This Microsoft Tech Community Public Sector Blog post is an in depth response for the Defense Industrial Base (DIB) regarding compliance with the newly-established Cybersecurity Maturity Model Certification (CMMC) from the U.S. Department of Defense (DoD).
Please note that the information cutoff date for this post is April 2021, and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body (CMMC AB) has not formalized guidance for Cloud Service Providers. As a result, the information herein, including our CMMC-related offerings, is provisional and may be enhanced to align with future guidance from the DoD and CMMC AB. Microsoft is closely tracking developments related to the CMMC.
Cybersecurity Maturity Model Certification
The Defense Industrial Base (DIB) is subject to a significant number of regulations and standards protecting information systems for national security. Regulations include the Defense Federal Acquisition Regulation Supplement 252.204-7012 (DFARS 7012) mandating the implementation of National Institute of Standards and Technology (NIST) Special Publication 800-171 and U.S. Federal Risk and Authorization Management Program (FedRAMP) Moderate Impact Level for Cloud Service Provider (CSP) hosted cloud solutions.
Historically, the U.S. Department of Defense (DoD) has not required the Defense Industrial Base (DIB) to use independent third parties to audit and certify unclassified non-federal information systems, and instead relied on DIB companies to self-attest to their information protection and cybersecurity status. This precedent is changing, as the DoD believes that the cybersecurity posture of the DIB will be improved by no longer allowing self-attestation of security and compliance. As a result, the DoD is rolling out a new framework called the Cybersecurity Maturity Model Certification (CMMC), requiring periodic audits from independent, CMMC AB certified third-party assessment organizations (C3PAO) beginning in the Winter of 2020. The CMMC builds upon DFARS 7012 and NIST 800-171 while adding a compliance audit and certification requirement. CMMC is the next stage in DoD efforts to properly secure the DIB by measuring and verifying a defense contractor’s ability to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CUI includes categories of information such as International Traffic in Arms Regulations (ITAR) and Export Controlled data. In addition, CMMC introduces stronger accountability for the prime contractor to assess and ensure that appropriate security requirements are met across its supply chain hierarchy, including partners, contractors and suppliers. A prime contractor must validate appropriate levels of subcontractor compliance prior to contract award, reinforcing security across the supply chain hierarchy.
CMMC certification is a prerequisite for DoD contract award. CMMC requires an evaluation of the contractor’s technical security controls, process maturity, documentation, policies and processes to ensure security and resiliency. Pursuant to the CMMC framework, the DoD will assign a Maturity Level 1-5 to individual functions of each DoD procurement, starting with basic safeguarding of FCI at Level 1, moving to broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) and nation state activity at Levels 4 and 5. Each level is made up of practices and processes that a contractor must demonstrate to achieve that level of certification. Certification levels will be determined through assessments by C3PAOs, with the intent to inform risk to the DoD. The maturity level assigned to each procurement will be listed in requests for proposals, or RFPs, and will serve as go/no-go evaluation criteria for the selection of contractors based on the maturity level they have achieved.
Note: The intention of CMMC is not to be a checklist of controls to implement and audit for, but rather to serve as a framework for cybersecurity, improving the maturity of an organization as it progresses from Level 1 to Level 5.
CMMC Maturity Progression
Version 1.02 of the CMMC framework was released in January 2020. Certification levels will appear in requests for information, or RFIs, issued in Winter 2020 and in RFPs starting Spring 2021.
For more information on CMMC, please see https://www.cmmcab.org/cmmc-standard
Certifying with the Microsoft Cloud, how Microsoft products meet CMMC
Existing cybersecurity framework adoption
Microsoft has adopted NIST Special Publication 800-53 to demonstrate compliance with FedRAMP. Over a decade ago, Microsoft rebuilt and grounded its internal compliance frameworks on NIST 800-53. All Microsoft cloud environments and products snap into this framework, streamlining the ability to demonstrate compliance with a multitude of global, government, industry and regional standards, certifications and accreditations. Microsoft clouds are audited bi-annually for NIST 800-53 compliance by a third-party assessment organization (3PAO).
Microsoft has also adopted the NIST Cybersecurity Framework (CSF). NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. The developers of CMMC have used NIST CSF for many of the guidelines incorporated into the CMMC body of work.
Microsoft’s government cloud services meet the demanding requirements of the DoD Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements for CSPs that host DoD information, systems, and applications, and for DoD’s use of cloud services. It maps to the DoD Risk Management Framework and NIST 800-37/53. Microsoft has Provisional Authorizations for SRG impact levels 2 through 5, enabling customers to benefit from the rigorous security of the Microsoft Cloud. By deploying services into the US Sovereign Cloud including Azure Government, Microsoft 365 Government GCC High, and Dynamics 365 Government GCC High, customers can use a rich array of services demonstrating compliance at SRG IL4 and IL5.
In addition, Microsoft Government Cloud services help the DIB meet the Defense Federal Acquisition Regulation Supplement (DFARS) requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to CSPs.
While the details are still being finalized by the DoD and CMMC AB, Microsoft expects some degree of reciprocity with FedRAMP, NIST 800-53, NIST CSF, and the DoD SRG, as many of the CMMC security controls map directly to controls under these existing cybersecurity frameworks. As a result, Microsoft plans to take advantage of its existing certifications and security controls by demonstrating where customers running on the Microsoft cloud are eligible for any allowed reciprocity and have security controls inherited from the underlying cloud platform. Microsoft is currently mapping its existing cybersecurity controls and certifications to the CMMC controls that correspond with CMMC Levels 1-5 to identify how customers may achieve a program of reciprocity. Microsoft’s goal is to help strengthen cybersecurity across the DIB by continuing to have world-class cybersecurity technology, controls and best practices, and to put its cloud customers in a position to inherit Microsoft’s security controls and eventual CMMC certifications.
What cloud environments meet the requirements for CMMC?
One of the most common questions is, “What cloud environments meet the requirements for CMMC?” Cybersecurity frameworks are applied to all Microsoft cloud environments consistently across the spectrum of services. Cybersecurity ‘maturity’ is often represented as the efficacy of process and the automation of practices. There are specific control requirements that are unique to each cloud environment. For example, sovereign clouds such as Azure Government have controls in place for restricting access to only screened US persons, with data processing and storage only within the Continental United States (CONUS). Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC. Accordingly, the current intent is to establish a program of reciprocity for all Microsoft cloud-based products and services that are in scope for DIB customers, alongside FedRAMP, NIST 800-53, NIST CSF, DoD SRG, etc.
Note: While commercial environments will be in scope, CMMC by itself will not be the decision factor on choosing which environment is most appropriate. Most DIB companies are best aligned with Azure Government and Microsoft 365 Government GCC High for data handling of Controlled Unclassified Information (CUI). For more information, please refer to:
Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings
Microsoft US Sovereign Cloud Myth Busters – CUI Effectively Requires Data Sovereignty
Microsoft’s CMMC Acceleration Program, the plan to help customers get certified
Microsoft’s CMMC Acceleration Program is a comprehensive package targeting the improvement of DIB customers’ cybersecurity maturity that takes advantage of the inherent compliance native to Microsoft cloud services.
Microsoft is delivering a portfolio of CMMC resources and automated implementation tools custom-tailored to the DIB, providing education, architectural references and support during the adoption of Microsoft cloud services. In addition, Microsoft works closely with trusted partners to implement reference architectures and compliance solutions. For example, Microsoft industry partners may leverage Microsoft’s CMMC Acceleration Program to host pre-configured enclaves compliant with CMMC, DFARS 7012 and NIST 800-171. These solutions will include documentation (e.g., the System Security Plan (SSP), the Security Assessment Report (SAR), etc.) that may be used to significantly reduce the amount of work necessary for certification.
Microsoft’s goal is to provide the scaffolding with a baseline framework for compliance. The Microsoft baseline is expected to significantly close the gap for compliance of infrastructure, applications and services hosted in Microsoft Azure, Microsoft 365 and Dynamics 365. Any resource that is deployed to the enclave will inherit the native controls. Microsoft will work with trusted partners and customers to enable them to close their compliance gap and mitigate risks, assist tenants with their shared customer responsibility, and provide solutions ready for CMMC assessment and certification.
Shared responsibility for compliance
Customers using cloud services lessen their burden for compliance as the cloud represents a shared responsibility between the customer and the cloud service provider (CSP). For example, Microsoft as the CSP manages most controls for physical security and host infrastructure, so customers and partners don’t need to spend resources building and maintaining their own datacenters.
Shared Responsibility Matrix
The graphic above shows the split of responsibility in each cloud model (On-Prem, IaaS, PaaS, SaaS), with light blue indicating CSP responsibility and dark blue indicating customer responsibility.
In the context of CMMC, each customer will be responsible for its own certification, but is expected to save time, money and other resources by leveraging a program of reciprocity and inheriting Microsoft’s existing security controls and certifications.
DIB organization profiles
To help map the value proposition of Microsoft’s CMMC Acceleration Program for DIB organizations, it helps to describe a few organization profiles. While every DIB company is unique, in most cases DIB organizations fall into one of the following three profiles: (1) Small- to medium-sized businesses (SMB); (2) Large DIB corporations; or (3) Moderate DIB organizations.
Greater than 60 percent of DIB companies are Small- to Medium-sized Businesses (SMB), most of which have fewer than 500 employees with little to no IT staff. Most SMBs do not have dedicated cybersecurity staff, such as a Chief Information Security Officer (CISO), or network defenders working in a Security Operations Center. In addition, many DIB SMBs are primarily focused on defense, with most of their employee population dedicated to that business.
On the opposite end of the spectrum, large DIB corporations make up less than 10% of the DIB sector. They have large and mature IT organizations, with employees dedicated to cybersecurity (e.g., the CISO office). Many large DIB corporations are multinational and have business outside of the U.S. DoD supply chain, but they have formal programs dedicated to trade compliance with the U.S. DoD.
Somewhere in the middle, between SMBs and the large DIB corporations, exists a whole host of organizations that mix both commercial and defense businesses. These companies may have only a small employee population focused on defense. While they are considered DIB, they likely do not consider themselves Aerospace or Defense companies. Many commercial companies fit this description; call them moderate DIB organizations. They have material business with the U.S. DoD along with considerable commitments, but are not necessarily thought of as purely defense contractors. Moderate DIB organizations may have a separate subsidiary or business unit focused on defense. Or they may be a research institution, such as a Federally Funded Research and Development Center (FFRDC) or a University Affiliated Research Center (UARC), many of which are part of larger universities across the country.
Dividing the DIB into these three profiles is of course vastly over-simplifying the myriad businesses and organizations that make up the DIB sector. However, it frames how Microsoft is approaching the CMMC Acceleration Program.
Microsoft’s CMMC Acceleration Program details
As mentioned earlier, Microsoft will deliver a portfolio of resources and automated implementation tools custom-tailored to the DIB. Microsoft will provide the scaffolding with a baseline for compliance. Microsoft and industry partners will help customers identify and close gaps, supplementing tenant certification efforts with a shared-responsibility model. For example, a customer may retain a Managed Service Provider (MSP) to deploy and govern future CMMC certified enclaves on behalf of customers in Microsoft cloud services. Microsoft will also work with industry partners that may assist DIB organizations in the assessment process, such as documenting System Security Plans (SSP).
Microsoft believes that SMBs will benefit the most as a result of adopting the Microsoft CMMC Acceleration Program. They may adopt the cloud comprehensively and leverage the baseline for compliance provided by Microsoft. Coupled together with an MSP offering, SMBs may have the quickest path to certification.
Note: Any deviation or customization of the pre-configured enclave modeled with the Microsoft CMMC Acceleration Program artifacts may incur added effort on the tenant to document their scope of control responsibility relative to the changes introduced.
Large DIB corporations have a longer journey. Most cannot move their entire IT into the cloud and must certify a much larger spectrum of environments on-premises and in multi-cloud solutions. Many Large DIB Corporations are looking to Microsoft to help their supply chain become compliant. Naturally, many companies in their supply chain are SMB and may take advantage of the Microsoft CMMC Acceleration Program. In addition, DIB prime contractors often have a requirement to procure secure data enclaves. In this context, a secure data enclave is a DIB cloud environment that will be CMMC certified for use with a specific project or mission system. This DIB cloud environment may be hosted in Microsoft cloud services and mirror the deployment an SMB may have, only this is a shared enclave for use by the DIB prime and its supply chain. The Microsoft CMMC Acceleration Program may be used in the construction of these environments.
Note: Microsoft and other CSPs consistently engage and share with DIB working groups to help improve the overall ecosystem. This is beneficial to Large DIB Corporations and the industry at large, especially as CMMC practices are formalized and automated leveraging Microsoft technologies.
Moderate DIB Organizations may also take advantage of the CMMC Acceleration Program for the subsidiaries or business units focusing on defense. However, many Moderate DIB Organizations find it difficult to identify the line of demarcation between the defense business and the rest of the company. If they keep the employee population integrated within the larger organization, it will require CMMC certification of the entire company. That is simply untenable for many commercial enterprises that are not dedicated to defense (e.g., a telecom or automobile manufacturer). The cost of adopting the CMMC framework may be prohibitive. Alternatively, Moderate DIB Organizations may choose to isolate an environment specifically for the defense business. In a similar vein as the SMB managed service environment, or the secure data enclaves, the defense business may be hosted in Microsoft cloud services, inheriting the compliance from Microsoft while segmented from the rest of the company. Depending on implementation, it may only require the defense business to be certified, as opposed to the entire company.
In all three cases, each DIB organization profile may take advantage of the Microsoft CMMC Acceleration Program. Most notably, the expected reciprocity between CMMC controls and Microsoft’s native compliance is strategic in evolving the organization’s cybersecurity toward an agile and resilient defense posture, and in providing a program to help facilitate CMMC certification.
For a detailed breakdown of the resources available in the CMMC Acceleration Program, please see Microsoft CMMC Acceleration Program Update – October 2020.
If you’re interested in learning more or participating in the program, email: firstname.lastname@example.org