CMMC Level 2: Is the WatchGuard Compliance Package worth it if we use PreVeil + M365 Business Premium?
We are mid-journey on our CMMC Level 2 compliance and looking for some feedback on our tooling strategy.
Our Current Stack / Scope:
- CUI/FCI Enclave: PreVeil (storing/sharing all CUI and FCI).
- Identity & Endpoint: M365 Business Premium (utilizing Intune and Defender for Business).
- Network & Perimeter: WatchGuard T45 firewall with Total Security Suite, AuthPoint for MFA, and Advanced EPDR on the endpoints.
The Dilemma: We are looking at the WatchGuard Compliance Package (which includes automated NIST 800-171 control reports).
Is it actually worth paying extra for these automated compliance reports? Or should we just save the money and capitalize entirely on our Microsoft 365 Business Premium (Intune/Defender) capabilities and manually gather the firewall logs/evidence?
My gut tells me that since PreVeil is handling the CUI itself, the WatchGuard environment is essentially acting as a security domain that protects the endpoints accessing the enclave. Do automated reports from WatchGuard actually move the needle during a C3PAO assessment, or are they just expensive shelfware that duplicates what we can pull manually or through Microsoft?
Would love to hear from anyone who has gone through an assessment with a similar hybrid WatchGuard/Microsoft/PreVeil stack. Thanks!