Among the myriad concerns you are trying to tackle, ensure your VPN is using FIPS 140-2 validated encryption or the whole idea is dead in the water. NordVPN may not be an option (to be fair, I just did a quick look and didn't see anything, nor any validated module--OS-embedded).
That makes sense and I'll look into it. I recently stumbled upon Virtru that seems to be compliant with CMMC and other compliance solutions like ITAR and it is FedRAMP moderate already.
But now it comes back to this: with a great solution like this, is it now okay to send CUI via email through it? I feel like I may be at the information overload stage at the moment.
You have to be careful because without more specific information I can only guesstimate.
But say if you had a system like BigTime for timesheets, that isn't hosted on-prem or in a private cloud, but it shouldn't contain CUI. That is fine not being certified in my opinion.
However, CMMC is new so they could take a different viewpoint on this. My experience is primarily with FedRAMP and I haven't seen this be an issue in multiple engagements.
You can also have something like AWS Managed Active Directory that would technically not contain CUI, but that you're using for authentication and identity management, GPOs and such as well. Something like that would need to be certified (FedRAMP Moderate), and in this example case it is.
Even something like Office 365 commercial can be considered non-CUI if you put in the proper rules, procedures, and such around it to ensure that CUI never enters into it.