With the Cybersecurity Maturity Model Certification (CMMC) program taking effect on December 16, 2024, per the 32 CFR rule, the Defense Industrial Base (DIB) has entered a new phase of cybersecurity compliance. This final rule codifies CMMC as a requirement to ensure contractors have implemented necessary security measures for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), with most requiring an assessment by an Authorized CMMC Third-Party Assessment Organization (C3PAO). The rule formalizes the CMMC program requirements for defense contractors.
For organizations already leveraging Microsoft Azure cloud services, this milestone offers an opportunity to strengthen security and compliance while optimizing cloud infrastructure and services to meet their NIST 800-171, DFARS, and FAR demands that a CMMC certification validates.
Organizations that subscribe to Microsoft GCC-High services gain a head start with one of the best cloud platforms for DoD vendors. However, using these services alone does not guarantee CMMC success. Contractors must still configure and manage the environment themselves and provide monitoring and incident response around the clock.
Why 32 CFR Matters for DoD Contractors
The CMMC program isn't just about the validation of DFARS 7012 requirements that have been enforceable since 2017; it's about ensuring the nation's defense data is protected from threats. CMMC introduces mandatory certification levels, each designed to address the various information sensitivity levels shared with the DoD contractor ecosystem. Compliance is no longer assumed—it's now a requirement to prove the needed security maturity to be eligible to continue with DoD contracts and accept contract awards.
Key Features of 32 CFR Final Rule:
- Three-Level Certification System: Contractors will be certified at Levels 1, 2, or 3 based on the sensitivity of the information they handle.
- Level 1: Self-attestation covering 17 basic controls for organizations that only handle FCI.
- Level 2: Requires 110 controls based on NIST SP 800-171 for those handling CUI, with certification via self-attestation or third-party assessments.
- Level 3: Designed for contractors handling highly sensitive CUI, with additional measures against Advanced Persistent Threats (APTs).
- Certification for External Service Providers (ESPs): ESPs can participate in client assessments rather than requiring their own certification first, reducing delays.
- DIBCAC-High Assessments: These assessments, conducted under the Joint Surveillance Voluntary Assessment Program (JSVAP), provide more flexibility in a Plan of Action and Milestone (POA&M) if any deficiencies are found. Eligible contractors may convert automatically to CMMC Level 2 Certification if a 110 score is achieved prior to the effective date of the rule, December 16, 2024.
- Appeals Process: Contractors can appeal assessment findings, with appeals first reviewed by the C3PAO and further adjudication handled by the Cyber AB if needed.
- Record Retention: Contractors must retain certification artifacts and evidence for six years (previously three).
- Mergers and Acquisitions: Significant organizational changes, such as mergers, require new certifications.
Cloud Solutions Accelerating CMMC Compliance
Microsoft Government Cloud Community services and offerings are tailored to meet the stringent requirements of government and DoD contractors, making them an ideal solution for accelerating compliance. With features like FedRAMP compliance and enhanced security controls, these services provide flexibility and security, and they have been optimized for CMMC certification across all levels.
- Azure Government: Offers the security and compliance tools needed for Level 2 and 3 certifications, including meeting NIST SP 800-171 and FedRAMP High standards.
- Microsoft 365 Compliance Center: Provides tools to assess, monitor, and report on compliance status, enabling easy tracking of CMMC-related controls.
- Azure Sentinel and Defender: Deliver advanced threat protection and continuous monitoring, helping contractors mitigate risks associated with APTs (required for Level 3 certification).
Comparing 32 CFR and 48 CFR: What's the Difference?
One common point of confusion is the distinction between 32 CFR and the forthcoming 48 CFR rule. While 32 CFR defines the cybersecurity requirements contractors must meet, 48 CFR outlines how these requirements will be enforced through contracts.
| 32 CFR | 48 CFR |
| --- | --- |
| Formalizes the CMMC program | Defines how CMMC is enforced in contracts |
| Establishes the three-level certification system | Outlines contract clauses and compliance monitoring |
| Effective December 16, 2024 | Expected finalization in 2025 |
For contractors already working with Microsoft's cloud services, achieving compliance with 32 CFR is the first step. As 48 CFR is finalized, contractors must ensure their security and compliance measures align with DoD contract clauses and the appropriate CMMC requirements.
What DoD Contractors Should Do Now
With CMMC now in effect, contractors should act immediately. Those who delay assessment and/or certification risk falling behind as waitlists for assessments grow, which could lead to missed contract opportunities in the future.
Steps to Take:
- Evaluate the types of sensitive data associated with your DoD awarded contracts (and desired future ones): Microsoft Government Cloud (Low) and Microsoft Government Cloud High (GCC High) are different for a reason. Consult with a C3PAO or RPO to ensure you select the best cloud for your goals.
- Assess Your Cloud Security Program: If you already use Microsoft Government Cloud services, evaluate your current security program. Map against the CMMC requirements in the cloud configuration and architecture and how your organization will perform the ongoing activities needed to meet the compliance standard.
- Conduct a Gap Analysis: Identify areas where your organization's cybersecurity program falls short of the required CMMC level and take steps to close those gaps.
- Plan for Certification: Depending on your certification level, either self-attest (for Level 1 and some Level 2) or schedule a third-party assessment with a C3PAO for Level 2. For those requiring Level 3, you must first complete Level 2 with a C3PAO then get on the schedule with the Defense Contract Management Agency (DCMA) Defense Industrial Base Certification Assessment Center (DIBCAC) for a Level 3 assessment.
- Lifecycle Compliance Management Plan: Ensure you have clear documentation of your compliance efforts and a plan for providing the artifacts and reports needed to support active compliance management. DoD prime contractors can ask for certification and verification of ongoing maintenance from their subcontractors at any time.
Looking Forward
As the CMMC program rolls out, contractors who proactively achieve certification stand to gain a competitive advantage, particularly in the crowded defense contracting space. By leveraging Microsoft's Government Cloud, contractors can ensure their infrastructure meets current compliance standards and is future-proofed against evolving cybersecurity threats.
Redspin, a C3PAO leader in CMMC assessments, is already helping contractors navigate this complex landscape. By integrating Microsoft's Government Cloud with expert guidance, contractors can swiftly ensure they're prepared to meet both 32 CFR and 48 CFR requirements.
About the Author
Dr. Thomas Graham is the VP and CISO at Redspin, a leading Cybersecurity Maturity Model Certification (CMMC) service provider. He is a recognized expert in CMMC and holds multiple certifications, including Certified Assessor (CCA), and CMMC Certified Instructor (CCI). Dr. Graham played a pivotal role in Redspin becoming the first authorized C3PAO and conducting DIBCAC High CMMC assessments under JSVAP. With a Ph.D. in Information Assurance and Security, he oversees internal security matters at Redspin. Dr. Graham's accomplishments include receiving a FedHealthIT award while supporting the Defense Health Agency and speaking at industry events like the National Cyber Summit and ISC2 Security Congress.
Updated Feb 03, 2025
Version 2.0