readiness at a critical time for a DIB company. Presently, there is uncertainty in the CMMC ecosystem regarding whether various scenarios would be acceptable when assessed, and we aim to err on the side of caution and take the conservative approach. At Regola Cyber, we refuse to “chase the bottom” because that strategy presents an unrealistically low cost estimate for DIB companies and a higher risk of compliance and cybersecurity incidents. Since we primarily serve MSPs and larger DIB companies, we will not license a solution that is arguably barely compliant, goes against the spirit of the NIST 800-171R2 requirements, and requires customers to play “catch-up” before they are assessment ready. For consulting clients that are looking for a consulting opinion, we will provide such guidance on the “bare minimum,” while outlining the assessment risk of these approaches.
Can my company customize the Regola Cyber Reference Architecture?
Of course. Customers are free to license our reference implementation and adjust it as they see fit. We can review proposed changes at T&M rates if you would like consultation from an assessment and risk management perspective before you implement any deviations from the architecture.
As noted on other pages, we will NOT perform consulting and assessment of the same organization, and we consider the provisioning of our reference architecture (including sub-licensing to MSP customers) to be consulting services.