The U.S. Department of Defense (DoD) published an Advance Notice of Proposed Rulemaking (ANPRM) on November 17, 2021 which previewed significant changes to its Cybersecurity Model Certification (CMMC). The changes will take effect in 9 to 24 months from November.

CMMC 2.0 represents DoD’s response after an internal review prompted by over 850 public comments to the September 2020 “CMMC 1.0” interim rule. While changes are in progress, the DoD will not include CMMC requirements in its solicitations. Contractors are advised to continue to follow the current cybersecurity “assessments framework,” which focuses on compliance with National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171 controls and the Basic Assessments required.

The revised program structure and requirements were created to meet the goals of the internal review.

• Encourage accountability while minimizing barriers to DoD compliance
• Protect sensitive information to protect and enable warfighters
• Establish high professional and ethical standards to maintain public trust
• Contribute to a collaborative culture of cybersecurity and cyber resilience
• Enhance DIB cybersecurity to meet changing threats

What is the CMMC program?

The Cybersecurity Maturity Model Certification (CMMC) program protects sensitive, unclassified information shared by the Department with contractors and subcontractors by enhancing the cyber protection standards of companies. It integrates requirements into acquisition plans and gives the DoD greater confidence that subcontractors and contractors are in compliance. The three key features of the framework are:

• Tiered Model: Companies with access to national security information must practice cybersecurity standards at progressively higher levels depending on the nature and sensitivity of the data. There is also a proper process for how information should flow down to subcontractors.
• Assessment Requirement: CMMC assessments enable the Department to verify compliance with cybersecurity standards.
• Implementation via Contracts: Certain DoD contractors who handle sensitive, unclassified DoD data will need to attain a specific CMMC level in order to be eligible for contract awards after full implementation of the program.

Overview of CMMC 2.0

CMMC 2.0 will replace CMMC 1.0’s five-level model with three levels of progressively increasing cybersecurity requirements. Each level is keyed to independent standards (e.g. Federal Acquisition Regulation (FAR), NIST requirements). The new model also increases third party assessor oversight and eliminates CMMC-unique practices and “maturity” requirements.

Improvements to the CMMC model include:

More Speed and Flexibility – Allows waivers of CMMC requirements and lets companies create Plans of Action & Milestones to obtain certification under certain circumstances.

Less Expensive – Allows all Level 1 (Foundational) and a subset at Level 2 (Advanced), to show compliance through self-assessments.

Streamlined Requirements – CMMC 2.0 focuses on the most critical requirements, reducing the model from 5 to 3 compliance levels.

Use of Widely Accepted Standards – The model now uses National Institute of Standards and Technology’s (NIST) cybersecurity standards and removes CMMC-unique practices.

More Accountability –  Increases oversight of professional and ethical standards of third-party assessors.

New CMMC 2.0 Controls and Requirements

These are the new requirements for tiered entry in the three-level model:

CMMC 2.0 Level 1 – “Foundational“

Level 1 must match the same 15 controls as FAR52.204-21 “basic” controls to protect Federal Contract Information. There are annual certifications and self-assessments by company leadership. This is essentially the same as the previous model.

CMMC 2.0 Level 2 – “Advanced”

CMMC 2.0 Level 2 is based upon the old CMMC 1.0 Level 3. However, the new Level 2 CMMC control lowers the number of required controls to 110 controls in the SP 800-171 Revision. 2 (NIST SP 800171). This eliminates 20 additional CMMC 1.0 Level 3 controls.

There will be a division between “prioritized” and “nonprioritized” acquisitions based on the sensitivity of information involved. An example of a prioritized acquisition might be one that includes Controlled Unclassified Information (CUI) related to weapons systems. A nonprioritized acquisition might include CUI regarding military uniforms. Details about prioritization will be released in future rulemakings.

Prioritized acquisitions will need an independent third party assessment (C3PAO) every three years. Nonprioritized acquisitions only require an annual self-assessment and certification.

CMMC 2.0 Level 3 – “Expert”

Level 3 of CMMC 2.0 will replace Levels 4 and 5 in CMMC 1.0.

Most importantly, acquisitions at the new Level 3 “Expert” level will require triennial government-led assessments. In addition to the 110 controls that are required for the new Level 2 certification, Level 3 certification will require compliance with NIST’s SP 800-172.

How to Prepare for CMMC 2.0

Cyberattacks on the Defense Industrial Base (DIB), are becoming more frequent and more complex. Therefore, cybersecurity is a priority for the Department of Defense. The DoD created the CMMC program in order to protect American ingenuity as well as national security information. Its purpose is to improve DIB cybersecurity to better meet evolving threats and safeguard the information that supports and enables warfighters.

The DoD encourages contractors to improve their cybersecurity posture during this transition. To assist DIB companies in assessing their cybersecurity readiness and implementing sound cybersecurity practices, the Department created Project Spectrum.

As rulemaking is underway, the Department plans to suspend current CMMC efforts and will not approve CMMC requirements being included in DoD solicitations.

Once the rules become effective, companies will have to comply, and the rules will be open for public comment. The DoD says it will seek out opportunities to engage stakeholders as it moves towards full implementation as participation by stakeholders is crucial to achieving the goals of the CMMC program. 

In 2008, we started working on a peer-to-peer cloud-alternative platform called Tonido, which eventually powered our tiny TonidoPlug computer, various white-labeled OEM HW solutions and was adopted by use by hundreds of thousands of users across the world. While adoption was great, it was difficult to grow the business in this particular market and things were looking dim.  However, one thing we got right from the early days was listening actively to our customers and they were telling us one thing loud and clear. They loved Tonido but wanted the power and flexibility of the platform for their business and we listened. We released the first version FileCloud in 2012 and the rest is history.

Now 7 years in, with thousands of happy enterprise customers, it is improbable and almost impossible to imagine our growth given we were bootstrapped all along growing fully only on sales revenue generated. What started as a secure and personal cloud solution for business has now grown to a robust, scalable, secure, and compliant platform that powers large manufacturing, finance, and insurance businesses as well as military and government organizational content management solutions across the world.

While we could continue to build FileCloud organically using the same product-led growth, we realized that the breadth of customer problems that our product solves needs widespread market awareness and we need to bring the benefits of FileCloud’s solution to more customers quickly. If we could with almost zero marketing spend and no outbound reach win very large customers, there is a huge untapped market for a hyper-secure and compliant content management solution that is FileCloud.

That is why I am happy to announce that FileCloud has raised a $30 million Series A led by Savant Growth Fund I LP with participation from Kennet Partners and an additional $10 million growth capital facility with Avidbank.

I would also like to welcome Ray Downes as our new CEO and Peter Melerud as our new Chief Revenue Officer. Ray is not only an accomplished leader (previously CEO at Kemp and exited recently), but he also fully shares my core beliefs in providing value to customers, taking care of people, building a scalable business, and doing it all with integrity. I am happy to have him lead us to the next level.

I will step down as CEO and transition to my new role as President & CTO being responsible for technology and product strategy and execution. I will continue to serve on the board. The existing management team will continue in their current roles.

All of this wouldn’t have been possible without the hard work from the incredible people at FileCloud including the original founding team and some of my closest friends (who were crazy enough to believe in the vision), to some of the smartest, warmest, and incredibly talented people we have hired as we grew. I am extremely proud and thankful to have you all alongside this part of our sometimes arduous and oftentimes challenging journey as a bootstrapped company and the complete trust you had in me to lead you all.

To all of our customers who trusted us with your business, thank you! We have always been about serving customers and providing a best-in-breed product and best-in-class support, solutions, and service. This investment allows us to redouble our efforts to do much more and we will continue to make your satisfaction our biggest priority. I know that every company claims to be customer-centric, but our company’s DNA is based on deeply understanding customer pain and solving it elegantly.

While the bootstrapped part of our journey is over, the next part begins, and I cannot be more excited at the future growth and opportunities that lie ahead for all of us. While I am proud of the work that has been done and the problems we have solved, I firmly believe that we have only got started and there is plenty more to do.

Let’s continue to make that ‘dent’ in the universe.

Cheers!

Madhan Kanagavel
Founder

• Kennet Partners also participated in the round, along with a $10 million growth capital facility with Avidbank
• Ray Downes joins as CEO, Peter Melerud as Chief Revenue Officer—both from Kemp Technologies
• Funding will accelerate innovation and global market expansion

FileCloud, a leading, hyper-secure content collaboration platform used by enterprise organizations around the world, today announced that it has raised a $30 million Series A led by Savant Growth Fund I LP with participation from Kennet Partners. In addition, the company raised a $10 million growth capital facility with Avidbank. The investment will support the company’s continued innovation and rapid market expansion, both domestically and throughout international markets.

FileCloud also announced the addition of two notable industry veterans to lead its expansion efforts. Ray Downes joins the company as Chief Executive Officer after a decade leading Kemp Technologies, a former portfolio company managed by Savant Growth’s investment team. Joining him will be Kemp co-founder Peter Melerud as Chief Revenue Officer, spearheading FileCloud’s go-to-market initiatives. Under their leadership, Kemp transformed from an SMB-focused load balancer vendor to a market-leading application experience company that was acquired in November for $258 million by Progress Software (NASDAQ: PRGS).

In addition, Eric Filipek, managing partner and co-founder of Savant Growth, will join FileCloud’s board of directors.

“Savant Growth’s investment in FileCloud is a testament to its many years of impressive organic growth,” Filipek said. “The company represents an excellent opportunity to partner with an impressive founding team and seasoned leadership with whom I have worked to realize substantial stakeholder returns.”

“This Series A funding comes at a time of rapid growth for FileCloud and will help us capitalize on the increasing market opportunities to meet escalating customer demand,” said Madhan Kanagavel, founder, president and CTO. “I am incredibly proud of our success bootstrapping the business to where it is today, and I can’t wait to begin this next phase of our journey. We are excited to partner with the new investors and welcome the arrival of Ray and Peter as they join our leadership team.”

“Our market research showed the content collaboration and secure file sharing space is evolving at an accelerating pace and has been in need of an innovative entrant like FileCloud to address the specific demands by enterprises around security, compliance and workflow automation,” Filipek said. “From the very first engagement with Madhan Kanagavel and his founding partners, we saw firsthand their passion and focus on solving complex customer challenges that resulted in FileCloud maturing into a unique, highly capable CCP platform.”

For more information about FileCloud and Savant Growth, please visit www.filecloud.com and www.savantgrowth.com.

About FileCloud

FileCloud is a hyper-secure content collaboration platform (CCP) that provides industry-leading compliance, data governance, data leak protection, data retention, and digital rights management capabilities. Workflow automation and granular control of content sharing across most enterprise platforms are fully integrated into the complete CCP stack. The platform offers powerful file sharing, sync, and mobile access capabilities on public, private, and hybrid clouds. FileCloud is headquartered in Austin, Texas. FileCloud is used by millions of users around the world, including top Global 1000 enterprises, educational institutions, government organizations, and managed service providers. For more information, visit www.filecloud.com.

About Savant Growth

Savant Growth is a data-first growth equity firm that invests in bootstrapped, founder-led, high-growth B2B SaaS and tech-enabled services businesses. The firm combines 30 years of investment experience with a data-driven, entrepreneurial approach to bring together talent, companies, and capital for transformational outcomes in large, high-growth markets. The firm uses SaleSavant, its proprietary natural-language processing and machine learning software to help identify companies and teams that match its success predictors for its portfolio. Savant Growth generally targets companies with annual recurring revenue of $5 million to $15 million and typically invests in both minority and majority positions of $10 million to $50 million as the first institutional investor. Savant Growth believes it provides unique operating leverage to portfolio companies with its proprietary software and services for prospect identification (SaleSavant) and engineering resources to augment development initiatives (DevSavant). For more information, please visit www.savantgrowth.com.

At FileCloud, we’re always working to make sure our system fulfills the security requirements of companies and organizations, specifically compliance with government regulations. To accomplish this, FileCloud offers top-notch security features such as virus and ransomware protection, advanced digital rights management and folder permissions, and DLP and two-factor authentication. Additionally, FileCloud’s compliance dashboard helps compliance officers and administrators remain in line with ITAR regulations and will soon also provide support for GDPR and HIPPA requirements.

Now, it is even easier for government agencies, specifically the US DoD (Department of Defense), to run FileCloud in accordance with their guidelines because it can now run on RHEL 8 with DISA STIG Profile.

What is DISA?

DISA, (or The Defense Information System Agency) is a combat support agency that supports the DoD specifically with IT and communications (essentially how information is distributed, managed, and organized).

Every organization has different internal regulations and requirements, and governmental agencies often have more than usual, specifically for the security of the US and its government. That’s where STIGs come in.

What are STIGs?

STIGs (or Security Technical Implementation Guides) are guides that DISA releases specifically based on use of an application within DoD agencies. These guides essentially tell anyone working for the DoD how they must handle the software and systems they use.

DISA puts out and maintains hundreds of STIGs to ensure DoD information is being kept and shared securely.

These regulations might seem like a lot of work, but these STIGs allow developers and administrators to properly maintain software and hardware, update protocols, and even identify security weaknesses or issues in code.

There are three different DISA STIG categories organized from the severity of risk (that could result in intense consequences if not taken, including loss of life, mission failure, and not being able to operate) to less severe risks (like increased vulnerabilities, delays, and inaccurate information).

Essentially, if FileCloud needs to be run within the DoD (based on how the DoD agency wants to use FileCloud) DISA gives the agency a list of STIGS to comply with in order to run FileCloud while still following regulations. This includes being able to run FileCloud within RHEL 8 as long as the STIGs are followed.

What is RHEL 8?

RHEL 8 is developed by Red Hat, and, according to Red Hat, “gives organizations a consistent OS across public, private, and hybrid cloud environments. It provides version choice, long life-cycle commitments, a robust ecosystem of certified hardware, software, and cloud partners, and now comes with built-in management and predictive analytics.”

This, in essence, turns on controls at the OS level. With specific controls on, the OS limits application installing, running, and even forces certain behaviors on the application.

DISA recently worked with Red Hat to develop and release a STIG for RHEL 8 that is approved to run within the DoD as long as the STIG is properly followed.

How Does this Apply to FileCloud?

As always, we want FileCloud to be useful and compliant within all companies and organizations, and specifically within the DoD. Prior to enabling FileCloud to run on RHEL 8 with DISA STIG controls, we had already worked on similar capabilities, such as running FileCloud on Centos with FIP-140 control enabled at the OS level, so we knew it was possible.

Why We Did It?

At FileCloud we encourage all our employees to speak up, from marketing to sales, and one of our amazing sales team members saw the need for FileCloud to run on RHEL 8 with a DISA STIG profile.

The problem was brought forward, and our sales team worked with our development team in order to find a solution. Ultimately, we were able to make it so that FileCloud can be installed on RHEL 8 with DISA STIG controls on.

What this Means for The US Department of Defense and FileCloud

As we said at the beginning of this blog, we’re always working to make it easy for users to use FileCloud. Sometimes this means adding new features like Workflow Automations and an ITAR Compliance Center, other times it means working within DISA STIGs in order to make it easier for DoD agencies to use FileCloud even within their regulations.

Now that FileCloud runs on RHEL 8 with DISA STIG controls, it’s easier than ever for the DoD to use FileCloud’s secure storage and file sharing system, along with its other impressive benefits and features like advanced DLP, integrations with systems like Microsoft Office, Teams, and Only Office, and Metadata management and personalized branding.

Workflow Automation 

Workflow automation refers to the creation, deployment, and management of business processes using pre-defined rules. People can use workflow automation to standardize work, and it allows for business rules and compliance to be met. It also eliminates human error and ensures transparency and accountability at all stages of the process.

Even though we are on the verge of realizing that people can automate their daily processes, most current workflow tools are too rigid and complex, tied to IT, or both. Existing workflow tools have these unappealing characteristics because they are not designed for business users. Implementing workflows using many existing tools is also a failure because they restrict workflows to the environment rather than their extended enterprise.

This is where Box Relay and FileCloud Workflows come in. Both are workflow automation tools built with the business user in mind. We will first look at Box Relay, though the two products are similar in what they offer.

Introduction to Box Relay

Box provides Cloud Content Management (CCM), and Box Relay is a core product in the Box platform that automates content-centric workflows.

Box Relay lets users create workflows and keep multiple business processes under control in an easy-to-use manner with its simple interface and no-coder approach. Businesses can automate repetitive tasks and streamline business processes like contract approvals, content review, and onboarding. A conditional logic feature, in particular, allows users to route content by using multiple metadata fields. The software also facilitates real-time collaboration among business partners, vendors, clients, and other business entities, allowing the flow of relevant business content. 

Relay allows the business user to automate redundant procedures, reduce work, and lets IT focus on other value-added tasks. It achieves this by automating content-centric business processes right where the content is. Box Relay’s content-centric workflows make it easy for business users to automate tasks that would otherwise take too much time and effort. Box Relay’s “if that, then those” statements are a simple, no-code way to build a codebase. The statements include many fillers to create triggers, conditions, or outcomes that all together form the desired automated process. Box even offers pre-built workflow templates, which cover multiple use cases – Marketing, Sales, HR, and Finance and Operations.

Box Relay is not an IT-dependent service, but it helps IT empower business users with the right technology to increase efficiency and drive business processes. IT is not able to understand the use cases of business users better than themselves. Relay’s design allows business users to collaborate with IT in creating automated processes.

Box Relay Features

Now that you have a basic understanding of how the software works, we will look at Relay’s specific features.

No-code Workflows: Users can build business workflows without extensive coding knowledge.

Pre-made Workflow Templates: A collection of pre-built templates helps quickly create common workflows for finance, human resources, legal, legal, marketing, and sales. Users can customize them, and the library covers at least 24 different business uses. 

Workflow Ownership Transfer: This allows the transfer of workflows between users. Workflow transfer is helpful to adapt quickly and efficiently to organizational changes such as job/role shifts. Users could also use the feature to transition workflows from IT to business users.

Workflow Trigger API: This API lets third-party apps trigger workflows. This feature is handy for business processes that involve a lot of client interaction, making it easier to automate client interactions even if they don’t involve the Box platform.

Summary Dashboard with Export: Users can track progress with one dashboard to view all workflow history. Box Relay also provides an exportable audit history that shows the status of each workflow. Administrators can monitor access rights for workflow generation and the oversight of business processes.

FileCloud Workflows Introduction and Comparison 

FileCloud is an award-winning enterprise file sharing, sync, and backup solution (EFFS). FileCloud Server is a self-hosted solution that provides complete data ownership, residency, and control. It allows enterprises to create and manage a Dropbox or Box-like file storage and sync system integrated with their IT infrastructure. With Filecloud Online, FileCloud hosts data on the company’s world-class infrastructure in the customer’s region. 

FileCloud Workflows is FileCloud’s workflow automation tool. Like Box Relay, FileCloud Workflows makes it easy to create workflows, manage multiple business processes, and monitor progress with an intuitive interface. It also allows real-time collaboration between business partners and vendors, clients, and other business entities and facilitates the flow of relevant business content. 

Other similarities include simple “if this, then those” statements that allow you to build a codebase without any programming and content-centric workflows that make it simple for business users to automate tasks that would otherwise require too much time or effort. 

Despite many core similarities, there are a few differences to consider. Just as Box Relay is integrated with the Box platform, FileCloud Workflows is tightly integrated with FileCloud. Box and FileCloud each provide different features that are well-suited to various enterprises depending on their business needs. 

Unlike Box, FileCloud has a self-hosted option (FileCloud Server) attractive to enterprises in heavily regulated industries and government organizations. FileCloud uses industry-standard encryption methods (AES 256 bit) to securely transfer data (SSL/TLS secure channel) and store it. It supports ransomware detection, ransomware prevention, anti-virus scanning, data loss prevention, and easy-to-configure security policies.

There is also a difference in pricing and value. FileCloud Server Standard edition costs $5,000/year for 100 users, while Box Business edition costs $15,000/year for 100 people. Included within that price, FileCloud offers unlimited client accounts for free. To see a detailed comparison of the two platforms, click here. 

Two downsides of FileCloud Workflows compared to Box Relay are that it lacks pre-made workflow templates and a workflow trigger API. An upside is that FileCloud Workflows’ drag-and-drop canvas makes it much easier to visualize and build workflows than the vertically stacked boxes in Box Relay’s user interface. 

FileCloud Workflows Features

Let’s take a more detailed look at FileCloud Workflows’ features.

No-code Workflows: As with Relay, users can build business workflows without extensive coding knowledge.

Drag-and-drop Interface: The visual canvas and drag-and-drop tool make it easy to see and create any business workflow. 

Workflow Ownership Transfer: This allows users to transfer workflows. Businesses can use workflow transfer to adapt quickly to organizational changes like job/role moves. IT and business managers can also use this feature to make and share workflows with departments and teams.

Summary Dashboard with Export: FileCloud Workflows also provides a summary dashboard with real-time reports and the ability to export an audit history. The dashboard provides a convenient way for users to see the progress of their work, and admins can monitor access rights for workflow generation and the oversight of business processes.

Self-hosted Data: For organizations that require complete control of their data, FileCloud has a self-hosted version. With FileCloud Workflows, organizations hosting their data on-premises can still enjoy the benefits of workflow automation. 

Comparison Conclusion

As you can see, there are many similarities and a few critical differences between FileCloud Workflows and Box Relay. Both tools provide business users with the ability to introduce workflow automation into their everyday processes. Which one you choose will depend on the requirements of your organization.