Navigating CMMC Compliance Requirements with Microsoft

Randy Armknecht

Managing Director - Business Platform Transformation

Kristi Gilliat

Director - Security and Privacy


For organizations doing business with the United States’ Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) is a hot topic of conversation. CMMC ensures that DoD contractors and subcontractors implement robust cybersecurity measures to protect sensitive information, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), from cyber threats, while setting rigorous standards for data protection.

Making sense of the complex requirements

CMMC program requirements apply to all DoD solicitations and contracts for which a defense contractor or subcontractor will process, store or transmit FCI or CUI on its unclassified contractor information systems. The CMMC model defines streamlined levels of compliance:

  • Level 1 (Foundational): Focuses on basic cybersecurity hygiene practices.
  • Level 2 (Advanced): Aligns with NIST SP 800-171 standards and includes 110 security practices.
  • Level 3 (Expert): Targets the most security-conscious contractors and aligns with NIST SP 800-171 plus 24 additional controls from NIST SP 800-172.

Recent CMMC updates have focused on Supplier Performance Risk System (SPRS) scoring and on how contractors demonstrate that they meet their respective level requirements. For the least risky organizations, Level 1 is a simple met or not met status. Levels 2 and 3, however, are more complex, and we suggest that any organization required to obtain these maturity levels begin now to establish a technical boundary that simplifies how data is managed and governed, both within the organization and across its contractors.

The steps below outline how Protiviti best assists clients with compliance preparation.

Build an enclave/architecture with Microsoft tools

In a recent webinar Protiviti conducted with Microsoft, we discussed our approach to helping organizations confidently prepare to meet evolving CMMC requirements. We know that the most common errors companies make are often not related to their technologies but to the processes wrapped around those technologies.

The common areas of failure we see range from properly marking CUI to encrypting CUI with FIPS-validated cryptography (FIPS 140-1 and 140-2). Implementation of multifactor authentication (MFA) is a showstopper control, but it is also, fortunately, a non-issue for most. We also see organizations neglecting system security plans (SSP) with boundary definitions, and failing to plan for the 180 days allowed to remediate POA&M items, which is critical to maintaining compliance. Deadlines are more stringent now; the prior, more generous, three-year remediation windows are a thing of the past.

To minimize disruption of the existing environment, we typically recommend building an enclave: a targeted environment designed to present the smallest footprint possible, which means the smallest possible attack surface and the most efficient environment to manage. In its ideal state, the enclave handles all of the organization’s CUI and is not tied to any other infrastructure within the organization’s current environment. This new environment provides a well-defined boundary. Microsoft cloud-based solutions, including Microsoft 365 Government Community Cloud High (GCC High), Azure Government, and the Microsoft Defender suite, are all tailored to meet the stringent requirements of CMMC compliance, which streamlines the stand-up and operation of an enclave.

Understanding the organization’s business processes and what employees do day-to-day is key to making good decisions in designing the enclave.

Security readiness

Through our CMMC compliance work, we’ve developed a set of foundational practices around kickstarting your security readiness. These factors are critical to consider and implement when making architectural design decisions. Foundational practices include:

  • Leverage Azure policy from the start and revisit with each deployment, even during the early builds.
  • Communicate with application and system architects about the reduced availability of services within Azure Gov versus Azure Commercial and their impact on any custom developed applications.
  • Validate that every Azure service planned to be consumed is available in the targeted Azure region, as well as Azure Gov.
  • Validate that every third-party security integration is current on the FedRAMP marketplace.
  • Enforce role-based access control (RBAC) early in the enclave development to prevent rework when other teams “fix” their inability to do something due to a newly implemented control.
  • Third-party tools for EDR/IPS/WF/DLP, etc. should go through rigorous evaluation to ensure compatibility with Azure Gov, the organization’s compliance requirements and the expected use cases.
  • Design workloads using composable architecture so that components may be updated in small, reversible increments.

Additionally, when building a new environment, encode data classification and other attributes in resource tags from the outset, so that Zero Trust elements are easier to incorporate and the organization avoids repeating past errors.
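The two practices above, applying Azure Policy from the first deployment and carrying data classification in tags, can be combined in a single custom policy definition. The following is an added illustration, not Protiviti's or Microsoft's own policy; the tag name DataClassification, the allowed values CUI, FCI and Public, and the display text are assumptions chosen for this example.

```json
{
  "properties": {
    "displayName": "Require a DataClassification tag with an approved value",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Illustrative example, not an official policy. Denies creation or update of a taggable resource unless the classification tag is present and holds an approved value, so untagged data cannot enter the enclave unnoticed.",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Tag that carries the data classification (assumed name)"
        },
        "defaultValue": "DataClassification"
      },
      "allowedValues": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed classifications",
          "description": "Classification labels accepted in this enclave (assumed values)"
        },
        "defaultValue": [ "CUI", "FCI", "Public" ]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notIn": "[parameters('allowedValues')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assign the definition at the enclave's management group or subscription scope; starting with the Audit effect surfaces existing untagged resources before switching to Deny, which avoids the rework described in the RBAC point above.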

Achieving CMMC compliance can feel daunting, but we believe leveraging Microsoft’s cloud-based solutions simplifies the path to achieving and maintaining compliance, enabling any organization functioning as a government contractor to focus on the core mission of supporting national defense.

To learn more about CMMC and our Microsoft consulting services, contact us.

Authors

Randy Armknecht

Randy Armknecht is a Managing Director currently leading the Global Cloud Engineering practice within Enterprise Cloud....

Kristi Gilliat

As a risk professional with more than 20 years of experience, Kristi has focused her career on security risk and...
