The Regola Reference Architecture – PreVeil Option is a blueprint for creating an Information System with PreVeil Gov Community, Azure Commercial, Windows and/or Mac endpoints with support for mobile phones and optional Microsoft 365.
Is the Regola Cyber Reference Architecture CMMC-compliant?
The architecture and implementation are designed for CMMC Level 2 and NIST 800-171R2 requirements, including the External Service Provider requirements in the proposed CMMC Rule, and any future requirements for FedRAMP Moderate (or FedRAMP Moderate equivalence) for Security Protection Assets. The design is based upon the architecture and implementation that Regola Cyber presented during our own C3PAO CMMC Level 2 assessment, which was passed with a 100% score in four (4) days without a POAM window, on our first attempt under CMMC 2.0.
Who should use the Regola Cyber Reference Architecture?
The Regola Cyber Reference Architecture is a functional enclave which is rated for CUI, ITAR, and CMMC Level 2, with endpoints that can be treated as CUI assets for typical workflows. Laptops can be used in the office or remotely, so whether your company is fully on-site, hybrid, or work from home, our solution meets your needs. We also have expansion options if you want to onboard manufacturing sites, campus locations, or data center locations. With the expansion option, you can interact with network printers, specialized equipment, or access other sites from within the boundary of the enclave, irrespective of whether users are remote or at one of the locations that provide authenticated enclave access.
The typical use case is an organization that wants to remain in Office 365 Commercial, Azure Commercial, or other commercial cloud providers without migrating the majority of their content to a new cloud. A migration is a significant undertaking, and some companies do not want to manage or fund a migration project.
Support for MSPs
We also offer an MSP version of our Reference Architecture that includes an MSP Customer SSP provisioned for each end customer and a Customer Responsibility Matrix (CRM) from the MSP for the customer. The MSP can operate our Reference Architecture as a multi-tenant solution to provide a more accessible cost for end customers.
What is included in the Regola Cyber Reference Architecture – PreVeil Option?
- MFA: Solution Licensing and build/integration guide for MFA.
- NGFW: Specifications, settings, STIG baseline, build guide, and credits towards the purchase of software-based firewalls (Azure, AWS, or VMware deployment) or hardware appliances for your sites, operating in FIPS mode.
- VPN: Integration guide for remote access VPN and site-to-site VPNs (FIPS validated, to cover the broadest range of use cases).
- SIEM logging: Specifications and SIEM rules, including for integrated components such as NGFW logs and the MFA solution (build guide covering how to configure the integrations and which rules to create in the SIEM).
- PreVeil Gov Community: Specifications and settings.
- Microsoft 365: Specifications and settings (if used)
- Endpoints (Windows and Mac): Build guide, configuration baselines, and hardening settings. The versions of Windows and Mac that can be used depend on the NIST CMVP (FIPS) certificates for the major version of the operating system being contemplated. We can provide additional guidance based on the customer’s risk tolerance and planned assessment date, but will provide documentation on the most conservative approach that enables patching and runs a major version that is FIPS validated.
- Architecture Diagrams: Overall network architecture diagram, MFA data flow, audit logging flow, and CUI flow.
- System Security Plan: Pre-filled and ready for the end customer’s customization, including CRM statements from Cloud Service Providers (CSPs) so that the assessor can quickly and easily see how the Customer Responsibility is being addressed, as the implementation immediately follows the “Customer Responsibility”.
- POAMs: pre-filled for common items such as patching a minor version beyond the FIPS certificate validated minor version.
- MSP Customer System Security Plan: Pre-filled and ready for the end customer’s customization (significantly reduced scope of responsibility, as the MSP manages most functions). Includes ESP content (e.g. MSP operating the Regola Cyber Reference Architecture) that references the ESP CRM so that the assessor can quickly and easily see how the Customer Responsibility is being addressed, as the implementation immediately follows the “Customer Responsibility”.
- MSP CRM: Detailed Customer Responsibility Matrix at the assessment objective level for use by the MSP customer.
- Policy and Procedure documents and templates: Pre-filled and ready for the customer’s customization.
- Access to Microsoft Teams Channel: Enables communication with Regola Cyber SMEs to address any questions on instructions, or to solicit feedback.
- Release Notices: Regola Cyber validates new versions of the NGFW in FIPS mode, advises customers that the version has been tested, and suggests any configuration changes that may be needed. Customers should independently review the vendor release notes as part of their CMMC compliance program, but Regola’s testing is an added assurance that testing has been performed, so that customers are not “experimenting” in their production networks with a new release.
What is not included in the Regola Cyber Reference Architecture – PreVeil Option?
You will need to supply your own laptops (we make recommendations for known good configurations), phones, Microsoft licenses, and PreVeil licenses (unless you use Regola Cyber as your PreVeil reseller).
You will need a system administrator or managed service provider that is familiar with Microsoft Azure, PreVeil, and endpoint administration. We are building out a network of Preferred Managed Service Providers that run our Reference Architecture, so that you can access it without building an entire environment yourself: you become a customer of the MSP, which can onboard you into a multi-tenant or single-tenant (more expensive) environment.
Is the Regola Cyber Reference Architecture a “bare minimum” solution?
No, and we do not claim to be. Our philosophy is based on multi-layered security and zero trust to provide a foundation which can support future changes to CMMC L2, such as NIST 800-171R3, and possible FedRAMP Moderate (or FedRAMP Moderate equivalence) requirements for Security Protection Data. The past few years have shown an evolution in the interpretation of various controls, with C3PAO and JSVA assessments becoming more stringent; we expect this trend to continue as assessors become more experienced. We anticipated this and designed accordingly, so that you don’t have to expend significant energy worrying whether your solution will meet the latest requirements messaged as “insights” from the LinkedIn CMMC community. Feel free to browse our experience and education: our team has years of experience with Federal Information Systems, NIST 800-171, FedRAMP, and government procurement.
Our approach also reduces the chance of assessment failure, or of a lack of assessment readiness at a critical time for a DIB company. Presently, there is uncertainty in the CMMC ecosystem regarding whether various scenarios would be acceptable when assessed, and we aim to err on the side of caution and take the conservative approach. At Regola Cyber, we refuse to “chase the bottom” because that strategy presents an unrealistically low cost estimate for DIB companies and carries a higher risk of compliance and cybersecurity incidents. Since we primarily serve MSPs and larger DIB companies, we will not license a solution that is arguably barely compliant, goes against the spirit of the NIST 800-171R2 requirements, and requires customers to play “catch-up” before they are assessment ready. For consulting clients that are looking for a consulting opinion, we will provide such guidance on the “bare minimum,” while outlining the assessment risk of these approaches.
Can my company customize the Regola Cyber Reference Architecture?
Of course. Customers are free to license our reference implementation and adjust it as they see fit. We can review proposed changes at T&M rates if you would like consultation from an assessment and risk management perspective before you implement any deviations from the architecture.