Mitigating Challenges Associated with CMMC Compliance

It’s demanding; however, the Cybersecurity Maturity Model Certification program helps streamline compliance. Here’s what you need to know and do.


By Lisa Haywood - Government Cloud & CMMC Global Black Belt, Justin Orcutt - Security Specialist - Aerospace & Defense, Richard Wakeman - Chief Architect - Aerospace & Defense, Paul Meacham - Chief Technical Officer, Aerospace & Defense Manufacturing

Aerospace and Defense Industrial Base (DIB) organizations impacted by the Cybersecurity Maturity Model Certification (CMMC) program are looking for more streamlined ways to achieve proper compliance. With recent changes introduced in CMMC 2.0 back in November 2021, the program is in an evolving stage to meet the demands of improving national security while keeping the costs to the supply chain realistic. In this article, we explore what CMMC is, the updates made for 2.0, and how Microsoft may help organizations accelerate their CMMC journeys.

What is CMMC?

CMMC is an assessment and validation framework developed by the U.S. Department of Defense (DoD) requiring validation of DIB contractor cybersecurity practices when handling certain types of highly sensitive data. CMMC may require formal assessments conducted by independent CMMC 3rd-Party Assessor Organizations (C3PAO) accredited by the CMMC Accreditation Body.

CMMC represents an evolution of DoD efforts to properly safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) processed by the DIB. It introduces stronger accountability for the prime contractors to ensure that appropriate security requirements are met across their supply chain. Primes assemble sub-contractor teams that are validated at the appropriate levels prior to being awarded a contract to demonstrate the resiliency of their supply chain.

It’s no secret why the DoD would want to tighten security on its supply chain. According to DoD officials, organizations in the DIB are under constant attack both from nation-states and rogue actors seeking sensitive information. Any breach of a DIB contractor not only poses a risk to national security but also could result in a significant loss to U.S. taxpayers. According to a 2021 report by Cybersecurity Ventures, it’s estimated that cybercrime will cost businesses worldwide $10.5 trillion annually by 2025. Coincidentally, by 2025, every business in the DIB will be required to validate compliance with CMMC if they want to continue doing business with the Pentagon.

The reasoning for CMMC makes a lot of sense; however, requirements have evolved over the last few months forcing some organizations to rethink their strategy for meeting the requirements of this compliance framework while securing their environments in an expeditious fashion.

What’s Included in CMMC 2.0?

In November 2021, the DoD provided updated information on the direction of the CMMC program. At a high level, these changes included the following:

Once CMMC 2.0 is codified through rulemaking, the DoD will require DIB contractors to adhere to the revised CMMC framework, according to the requirements set forth in the regulation. This rulemaking process and its timelines can take 9 to 24 months, starting from November 2021.

During a DoD Townhall hosted on February 10, 2022, DoD CISO David McKeown estimated that about 220,000 companies will self-assess at Level 1, while 40,000 will certify via a C3PAO assessment at Level 2, and between 500 and 600 will certify via a DoD assessment at Level 3.

How Microsoft Helps Organizations Prepare for CMMC Compliance

Microsoft has been doing business and partnering with the DoD for four decades, investing in cloud offerings supporting government customers and the supply chain. Whether you are a prime contractor working directly with the DoD, or a smaller sub-contractor, Microsoft 365 US Government plans can provide you with the Modern Work and security solutions you need, but in a segmented and isolated government community cloud (GCC) or even in a network sovereign to the U.S. (GCC High). Additionally, both Azure and Azure Government have FedRAMP High authorizations in place that address security controls related to the safeguarding of FCI and CUI. Microsoft has developed a  to help organizations better understand compliance between our Commercial, Government, and DoD offerings.

We are also actively building our CMMC Acceleration program to provide solutions and resources for both partners and DIB to leverage in their CMMC journey. The goal is to enable our customers and partners to close the gap for compliance of infrastructure, applications, and services hosted in Microsoft Azure, Microsoft 365, and Microsoft Dynamics 365. This collection of resources and tools can be leveraged to improve an organization’s security posture and get ready to be assessed.

Some of the key features of Microsoft’s CMMC Acceleration program include:

  • Microsoft Product Placemat for CMMC provides an interactive view representing how Microsoft cloud products and services satisfy requirements and help you demonstrate compliance with CMMC practices.
  • Microsoft Technical Reference Guide for CMMC includes implementation statements for an organization pursuing CMMC while using relevant Microsoft services. This is especially useful when paired with the Product Placemat mentioned above.
  • Compliance Manager, available in both commercial and government environments, helps organizations manage CMMC requirements with greater ease and convenience by taking inventory of data protection risks, managing the implementation of complex controls, staying up to date with regulations and certifications, and more.
  • Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries, Azure Resource Graph results, and policies aligned to CMMC controls across the Microsoft portfolio, including Microsoft security offerings, Microsoft 365, Teams, Intune, Windows Virtual Desktop, and many more.

Clearly, there are a lot of variables to consider when pursuing CMMC compliance. Microsoft’s goal is to give organizations confidence as they get going on their CMMC journeys by simplifying some of these steps. We encourage DIB vendors to start on this journey early and to work with an advisor who understands the technology being used.

Additionally, as you start to look at specific requirements, consider using a comprehensive platform-based approach rather than a portfolio approach: you will be able to streamline more easily and get down to fewer vendors. This strategy not only saves time and money, but it is also better integrated, with more holistic coverage of CMMC practices, while giving organizations a unified approach to enhanced security, such as with Zero Trust concepts. A platform approach can also help you reduce the complexity of your system boundaries by giving you the ability to leverage first-party services to achieve compliance requirements.

For more information on how Microsoft can help you accelerate your CMMC journey, please visit our CMMC page and watch this recent webinar.

Copyright © 2022 IDG Communications, Inc.