In January of this year, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification or CMMC. This new maturity model defines five levels of increasing maturity and will require all defense contractors, both Primes and Subs, to comply with one of the five levels and attain independent verification of compliance prior to contract award. In an ongoing effort to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), CMMC is a significant change for DoD acquisition, cybersecurity, and policy. For small businesses in the defense industrial base, the challenge is potentially insurmountable.
Having partnered with the DoD as part of the Defense Industrial Base Cybersecurity Initiative since its inception, first as a Chief Information Security Officer with one of the largest DoD contractors and now as CEO of CyberSheath, the foremost Managed CMMC compliance provider, I have seen every side of this compliance problem and understand what works and what doesn’t. Because of this, I am often asked, “How can I meet CMMC requirements?” My answer is always the same, “Hire a great Managed Compliance partner and use Microsoft technologies.” If you only use internal resources, you will inevitably fall short somewhere on the security, technical, or policy expertise required. If you try to use multiple technologies from different vendors, you will have more tools than you can support, possibly achieving compliance and assuredly weakening security. This blog details what Managed Compliance looks like in the context of CMMC.
So, why Microsoft for CMMC?
Microsoft has a deep and long history of supporting government customers and their unique mission requirements; in fact, about a year ago, Richard Wakeman wrote this blog specific to the Microsoft Cloud Service Offerings. Suffice it to say Microsoft uniquely understands the U.S. Government's mission in a way that only decades of experience working alongside one another will allow. Microsoft understands the required people, processes, and technologies to support the DoD mission from both a compliance and operational perspective so well that it can often be difficult for anyone to lay it all out in one succinct communication. Microsoft has done more for the United States Government than any other cloud provider. Their decades of successful partnership with DoD have enabled them to provide resources that will enable your journey to CMMC compliance.
Here are three resources to get you started on your journey to CMMC compliance:
Shared Responsibility Model
CMMC compliance for many, if not most, companies will undoubtedly rely on the cloud at some point in the journey. When in the cloud, and frankly, on-premises, it is important to understand the concept of shared responsibility. When relying on cloud services, understanding the shared responsibility model is foundational to meeting and maintaining compliance. For an excellent blog on shared responsibility in the cloud, start here, and as you read, think about which CMMC security tasks are handled by your cloud provider and which tasks are handled by you. Now, for the many companies that rely on Managed Service Providers, or otherwise defined Third-Party Providers, how are you extending the shared responsibility to those entities?
Very few MSSPs understand CMMC in the context of the shared responsibility model. To my knowledge, CyberSheath is one of the few to build our entire CMMC management platform around Microsoft Azure technology, which is detailed here along with a breakdown of how CMMC has been 13 years in the making.
CMMC compliance isn’t a “go it alone” model and requires an understanding of the shared responsibility model, regardless of your CMMC compliance level. Rare is the company that does everything in-house without exception.
Azure Blueprints
Azure Blueprints enable customers to easily create, deploy, and update compliant environments and leverage the enormous Microsoft investment in data security and privacy. Microsoft invests more than USD 1 billion annually on cybersecurity research and development, employs more than 3,500 security experts entirely dedicated to your data security and privacy, and Azure has more certifications than any other cloud provider. View the comprehensive list.
Blueprints simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, role-based access controls, and policies, in a single blueprint definition. Customers can easily apply the blueprint to new subscriptions and environments and fine-tune control and management through versioning. Specific to CMMC, blueprints present a tremendous advantage for customers who want to quickly address the majority of the CMMC Maturity Level 3 requirements.
The NIST SP 800-171 R2 blueprint sample provides governance guardrails using Azure Policy that help you assess specific NIST SP 800-171 R2 requirements or controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements or controls. As many readers know, approximately 85% of the CMMC Maturity Level 3 requirements are essentially the NIST SP 800-171 security requirements, so this blueprint can be a force for progress in your CMMC compliance efforts.
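The Azure Policy guardrails the blueprint sample deploys can also be assigned and assessed directly. The following is an added example, not code from this blog, from Microsoft, or from the blueprint sample itself: it assigns the built-in "NIST SP 800-171 Rev. 2" policy initiative at subscription scope and then lists the resources that fail it, which is the starting point for a gap analysis against the roughly 85% of Level 3 practices that map to NIST SP 800-171. It assumes the Az.Resources and Az.PolicyInsights modules are installed and Connect-AzAccount has been run (with -Environment AzureUSGovernment if the subscription lives in Azure Government); the subscription ID, the assignment name nist-800-171-r2, and the region are placeholders.

```powershell
# Added example (not Microsoft's or the blueprint sample's own code): assign the
# built-in "NIST SP 800-171 Rev. 2" Azure Policy initiative to a subscription and
# report the non-compliant resources. Assumes Az.Resources and Az.PolicyInsights
# are installed and Connect-AzAccount has already been run.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
$Scope          = "/subscriptions/$SubscriptionId"
$Location       = "usgovvirginia"   # region that hosts the assignment's managed identity
$AssignmentName = "nist-800-171-r2" # assumed name for this example

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Look the initiative up by display name instead of hardcoding its GUID.
# (Az.Resources 7.x flattens the object, so DisplayName may be top level or under Properties.)
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'NIST SP 800-171 Rev. 2' -or
                   $_.DisplayName -eq 'NIST SP 800-171 Rev. 2' }
if (-not $initiative) { throw "Built-in NIST SP 800-171 Rev. 2 initiative not found" }

# Assign at subscription scope, reusing an existing assignment if present.
# A system-assigned identity is needed because some policies in the set use
# DeployIfNotExists/Modify effects. (Older Az.Resources versions use -AssignIdentity
# instead of -IdentityType.)
$assignment = Get-AzPolicyAssignment -Scope $Scope -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $AssignmentName }
if (-not $assignment) {
    $assignment = New-AzPolicyAssignment -Name $AssignmentName `
        -DisplayName 'NIST SP 800-171 R2 guardrails' `
        -PolicySetDefinition $initiative `
        -Scope $Scope -Location $Location -IdentityType 'SystemAssigned'
}

# Compliance evaluation normally runs on a schedule; trigger one now and wait for it.
Start-AzPolicyComplianceScan -AsJob | Wait-Job | Out-Null

# Summarize, then list non-compliant resources for this assignment only.
$filter  = "PolicyAssignmentName eq '$AssignmentName' and ComplianceState eq 'NonCompliant'"
$summary = Get-AzPolicyStateSummary -SubscriptionId $SubscriptionId -Filter $filter
"Non-compliant resources: $($summary.Results.NonCompliantResources); " +
"non-compliant policies: $($summary.Results.NonCompliantPolicies)"

Get-AzPolicyState -SubscriptionId $SubscriptionId -Filter $filter |
    Select-Object ResourceId, PolicyDefinitionName, PolicyDefinitionReferenceId |
    Sort-Object PolicyDefinitionName |
    Format-Table -AutoSize
```

The initiative is looked up by display name so the script does not depend on a hardcoded definition GUID, and the compliance query is filtered to this one assignment so findings from other initiatives on the same subscription do not get mixed in. The per-resource output is what a Managed Compliance partner would turn into a System Security Plan and Plan of Action and Milestones entry for each failing control.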
Office 365 GCC High and DoD
As many defense contractors already know, CMMC was, in part, created to address the security of CUI, and Microsoft has long been a partner with DoD working to protect this information.
To meet the unique and evolving requirements of DoD and contractors holding or processing DoD-controlled CUI or subject to International Traffic in Arms Regulations (ITAR), Microsoft offers GCC High and DoD environments. Microsoft GCC High and DoD meet the compliance requirements for the following certifications and accreditations:
- The Federal Risk and Authorization Management Program at FedRAMP High, including those security controls and control enhancements as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
- The security controls and control enhancements for the United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 5 (L5).
DoD Office 365 subscribers will receive services provided from the DoD exclusive environment that meets DoD SRG L5. Non-DoD subscribers will receive services from the U.S. Government Defense environment, which is assessed at L5, but has L4 equivalency.
There is much debate and often confusion on whether CMMC requires GCC High, and it is one of many issues that highlight the need for a Managed Compliance Partner, but the point is that Microsoft has long been the partner of choice for the DoD in addressing this challenge.
CMMC mandates minimum cybersecurity standards for 300,000 plus commercial defense contractors around the globe and makes compliance part of the acquisition process, preventing contract award until an independent third party has verified compliance. Given the magnitude of this change and the revenue-impacting consequences of non-compliance, we choose Microsoft for our CMMC Managed Services Customers.
Additional information
CMMC Con
For additional information on Microsoft’s CMMC acceleration, join Microsoft’s Richard Wakeman, Senior Director of Aerospace & Defense for Azure Global, on November 1th at CMMC Con 2020. Mr. Wakeman will host a Technology Spotlight session dedicated to discovering how Microsoft solutions are assisting the DIB in government compliance. Visit www.cmmccon2020.com to learn more.
CMMC companion
You can download our CMMC Companion guide, “Everything you need to know about achieving NIST 800-171 and CMMC compliance as a contractor in the Defense Industrial Base,” here.
About the Author
Eric is Chief Executive Officer (CEO) for CyberSheath Services International, LLC (CyberSheath) and is a respected cybersecurity expert, having testified before the House Armed Services Committee (HASC) Subcommittee on Emerging Threats and Capabilities and served on the Council on Cyber Security expert panel to review and update the Critical Security Controls. Prior to founding CyberSheath, Eric was the Global Chief Information Security Officer for BAE Systems plc, based in London. Concurrently, Eric served as Vice President and General Manager of North American IT operations, overseeing engineering, architecture, and IT operations support for approximately 39,000 employees. Eric has an MBA from the University of Maryland and a B.S. with honors in Information Technology Management from Daniel Webster College. He holds numerous technical and professional certifications, including Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).