Introduction by Kyle Lai
President and CISO of KLC Consulting, Certified CMMC Professional
We’re always looking for affordable CMMC Software solutions to ease compliance for our clients. And Anchor makes it easy to tackle some of the most challenging CMMC controls when companies must handle CUI ‘on-premises’ (e.g., Aerospace, Manufacturers, Machine Shops).
Anchor has accomplished something truly novel in data security that the prominent technology giants have tried unsuccessfully to do.
No, we don’t sell Anchor licenses, in case you’re wondering. But we enthusiastically recommend Anchor as a key component in the CMMC compliance programs we architect for our clients.
- Anchored CUI is not CUI, it is self-protecting – regardless of where it resides.
- No need for a CUI Enclave: You don’t have to physically or logically segregate it.
- Streamlined Incident Response: A system breach IS NOT a Data Breach because Anchored CUI is self-protecting ciphertext
- Implementation is fast and simple. No need to change your business processes
- Inexpensive: $192/person per year! (minimum of 10 people)
Discussion Transcript
[Kelly]: Hello, my name is Kelly Hynes-McDermott of Hynes Communications and I’m excited to be here today with Kyle Lai and Adam Bowen. Today we talk about how technology can be a solution to protect CUI – Controlled Unclassified Information and other sensitive files. So, welcome guys! First, I’d like to introduce our experts: Adam Bowen heads Sales and Growth at Anchor, and Kyle Lai serves as President and CISO at KLC Consulting.
DoDI 5200.48 Requires the Protection of CUI
To set the table: CUI requires protection as sensitive information. That is the bottom line here. And today we talk about ways that technology can help to do just that. Just as a quick aside, the loss of aggregated CUI represents one of the most significant risks in National Security. And not protecting it impacts the lives of military service members. I mean this is how deep this goes. So, the stakes are high in protecting CUI. Let’s talk today about how technology can help. Let’s begin with Kyle. So, Kyle, what do you see as the challenges for handling CUI and CMMC compliance today?
The Crucial Importance of Accurate CUI Scope
[Kyle]: Yeah, right now, the biggest thing is about scope because a lot of time we don’t know what CUI is. Oftentimes, people have CUI and are uncertain about how to handle it. I think a lot of confusion exists about CUI handling. The scope is very important. It is important to first understand scope when discussing CUI. Next, understand how to handle CUI. If you don’t know what to do, get outside help. Finally, make sure you have top management support. When you don’t have support, you lack the budget needed to implement the proper controls for handling CUI. So, these are the three biggest challenges right now that I can see.
[Kelly]: Great, yeah, all good points. Adam what challenges do you see from your end?
The CMMC Compliance Challenges Anchor Sees
[Adam]: I mean certainly all the things that Kyle said for sure. But if I didn’t look at, some of them just don’t even know where to start. Perhaps they don’t even know what scope is right. So, for example, I deal sometimes with companies that are just five people. My mom-and-pop company specialty company, maybe one of three specialized companies in the country that knows how to anodize tank bolts. Right, and so, that’s all they do. Now they have this requirement on there. They don’t even know where to start; like what’s an assessment. What’s scope. I have everything, how do I segment.
CMMC Compliance Overwhelmed Anchor Customers
It can be overwhelming. You become paralyzed in fear and can’t start anything. That’s where Kyle said outside help is a big benefit. But of course, cost paralyzes them too. Like, oh my gosh, what would that be. So, it is really a hard spot for some smaller DIB (Defense Industrial Base) customers that might turnover like maybe a few million dollars in revenue a year.
And then a six-figure cost faces them – perhaps you know in their mind, six-figure cost to try and become compliant. And they analyze: do I even just get out of this entirely, right? So, that’s a very real thing. And then also too, it’s just as you’re introducing this stuff, you know, these mom-and-pop companies have been doing it the same way for 60, 70 years, perhaps you know, it’s a generational thing. So, perhaps they’re doing it the same way their grandfather, you know, did it back in the day: taking bolt by bolt and hand dipping it, you know, anodizing it or what have you.
The Wrong CMMC Certification Software Breaks Business Workflow
But so, introducing new technology can oftentimes mean breaking like the workflow of business. You can’t do things the same way anymore. And so, you know, again trying to teach Old Dogs new tricks, that’s something that very, uh especially in the DIB I feel, uh they’re someone that’s been doing a lot of things the same way for Generations, if not decades. Their process really hasn’t changed too much. That can be big challenges for them becoming you know, adapting to these Herculean requirements that are being put on them, so.
CMMC Compliance Jargon Overwhelms Customers
[Kelly]: Right. And to your point, or both your points, is that this paralysis sets in because people get so overwhelmed with the glossary of terms: what is scope? What do I need to do first? How do I implement this into our system? I have to learn new tricks. So, for a lot of folks it’s easier just to put the whole thing off and wait until the pain point gets so great that you’re forced to do something.
We share some tips with folks on what they can do today to help streamline things and lead you down the path to CMMC compliance and greater security. These are all really good points. Kyle, so, we hear about data breaches and system compromises on the news. Every day, we hear about another data breach. Why does this keep happening?
Why are Cyber Breaches So Pervasive
[Kyle]: Attackers – they are getting more and more sophisticated. And without knowing what they are up to these days, I think it will be hard for you to protect yourself. So, there’s a lack of awareness from the defender’s point of view on what are some of the latest tactics implemented by the Cyber attackers, the Cyber criminals, right. Once you know that, you have a little bit better understanding. Then you can implement the proper controls.
CMMC Compliance Personnel Need Specialized Skill Sets
But if you’re talking about the proper controls, you have to talk about the skill sets, right. That in turn, it requires. It’s not cheap to implement cyber security. And it’s not easy to get the right skill set or have people trained up with the right skill set in-house. So, sometimes you do need to, you know, have a budget to hire the right people to do the job, right. Sometimes it includes some outside help.
But the budgeting, it is a challenge. However, you need to prioritize. For example, Access Control, or some Two-Factor Authentication, or just some Endpoint Protection. Some of these basic controls, basic foundational controls that you want to put in place to defend yourself, right. Attackers become sophisticated. So, it’s not “IF”, it’s “WHEN” you’re attacked. So, you better prepare yourself and put all the fundamental technologies and tools together.
The need to Prioritize CMMC Compliance Programs
[Kelly]: Mm-hmm, I like what you said about prioritizing, you know, and again, it gets back to the point of – you have to do it, but you sometimes have to start small, right. And you know you’ve got to deal with these things. So, if you prioritize it seems less overwhelming and more manageable to get started in this process. And also, when it comes to CUI, because there are fewer controls over CUI compared to classified information for instance, CUI is a target for malicious actors searching for weak links every day.
This is, kind of their go-to spot because there are fewer controls over CUI. So, it makes it easier for the Bad actors to infiltrate, underscoring the fact that we have to keep putting these controls in place and these protections in place. So, Kyle, what about an example of a client where they had a data breach? And as we try to get our arms around this in the real world, what does this look like? Can you share an example of that?
Kyle Discusses Recent Client Cyber Attacks
[Kyle]: Sure yeah, I’ll give you a couple of examples. So, there are more and more phishing – spear phishing attacks through third-party suppliers. And the reason is that for an attacker to attack some of the bigger companies it is very difficult because the large companies, they do have very good protection. However, they do trust their suppliers. They have subcontractors.
So, why don’t they just attack the subcontractors. Once they attack the subcontractors, their email systems for example, that’s what we saw mostly. Once they attack and compromise their suppliers email systems, they will use that supplier – their subcontractor – to send out a phishing email. For example, send out an invoice: hey we have a problem with this invoice and here is the invoice file, using this trusted email address, they send it to the prime contractor, right.
Vulnerability Comes Through Trusted Supplier Breach
And say: Here’s a problem. Then without them, you know thinking too much, some of the emails with invoice will be opened by the prime contractor’s employees. And suddenly these Prime contractors will get compromised, you know. And once their email system is compromised then they can get on to other systems that might receive ransomware, or files are stolen. So, that is something that we see more and more with our, with our customers. They don’t get compromised by the attacker directly, but they get compromised by an attacker attacking their subcontractors and they got to them.
Recent Microsoft Exchange Server Vulnerabilities
And another one is, there was a Microsoft Exchange problem uh just not too long ago. Our customer got compromised because they were late to patch their Microsoft Exchange Server. They were only late by a couple days but that was too late for them, yeah. Because once you have the exploit code published attackers are all going to jump on them start attacking using the exploit code.
And they were only two days, a couple of days late on patching. Because they think they had a week. But attackers started attacking right away. They were, they got compromised. And once they got compromised, we had to investigate what was going on with a server, what is going on with their Network. They monitor their malicious activities on their network, right. And we had to ask them to rebuild their servers. So, as you can see there are a lot of activities that have to happen. You know, investigation, forensics, and then remediation recovery.
So, there is a lot that must be done after you have a compromise. And on top of that you don’t know if there was sensitive information that was stolen. Then you must report to all the authorities and your customers, right. So, these are some things that are real that we must deal with for our customers. So, if there are more protections and more controls you can put onto your systems, your networks, the better.
Cyber Breaches Disrupt Entire Business Operations
[Kelly]: Right. I mean, you can see how this could really stop a company in its tracks you know, from a – it gets very costly. They basically can’t function as a business for a while. It takes time to remediate and to put the right controls in place. And this just compounds it when you don’t have the protection in place at the right time. And stay vigilant about that. Those are all really good points. Bowen what about you any data breach stories you want to share?
Adam Discusses Recent Client Cyber Attack
[Adam]: There’s one that always sticks out in my mind because it was almost like a “written for movie” tale right. The sequence comes out like, just there’s a terrible obvious movie plot. But I started talking to a manufacturer at one point, they’re interested in talking to us about what we do Etc.
They’re already on their CMMC Journey and you know, they said: “Hey look we’re pretty much, we’re good. We have kind of generally, we have all the things in there. Anchor CMMC Certification Software might be a nice addition but we’re pretty much, we’re finishing our CMMC compliance stuff. We just have a couple little things left to do and we’ll be done um but we have all the things you know all the protections you know anti-phishing stuff, all that stuff.”
Well sometime, we start talking to them within a couple, couple of months. We connected with them again. And what had happened was, they’d actually got compromised via some of the methods that Kyle has already spoken about in that, in that case. But in their case, they had a system that was compromised and one of the systems that was compromised was an engineer’s laptop that they used to download files that flow down from the Bigs.
Prime DoD Customer Affected
So, they downloaded that, a package that contained CUI. CAD designs PDFs and all that stuff. They downloaded it to this laptop. And then what they generally do is – they take it and upload it to their MRP system. A secured system that they used to store all this CUI. Control Access to that system was compromised. And so, when that system was compromised, even though it only existed on that system for a short period of time, that compromised system – the data was exfiltrated off of that system and out.
It was published in the public sphere. So, you talk about that. So, not only, they found out they had a system breach they didn’t know about, right. They found they had a system breach, but they didn’t know what was leaked because as Kyle said, that forensics like that’s like nigh impossible. It takes an army of people. And then how do you know what file shares and things were accessed. You simply don’t have that kind of logging and ability today generally. And so, but they found out because it was published in the public sphere. But guess who else found out?
The Department of Justice Calls!
The Department of Justice! And so, when I got on the phone with them, they actually contacted me, it’s like: “hey after I’m done doing these DOJ interviews for the next few weeks like I want to pick up the conversations um about Anchor.” But that was a big mess for them. Obviously, they don’t enjoy talking to the Department of Justice about that stuff. It cost – it was very costly for them in that breach to figure out.
Then of course they had to spend a lot of time and energy figuring out, well, what else could have possibly been affected and taken toll, so. When, once they get into one thing, we all think about – oh they hacked a system.
But it’s all the collateral damage that goes into that, really. I think there’s a metric: with an event like this, most small businesses go out of business within six months, I think the statistic still rings true. But thankfully they’re a little bit larger. And of course, it wasn’t a catastrophic failure for them. You know that’s because they have some deeper pockets. And a lot of small businesses don’t have, you know, six figures to spend on an incident response.
Cascading Effect of Cyber Breaches
[Kelly]: Right. You’re speaking to that cascading effect, right. You know you had started off by saying it was just the little things they needed to button up before they went on to the next step. And the little things unbeknownst to them, had this cascading effect that not only affected their business but also you must think about the impact on brand reputation. You know, this was shared publicly in the public eye; that they had this breach.
That kind of sends a shock wave to some of their customers to say, hmm, you know, are they, do they have everything buttoned up? You know you have a little bit of brand reputation that goes along with that too. It takes a while to recover that that trust and that loyalty from your customers when something like that happens. So, um yeah that’s a, that’s a good story to share. How could this have been different if they had the right technology in place like Anchor CMMC Software for instance?
The Difference Anchor CMMC Software Makes
[Adam]: Sure. So, like, that’s kind of why he reached out. Like they knew, like they could say, we knew that this would have been different. So, one of the interesting things is that yes, there are ways that we actually help you meet, you know, actual controls. And check the box and get to your compliance stuff. You know, become more secure. But there’s also things in CMMC that, you know they could have had all those boxes checked.
And you know Anchor CMMC Compliance Software actually prevents and provides security. There’s a difference between security and compliance. Kyle’s far more of an expert on that than I am. But what would have been in this case and CMMC doesn’t have a requirement for, is that you know if they would have had Anchor CMMC Certification Software in place, which they do now, so, they did become a customer; but if Anchor was in place back then before they had the event, then once the um there’s a few things that would have happened: one is that the data that was stolen – it would have been ciphertext.
Anchor Renders Your Data Ciphertext
And we can look at specific guidance from DFARS and ITAR both, that talk about – it’s called the encryption rule for ITAR. But DFARS talks about data that is end-to-end encrypted with FIPS validated encryption is not CUI, right. It’s ciphertext. It’s ciphertext, it’s not CUI. And so, those attackers in that case would have just stolen ciphertext. So, no information would have been at risk.
Stolen Anchored Data is a System Breach, not a Data Breach
They would have had a system breach but not a data breach. So, that would have been huge for them. Um you know there’s a lot of traffic we could talk about, like the things they would have had to do. But, so, that wouldn’t, so, that would have been great. So, talk about reputation damage, uh it would have been preserved. There would have been no Department of Justice interviews. So, I’m sure they would have viewed that as a big thing that’s incalculable.
Anchor Eases Incident Response Burden
But then also too, their ability to respond to it would have been near instantaneous because – once all once data is protected by Anchor, every access is logged. So, uh they would have been, easily been able to go and say: “this system was breached show me a log for the last 72 hours of every piece of CUI that was accessed via the system.” And they would have known the possibility of “X” amount of data files were in place.
I think we have roughly about a million files protected by Anchor CMMC Software now. So, out of a million files they would have said: “oh these five are potentially at risk. Now let’s go figure out if those five were actually exposed.” And generated the report in less than 30 seconds that they could have attached to their incident response and been done with the whole kind of, whole kind of thing. One person in a matter of seconds rather than an army of people for weeks to do the incident response. And costing them no doubt, easily, to estimate – thousands of dollars in that incident response. So, yeah simple.
What Anchor CMMC Software does
[Kelly]: I’m going to transition, that’s a great segue, into – tell us a little bit more about what Anchor CMMC Certification Software does. I mean you sort of walked us through the steps of how you would have helped this particular company. But I think it makes sense to hear a little bit more about what Anchor CMMC Software does at this point.
Anchor CMMC Software Bakes Invisible Protection into your Data
[Adam]: Sure. So, you know basically, you know traditional I.T. controls focus on uh locking down networks, devices, and people. All the things around data and the name of protecting data, they kind of fail in two major aspects: one is, once files are removed, shared, or stolen – just like in that example I gave a second ago – those data controls no longer apply. But second – a lot of these things just get in the way and interrupt business workflow or stop the way business behaves.
You get this constant war on that. So, Anchor CMMC Certification Software actually bakes invisible protection into the data itself. That way, wherever the data is used, wherever it travels, it’s always protected. Like the example I gave, even if the Anchored data was stolen from the customer and put into, I don’t know where it went, to we’ll say Russia because they’re the Hot Topic right now, that all they would have been taken was ciphertext.
Anchor CMMC Software Does 3 Things:
And since Anchor CMMC Software- what we do is three things to protect the data:
FIPS Validated Encryption
First is we encrypt it transparently with FIPS validated encryption. So, whatever state it’s in, it’s always in that state. That’s what helps us check the mark for DFARS and ITAR. And what they describe as self-protecting CUI. So, we – every piece of uh CUI that is anchored is uh transparently FIPS validated – encrypted.
Multi-factor Access Control
We combine that with multi-factor access controls that are constantly checking. For example, Kelly, that you’re in the office using your office computer on Microsoft Excel and looking at the financial spreadsheets. The minute or the second you’re now in a Starbucks for an example, Anchor CMMC Certification Software closes that – those documents down because you’re not passing the authorization controls. And it’s always a fail-closed system because it’s zero trust. So, trust is never implied; continuously checking. You go back to the office you’re good again, right.
Anchor CMMC Certification Software Creates Granular Access Logs
And all that activity is logged. That’s really the third part that brings this. Every anchored CUI, since we’re talking about CUI in this case, has, it has a granular access log that says, you know, that Kelly accessed it when she was using Microsoft Excel. Here’s her geographic location, if you know, if that’s one of the things in there, and has a record for each and every single one of those; including a line that says uh we revoked Kelly’s access because she’s using Starbucks.
Okay it doesn’t say you’re in Starbucks but basically said we revoke your access because she’s not in the office, right. So, those three things together are continually being enforced. That means basically, now each piece of CUI is kind of what they call self-protecting using DFARS term. That’s what we do. And we do it without you having to set up a special Enclave, without you having to change your existing IT controls and workflow. And all this is invisible to the end user.
So, no funky right click menus, no change of extensions. You double click a spreadsheet today to open it Kelly, you double click the spreadsheet tomorrow to open it. Nothing changes in Anchor. So, that’s kind of our superpower if you will, is the transparency to the end users like antivirus.
What is Ciphertext?
[Kelly]: Yeah, it sounds very user friendly. And also, if somebody were to steal that data and try to get it on their machine it would come in as gobbledygook, right? They wouldn’t be able to read it, do anything with it because that would be all gibberish?
[Adam]: Yeah, it’s always ciphertext, right. The only time that is made available in plain text which is the way we like to use and work with data, is the individual would have to be on the right device in the right system, be enrolled in passing all these authorizations; you know transparent authorization things that are going on in the background. And only for that individual user during that time. It’s, you know, made to use so, it’s “open to spreadsheet.”
Otherwise, it’s always, always ciphertext. So, it’s, with Anchor CMMC Software it’s never a matter, since it’s zero trust for file access, it’s never a matter of: “how does Anchor know to lock it down?” Your CUI is always locked down. The question is then, how does Anchor know, you know, how to – how to make it available, you know, in plain text? And that’s what we’re talking about the all – with the multi-factor access controls.
Anchor CMMC Software Helps with CMMC Compliance Heavy Lifting
[Kelly]: Yeah, all good stuff. So, um Kyle how can you see this is a great example of technology in cyber security today and CUI protection. How do you see new technology increasing as a trend to help SMBs deal with protecting sensitive file protection, what’s going on in the technology space today?
Anchor Helps Protect Against Insider Threats
Access Control
[Kyle]: Access Control is one of the big requirements, um you know, about one-fifth. About one-fifth of the requirements are in Access Control. And then over the right Identity Authentication in place. That’s definitely one of the challenges: how do you put the proper Access Control on the files, so, only people with the proper authorization can access those files. So, you know, it’s become challenging. And how do you know if they have the files, that they are not copying anywhere right?
Protection against Insider Threats
Insider Threats. They copy to their own devices before they leave the company, right. They can copy it to their hard drive, and they’ll leave the company. These are some of the challenges Anchor CMMC Certification Software is solving for these kinds of scenarios. Especially Insider threats. Nowadays you hear on the news, right, all these -all these larger companies, right, they’re in the defense contractors as well. When they move to another company, they start downloading a lot of this information.
Obviously, you want to have some kind of a detection. Network detection – to say oh hey – there are some weird activities going on for this person. That may come AFTER the facts. When you find out the files might already have left your company, right. So, you want to have that layer of protection. And Anchor CMMC Certification Software has that type of protection in place. Yep, you define the place that you should store. There’s an authorized place to store that information. The files then, they should not be able to move to another place that’s not authorized. So, yeah those are one of the big advantages for Anchor. And really make sure that files stay where they’re supposed to be.
Anchor CMMC Certification Software Helps with Work-From-Home Scenarios
[Kelly]: Right. And this is incredibly important as the workforce will continue to change over. People leave, they leave jobs. They’re also working remotely. So, all the more important to make sure. With the digital information that’s out there, that we’re doing everything we can to protect it. And Technology goes a long way in helping us do that, yep. Adam what kinds of NIST controls does a company like Anchor CMMC Certification Software handle?
NIST 800-171 and Anchor
[Adam]: Sure. So, um, there’s over 27 NIST controls uh that Anchor CMMC Certification Software directly addresses for customers. We share with them our security architecture. Anchor gives them a shared responsibility Matrix. I think that’s going to be required of every company here in the future. But we’re very proactive on this. We realize we have a larger base of our customers in the CMMC, uh you know, “Zone.” They’re OSC: Organization Seeking Certification.
So, we produce that automatically for those 27 controls. Like, almost all of them. I don’t remember the exact number it might be like 25. But all but a couple of them, we fully address, right. And then only a few of them we partially address. So, this is a great win for people on that. We share that.
Three Ways Anchor CMMC Certification Software Helps Customers
While we’re talking on that subject, the big kind of main three things that we help customers with from a CMMC compliance perspective – we talked about stopping the data exfiltration. There’s not actually a CMMC requirement to, like, not allow your data to be exfiltrated. Sounds crazy, but you know that’s kind of bonus on the cake – or icing on the cake – but the three areas we help to see them in CMMC compliance is:
Anchor Reduces CMMC Compliance Complexity
First reduce complexity. So, you don’t have to, you know, we can protect CUI wherever it’s at on your existing file servers. If it’s on laptops and on servers, it doesn’t require you to have to try and get everything organized into one location first to do it. You still might want to do that, but it doesn’t require it to actually protect that CUI.
That CUI can be self-protecting wherever it lives because of the way we Implement our technology. We don’t have to buy them expensive storage to do it, or a particular type of storage. You can have like GCC High, you can also have file servers, you can also have devices even mobile devices, and Anchor CMMC Certification Software can make sure CUI is protected wherever it’s at, and support if you want to actually move it all together. So, that helps eliminate a lot of complexity.
Anchor Reduces CUI’s Scope
And then second thing is, it reduces scope significantly. Because once CUI is anchored only devices – only the intersection of a device, person, and the other authorization can access controls on that, is the only manner in which that CUI can be accessed. So, if I have like five, let’s just say, oh I have thousands of devices on my network, and I’ve anchored all my CUI. I only have five laptops and five phones. We’ll say that I have the Anchor, uh Anchor you know, agent or enrolled for Anchor CMMC Certification Software on it.
Then those are the only ten that are actually in scope for “X” for accessing that CUI either as a CUI asset or even a contactor, a contractor managed risk asset. That’s because nothing else could even incidentally be used to access those CUI files because it simply cannot without an Anchor agent on it. So, until that happens, it’s you know, it’s kind of out of scope in that perspective. So, it can really simplify um that, especially for organizations that have both a CMMC side of the business and a commercial side of the business as well.
Anchor CMMC Compliance Software Eases Incident Response Burdens
And then the third thing is again I think we talked about earlier is just the Incident Response: being able to just uh, in a few seconds that you do have a breach, as Kyle stated, is not a matter of “IF” but “WHEN”, you’re able to quickly go and generate a report. And even if things are compromised, you have a quick report saying okay these six things are in scope and not you know almost a million things could possibly be in scope. In that – so, that’s kind of how we the NIST controls and CMMC at large, how we help customers in that specific vein.
[Kelly]: That’s a great overview, thank you. Um sounds very comprehensive – user friendly and comprehensive too. You’re covering all the bases there.
[Adam]: We try.
How KLC’s CMMC Compliance Consulting Meshes with Anchor CMMC Software
[Kelly]: Kyle, how would working with KLC and Anchor CMMC Software help me as a client? Say I’m a manufacturer or Aerospace or one of our clients, how would this partnership help me?
[Kyle]: Right. So, KLC, we help our customers identify the CMMC compliance gaps, right. We identify what are some of the deficiencies. And we will recommend the proper Solutions and one of the things that we like about Anchor CMMC Certification Software is that when it comes to the file protection, digital Rights Management, I know it’s an older term, but these are some of the things I’ve been looking for since 2006 right when I was working for one of the big financial companies.
At that time, I was looking for solutions. The solutions were out there but they were bulky, they are not easy to implement. When it comes to uh sharing the data with other third parties it became impossible. And like what Adam was saying, it has to be intuitive; something that you can Implement fairly quickly.
Anchor Pioneered Modern CMMC Compliance Software
Back then there are no, not really a Cloud solution that was very easy. This now is something that I see that can very quickly improve the CMMC, NIST 800-171 compliance level, right. Access Control – it will have to have file encryption; you will need to have CUI encrypted. You need to have the file control, and need to have this, you know sensitive files Access Logging, right. CUI Access Logging and monitoring. So, all these are some things that are not easy to implement. And Anchor, they can say: yep, we actually have all these controls in place. So, that instantly gives a big boost in compliance for the smaller companies that really lack this type of Access Controls, Encryption, and Monitoring, right.
Anchor CMMC Certification Software is Easy to Implement
And it also has to be intuitive. And the tools are not really useful if they’re, if the company cannot really implement it quickly and it’s too hard to use, right. So, that’s what I like about Anchor. And it’s something that you can actually implement quickly. If the files are stolen, you don’t have to report to DoD and say: “hey the file is stolen” because the files are encrypted. And that becomes less of a burden, less of a worry if there’s a problem. If there’s a compromise, you know, we want to make sure that files are still protected.
The company, the network could be compromised. But we can be sure that, hey, we have demonstrated that the files, they stay encrypted. If they are stolen, they’re encrypted, right. So, that is something that is very, very big deal when you have to go through a data breach. You know, a security incident investigation, forensics with the DoD – that is a big deal, right. It’s going to take your time and energy.
Synergy between KLC Consulting and Anchor
[Kelly]: Right, yeah, yeah; to be avoided at all costs, exactly right, right. So, as you pointed out Kyle our goal together at KLC and Anchor is that we try to get our clients the most up-to-date Information Technology Solutions and services in an expedited time frame. We want to be able to get them those Services very quickly. Those Solutions show very quickly that are user friendly so, there isn’t a big ramp up to learning how to do this or how to implement it.
And then people would be more, uh, readily to adopt that into their systems. They also need it to be at a competitive price, you know um, I think some people think that this is going to cost, you know, exponential dollars, hundreds of thousands of dollars, in order to put the most basic programs into place. And we’re going to hear a little bit about, um you know, an example of costs around this. But you know the important thing is that we work together to help people with their gaps. And then provide the tools that they need in a, in a user-friendly way. So, that they can keep their CUI protected.
Anchor CMMC Certification Software and Aerospace, Manufacturing, Engineering and Machine Shops
Um so, Adam, we talked a little bit about clients and I’m just wondering I’d like to hear from you about Aerospace and Manufacturing, engineering, machine shop companies, these are all examples of companies that we work with all the time. And they face obstacles in protecting their CUI. So, you touched on this earlier, but I want to hear a little bit more about how Anchor CMMC Certification Software helps with these kinds of clients in particular.
[Adam]: Sure. I mean I’d say you know we touched on like say we touched on some of that earlier. But I’d say you know, half of my, over half of my um customer base is from these sectors. And the reason like, there’s kind of like this Affinity; almost like this, this magnet or moth-to-the-light-flame type thing going on here, is because – not because like we do you know anything special or unique for manufacturing or Aerospace. But because the way our technology is, we’re agnostic to any file type in any application.
So, you can look at, you might even – listeners here might have been like: “well how’s that different from X and Y?” Like the biggest, you know solutions that they’re comparing in their head, the biggest thing is that we’re not unique to any particular type of product.
Anchor CMMC Compliance Software is Industry Agnostic
So, you can look at some products that are great at just protecting PDFs, or just great at protecting office documents but not great at protecting things that exist in – I call Legacy style businesses, like that have unique bespoke line of business applications. So: AutoCAD designs, custom MRP applications, ERP applications – those types of things.
Anchor CMMC Certification Software is kind of agnostic to the application of what’s going on, we protect all these things the same way. So, being able to give you the same type of technology and like, it’s called a digital Rights Management though it is a dated kind of term. But being able to kind of extend all those same types of protections that you’ve been able to do for like, say Office for a decade, is now even, you know an enhanced version of that is now even available for just your CAD designs, your intellectual property.
Anchor works well with Legacy Software and Systems
Right, the things your back ends of your MRP systems, etc. Where all this sensitive data is stored. So, that’s a huge benefit for them because not only do we actually bring protection to the things that were just underserved right, in their industry. But it’s also, it’s the same protection scheme that they can use to protect everything. So, it doesn’t mean they have to have a separate tool to protect CAD, and a separate tool to protect MRP, and a separate tool to then, to also protect their Office documents, right, for an example.
So, this is huge for people looking trying to reduce complexity not just for the end user but for the IT staff; which you know all, or a good portion of my customers in the smaller end don’t have an I.T staff. Their I.T staff is their nephew, right. So, like you know so, that Simplicity is super key in that. So, they want to just anodize tank bolts using that example from earlier, all they want to do is continue to anodize tank bolts. Not have to all of a sudden become you know, uh Information Technology experts right. So, that’s how we kind of help in those sectors.
How much Does Anchor CMMC Certification Software Cost?
[Kelly]: Yeah, that’s great. Thank you for clarifying that, sure. So, this all sounds kind of expensive, how much does this cost?
[Adam]: Yeah, well like for our listeners, if they act now, we have operators standing by for a special discounted price. Right um, but seriously though, there’s one of the things that you know: simple, transparent, and affordable – those are like our three key values here at Anchor. Very straightforward, our list price for end users is just 192 dollars per person a year, with a minimum you know, a minimum of 10 users.
So, to continue the example like we have the mom-and-pop shop up again, I’m using this as an example: there are like five or six people that are using Anchor CMMC Certification Software protecting their CUI assets for less than two thousand dollars a year, right. So, like and I have customers that have customers in the Enterprise that are like thousands. And you know, anywhere up from that. But we’re affordable.
Anchor CMMC Software Scales from SMB to Large Enterprise
We’re as accessible to the mom-and-pop company as we are to large Enterprises right. So, less than two thousand dollars a year. They’re doing that at our, at our list price. And our solution is, it’s pretty, again: simple, transparent, and affordable – from the time they get in there and we start with them, they’re fully on board, trained, and like “Off-to-the-Races” and like back to business. Like not seeing anything you know, in the way – in less than 60 minutes.
So, we’re talking about a mom-and-pop coming, they know nothing about IT, you know, their nephew runs IT, like making sure their stuff’s up and running; they’re just you know, 60 Minutes of their time and they’re back to anodizing tank bolts. Their book of business continues and they’re not thinking about this anymore right, from that perspective. So, like that’s the big key thing uh for us, is that transparency and that Simplicity is what really separates us uh apart.
Anchor CMMC Certification Software – Helps with CMMC’s Heavy Lift Requirements
[Kelly]: Right, well that’s, you presented really good information, really good to know. And um, and super helpful because to your point you know, some of the larger companies have a built-in technology department and they deal with these kinds of things all the time. Where if you get a SMB or a mom-and-pop shop who are doing it on their own, to have something that’s very user friendly like this and is very effective and affordable is really the kinds of things that we at KLC like to share uh with folks out there. And with our clients too, as we try to get better; better at what we do and combat the threats that are out there. So, we’re happy to share that.
Thank you, Adam Bowen from Anchor
So, I wanted to thank both Kyle and Adam for joining today. I thought there was a lot of great information shared. And some really good examples of what’s going on out there. And what people can do. It seems to me too, as we’ve had this conversation, that we can’t underscore the importance of being proactive, right. I mean we hear about all these data breaches every day. And we hear about the: “oh I should have done this, or I needed to do a little bit more and I didn’t get around to it. Or I was paralyzed with fear about it so, I did nothing” but just taking the small steps to be proactive, this is my public service announcement, there seemed to be this Common Thread about being proactive.
So, that is that folks; don’t have to be reactive and take all that time and cost and energy that it takes to basically have their business shut down while they deal with a data breach. And there are some really simple steps and consulting solutions to bridge those gaps that we’re here to offer. So, thank you both, for sharing your expertise with us today, it was great. And if you have any questions out there for Kyle or Adam, please feel free to reach out to us and we’ll have the information on the screen. And I’d like to thank you all for joining us today, thank you.
[Kyle]: Great, thank you.
[Adam]: Thank you.