This Microsoft Tech Community Public Sector Blog post is an in depth response for the Defense Industrial Base (DIB) regarding compliance with the newly-established Cybersecurity Maturity Model Certification (CMMC) from the U.S. Department of Defense (DOD). This post is a follow-up to the CMMC Announcement by Lily Kim.
*Please note that the information cutoff date for this post is October 2020, and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body (CMMC AB) has not identified nor certified any third-party assessors, nor issued prescriptive guidance on the formal assessment process and criteria. As a result, the information herein, including our CMMC related offerings, may be enhanced to align with future guidance from the DoD and CMMC AB. Microsoft is closely tracking developments related to the CMMC.
The Defense Industrial Base (DIB) is subject to a significant number of regulations and standards protecting information systems for national security. Regulations include the Defense Federal Acquisition Regulation Supplement 252.204-7012 (DFARS 7012) mandating the implementation of National Institute of Standards and Technology (NIST) Special Publication 800-171 and U.S. Federal Risk and Authorization Management Program (FedRAMP) Moderate Impact Level for Independent Software Vendor (ISV) hosted cloud solutions.
Historically, the U.S. Department of Defense (DoD) has not required the Defense Industrial Base (DIB) to use independent third parties to audit and certify unclassified non-federal information systems, and instead relied on DIB companies to self-attest to their information protection and cybersecurity status. This precedent is changing as the DoD believes that the cybersecurity posture will be improved by no longer allowing self-attestation of security and compliance. As a result, the DoD is rolling out a new framework called the Cybersecurity Maturity Model Certification (CMMC) requiring periodic audits from independent, certified third-party assessment organizations (C3PAO) beginning as early as this summer of 2020. The CMMC builds upon DFARS 7012 and NIST 800-171 while adding a compliance audit and certification requirement. CMMC is the next stage in DoD efforts to properly secure the DIB by measuring and verifying a defense contractor’s ability to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CUI includes categories of information such as International Traffic in Arms Regulations (ITAR) and Export Controlled data. In addition, CMMC introduces stronger accountability for the prime contractor to assess and manage that appropriate security requirements are met across their supply chain hierarchy including partners, contractors and suppliers. A prime contractor must validate appropriate levels of subcontractor compliance to reinforce security across the supply chain hierarchy prior to contract award.
CMMC certification is a pre-requisite for DoD contract award. CMMC requires an evaluation of the contractor’s technical security controls, process maturity, documentation, policies and processes to ensure security and resiliency. Pursuant to the CMMC framework, the DoD will assign a Maturity Level 1-5 to individual functions of each DoD procurement, starting with basic safeguarding of FCI at Level 1, moving to broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) and nation state activity at Levels 4 and 5. Each level is made up of practices and processes that a contractor must demonstrate to achieve that level of certification. Certification levels will be determined through audits by C3PAOs with the intent to inform risk to the DoD. After implementation of the CMMC framework, the DoD will assign a maturity level to individual functions of each DoD procurement. These maturity levels will be listed in requests for proposals, or RFPs, and will serve as go/no-go evaluation criteria for the selection of contractors based on the maturity level they have achieved.
Note: The intention of CMMC is not to be a checklist of controls to implement and audit for, but rather serve as a framework for the DIB to have critical thinking skills for cybersecurity, improving the maturity of an organization as they progress from Level 1 to a Level 5.
CMMC Maturity Process Progression
Version 1.0 of the CMMC framework released in January 2020. Certification levels in requests for information, or RFIs, will be issued in June 2020 and in RFPs starting Fall 2020.
For more information on CMMC, please see the CMMC v1.0 Public Briefing
Microsoft has adopted NIST Special Publication 800-53 to demonstrate compliance with FedRAMP. Over a decade ago, Microsoft rebuilt and grounded its internal compliance frameworks to be based off NIST 800-53. All Microsoft cloud environments and products snap into this framework, streamlining the ability to demonstrate compliance with a multitude of global, government, industry and regional standards, certifications and accreditations. Microsoft clouds are audited bi-annually for NIST 800-53 compliance by a third-party assessment organization (3PAO).
Microsoft has also adopted the NIST Cybersecurity Framework (CSF). NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. The developers of CMMC have used NIST CSF for many of the guidelines incorporated into the CMMC body of work.
While the details are still being finalized by the DoD and CMMC AB, Microsoft is expected to allow some degree of reciprocity with FedRAMP, NIST 800-53 and NIST CSF, and many of the CMMC security controls map directly to controls under these existing cybersecurity frameworks. As a result, once C3PAOs are accredited by the CMMC AB, Microsoft plans to take advantage of its existing certifications and security controls by demonstrating to C3PAOs where Microsoft is eligible for any allowed reciprocity or have security controls that map directly to CMMC. Ultimately, Microsoft is confident in its cybersecurity posture and is closely following guidance from DoD and the CMMC AB in order to be able to demonstrate its compliance to the C3PAOs. Microsoft is currently mapping its existing cybersecurity controls and certifications with the CMMC controls that correspond with CMMC Levels 1-5 to identify and address any gaps that may exist. Microsoft’s goal is to help strengthen cybersecurity across the DIB by continuing to have world-class cybersecurity technology, controls and best practices, and to put its cloud customers in a position to inherit Microsoft’s security controls and eventual CMMC certifications. In so doing, Microsoft will move quickly to be evaluated once C3PAOs are accredited and approved to begin conducting assessments.
One of the most common questions is, What cloud environments will be certified? Cybersecurity frameworks are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity 'maturity' is often represented as the efficacy of process and automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government have controls in place for restricting access to only screened US persons with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. Accordingly, the current intent is to achieve certification for all Microsoft cloud-based products and services that are in scope for DIB customers, alongside FedRAMP, NIST 800-53, NIST CSF, DISA SRG, etc.
Note: While commercial environments will be certified, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies are best aligned with Azure Government and Microsoft 365 GCC High for data handling of CUI. For more information, please refer to Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings
Microsoft’s CMMC Acceleration Program is a comprehensive package targeting the improvement of DIB customers’ cybersecurity maturity, developing cyber critical thinking skills while taking advantage of the inherent compliance native to Microsoft cloud services.
Microsoft will deliver a portfolio of learning resources and automated implementation tools custom-tailored to the DIB, providing education, architectural references and support during the adoption of Microsoft cloud services. In addition, Microsoft works closely with trusted partners to implement reference architectures and compliance solutions. For example, once CMMC certification is achieved, Microsoft industry partners may leverage Microsoft’s CMMC Acceleration Program to host pre-configured enclaves compliant with CMMC, DFARS 7012 and NIST 800-171. These solutions will include documentation (e.g., SSP, SAR, etc.) that may be used to significantly reduce the amount of work necessary for certification.
Microsoft’s goal is to provide the scaffolding with a baseline framework for compliance. The Microsoft baseline is expected to significantly close the gap for compliance of infrastructure, applications and services hosted in Microsoft Azure, Microsoft 365 and Dynamics 365. Any resource that is deployed to the enclave will inherit the native controls. Microsoft will work with trusted partners and customers to enable them to close their compliance gap and mitigate risks, assist tenants with their shared customer responsibility, and provide solutions ready for CMMC audit and certification.
The timing for the release of the Microsoft CMMC Acceleration Program is subject to several variables, to include the certification of Microsoft products. The intent is to release the Microsoft CMMC Acceleration Program after Microsoft product assessments have been completed.
Customers using cloud services lessen their burden for compliance as the cloud represents a shared responsibility between the customer and the cloud service provider (CSP). For example, Microsoft as the CSP manages most controls for physical security and host infrastructure, so customers and partners don’t need to spend resources building and maintaining their own datacenters.
Shared Responsibility Matrix
The graphic above demonstrates the CSP responsibility in respective cloud models (On-Prem, IaaS, PaaS, SaaS) with light blue aligning with CSP and dark blue aligning with customer responsibility.
In the context of CMMC, Microsoft is closely tracking guidance and developments from the DoD and CMMC AB and posturing to be prepared and evaluated by the C3PAO once they are accredited, with a goal of achieving CMMC certification. While each customer will be responsible for its own certification, Microsoft’s cloud tenants expect to save time, money and other resources by inheriting Microsoft’s existing security controls and certifications.
To help map the value proposition of Microsoft’s CMMC Acceleration Program for DIB organizations, it helps to describe a few organization profiles. While every DIB company is unique, in most cases DIB organizations fall into one of the following three profiles: (1) Small- to medium-sized businesses (SMB); (2) Large DIB corporations; or (3) Moderate DIB organizations.
Greater than 60 percent of DIB companies are small- to medium-sized businesses (SMB), most of which have fewer than 500 employees with little to no IT staff. Most SMBs do not have dedicated cybersecurity staff, such as a Chief Information Security Officer (CISO), or network defenders working in a Security Operations Center. In addition, many DIB SMBs are primarily focused on defense with most of their employee population.
On the opposite end of the spectrum, large DIB corporations make up less than 10% of the DIB sector. They have large and mature IT organizations, with employees dedicated to cybersecurity (e.g. the CISO office). Many large DIB corporations are multinational and have business outside of the U.S. DoD supply chain, but they have formal programs dedicated to trade compliance with the U.S. DoD.
Somewhere in the middle, between SMB and the large DIB corporations exist a whole host of organizations that mix both commercial and defense businesses. These companies may only have a small employee population focused on defense. While they are considered DIB, they likely do not consider themselves Aerospace nor Defense companies. Many commercial companies are an example of this, call them moderate DIB organizations. They have material business with the U.S. DoD along with considerable commitments, but are not necessarily thought of as purely a defense contractor. Moderate DIB organizations may have a separate subsidiary or business unit focused on defense. Or they may be a research institution, such as Federally Funded Research and Development Center (FFRDC) or a University Affiliated Research Center (UARC), many that are part of larger universities across the country.
Dividing the DIB up into these three profiles is of course vastly over-simplifying the myriad of businesses and organizations that make up the DIB sector. However, this supports how Microsoft is approaching the CMMC Acceleration Program.
As mentioned earlier, Microsoft will deliver a portfolio of learning resources and automated implementation tools custom-tailored to the DIB. Microsoft will provide the scaffolding with a baseline for compliance. Microsoft and industry partners will help customers identify and close gaps, supplementing tenant certification efforts with a shared-responsibility model. For example, a customer may retain a managed service partner (MSP) to deploy and govern future CMMC certified enclaves on behalf of customers in Microsoft cloud services. Microsoft will also work with industry partners that may assist DIB organizations in the audit process, such as documenting System Security Plans (SSP).
Microsoft believes that SMBs will benefit the most as a result of adopting the Microsoft CMMC Acceleration Program. They may adopt the cloud comprehensively and leverage the baseline for compliance provided by Microsoft. Coupled together with an MSP offering, SMBs may have the quickest path to certification.
Note: Any deviation or customization of the pre-configured enclave modeled with the Microsoft CMMC Acceleration Program artifacts may incur added effort on the tenant to document their scope of control responsibility relative to the changes introduced.
Large DIB corporations have a longer journey. Most cannot move their entire IT into the cloud and must certify a much larger spectrum of environments on-premises and in multi-cloud solutions. Many Large DIB Corporations are looking to Microsoft to help their supply chain become compliant. Naturally, many companies in their supply chain are SMB and may take advantage of the Microsoft CMMC Acceleration Program. In addition, DIB prime contractors often have a requirement to procure secure data enclaves. In this context, a secure data enclave is a DIB cloud environment that will be CMMC certified for use with a specific project or mission system. This DIB cloud environment may be hosted in Microsoft cloud services and mirror the deployment an SMB may have, only this is a shared enclave for use by the DIB prime and its supply chain. The Microsoft CMMC Acceleration Program may be used in the construction of these environments.
Note: Microsoft and other CSPs consistently engage and share with DIB working groups to help improve the overall ecosystem. This is beneficial to Large DIB Corporations and the industry at large, especially as CMMC practices are formalized and automated leveraging Microsoft technologies.
Moderate DIB Organizations may also take advantage of the CMMC Acceleration Program for the subsidiaries or business units focusing on defense. However, many Moderate DIB Organizations find it difficult to identify the line of demarcation between the defense business and the rest of the company. If they keep the employee population integrated within the larger organization, it will require CMMC certification of the entire company. That is simply untenable for many commercial enterprises that are not dedicated to defense (e.g., a telecom or automobile manufacturer). The cost of adopting the CMMC framework may be prohibitive. Alternatively, Moderate DIB Organizations may choose to isolate an environment specifically for the defense business. In a similar vein as the SMB managed service environment, or the secure data enclaves, the defense business may be hosted in Microsoft cloud services, inheriting the compliance from Microsoft while segmented from the rest of the company. Depending on implementation, it may only require the defense business to be certified, as opposed to the entire company.
In all three cases, each DIB organization profile may take advantage of the Microsoft CMMC Acceleration Program. Most notably, expected reciprocity between CMMC controls and Microsoft’s native compliance is strategic in evolving the cybersecurity for an agile and resilient defense posture of the organization and providing a program to help facilitate CMMC certification. There are several artifacts that will be generated by automated implementation tools, to include:
Microsoft has already delivered many of the components for Microsoft’s CMMC Acceleration Program in Azure Infrastructure-as-a-Service (IaaS) and Azure Platform-as-a-Service (PaaS). For example, Microsoft recently released the Azure Blueprint for NIST SP 800-53 R4 in Azure Government. The blueprint maps a core set of Azure Policy definitions to specific NIST 800-53 controls. Given NIST 800-53 is a superset of the controls required for NIST 800-171, and ultimately for CMMC Level 3, Azure already has a head start in delivering a reference architecture for DIB deployments of Azure IaaS and PaaS.
As you can imagine, the customer responsibility for compliance is greater for IaaS and PaaS as compared to SaaS where more of the controls are managed by Microsoft. Microsoft 365, including the Office 365 suite, has a broader scope of responsibility to demonstrate compliance. Look for an article from the Chief Compliance Architect of Office 365 engineering, Shawn Veney. It will be posted to this same blog shortly after this publication.
For more information, please review my compliance blogs found here:
We would love to hear your feedback! Please post comments to this article below.
If you’re interested in learning more or participating in the program, email firstname.lastname@example.org.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.