In 2020, the US Department of Defense (DoD) began the phased rollout of a new framework for protecting their supply chain, known as the defense industrial base (DIB). This new Cybersecurity Maturity Model Certification1 (CMMC) system requires regular audits that will bolster the security of the DIB, which comprises approximately 350,000 commercial companies producing everything from Abrams tanks, satellites, and Reaper drones down to laptop computers, uniforms, food rations, medical supplies, and much more.
It’s no secret why the DoD would want to tighten security on its supply chain. According to DoD officials, organizations in the DIB are under constant attack both from nation-states and rogue actors seeking sensitive information (like weapon systems designs). Any breach of a DIB contractor not only poses a risk to national security but also results in a significant loss to US taxpayers. According to a 2021 report by CyberSecurity Ventures2, it’s estimated that cybercrime will cost businesses worldwide $10.5 trillion annually by 2025. Coincidentally, 2025 is the year every business in the DIB will be required to show compliance with CMMC if they want to continue doing business with the Pentagon. Learn more about Microsoft’s CMMC Acceleration Program and leverage these resources to get started on your compliance journey.
How does CMMC work?
While the CMMC Interim Rule allows companies to attest to their compliance with NIST 800-171, the ability to self-attest will eventually be retired. Starting in 2021, a phased-in approach will cause DoD contractors to need certification from an independent Certified Third-Party Assessor Organization (C3PAO). Certification provides the DoD with the assurance that a contractor (prime or sub) can be trusted to store Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC model is created and managed by the DoD and confers a cybersecurity “maturity”—the efficacy of process and automation of practices—ranging from “basic” to “advanced.”
Far from being a one-and-done checkbox, CMMC compliance is ongoing and must be re-assessed every three years.
Figure 1: The five levels of CMMC.
- Level 1 certification primarily involves people and processes and is required for any company that deals with FCI not intended for public release. Most DIB suppliers will land in this category. Level 1 aligns best with commercial clouds.
- Level 3 is required for any company that handles CUI or is bound by International Trade in Arms Regulations (ITAR)—roughly 50,000 DIB contractors. However, market pressure may see some companies certify to Level 3 just for a competitive edge. Level 3 aligns best with government clouds.
- Level 5 is required for only a small segment of DIB contractors that are most likely to be targeted by advanced persistent threats (APT) and nation-state activity. Level 5 aligns best with government clouds.
Levels 2 and 4 are considered transitional; it’s not expected that contracts will require them.
In September 2021, the DoD will be overseeing 75 pilot contracts adhering to CMMC. By the same time in 2023, that number will reach 250, then up to 479 pilot contracts in 2024. By October 2025, every business in the DIB must be compliant with CMMC.
Microsoft knows compliance
Microsoft has been doing business with the DoD for four decades. Of the 350,000 companies in the DIB, 80 percent are small-to-medium-sized businesses (SMB). So, whether you’re a prime contractor working directly with the DoD, or a smaller subcontractor, Microsoft Office 365 Government plans can provide your business with all the features of Office 365 you expect—but in a segmented government community cloud (GCC). Plus, Microsoft lightens the burden of compliance by encrypting your data and enforcing strict access controls for employees, vendors, and subcontractors.
Microsoft Office 365 Government – GCC High is a sovereign cloud platform located in the Contiguous US (CONUS) that complies with US government requirements for cloud services. Office 365 Government – GCC High is designed specifically for use by the DoD and DIB, requiring that organizations be validated before they can deploy to this cloud. Along with all the expected features and capabilities of Office 365, deploying to GCC High ensures:
- Your content is logically segregated from customer content in commercial Office 365 services.
- Your organization’s content is stored within the US.
- Access to DIB content is restricted to screened Microsoft personnel who have passed rigorous background checks.
- Your cloud deployment complies with certifications and accreditations that are required for US public sector customers.
Microsoft Azure Government is a sovereign CONUS cloud platform that also offers hybrid flexibility—customers can maintain some data and functionality on-premises while enabling the broadest level of certifications of any cloud provider. Only US federal, state, local, and tribal governments and their partners have access to this dedicated instance, with operations controlled only by screened US citizens.
Figure 2: Microsoft 365 Government + Azure Government compliance.
Though different cloud platforms may have a level of cybersecurity maturity in alignment with CMMC, Microsoft recommends the US Sovereign Cloud with Azure Government and Microsoft 365 Government – GCC High in alignment with CMMC Levels 3 through 5. Microsoft Consulting Services can help you decide on the right platform to enable CMMC compliance for your organization.
Microsoft CMMC Acceleration Program
To help speed your journey to CMMC compliance, our CMMC Acceleration Program provides resources for partners and DIB companies alike. Our goal is to provide a baseline framework that can help close the gap for compliance of infrastructure, applications, and services hosted in Microsoft Azure, Microsoft 365, and Microsoft Dynamics 365. We work with partners and customers to help them mitigate risks and assist tenants with their shared customer responsibility, as well as provide solutions for assessment and certification.
Recent updates to Microsoft CMMC Acceleration Program include:
- Microsoft Product Placemat for CMMC: an interactive view representing how Microsoft cloud products and services satisfy requirements for CMMC practices.
- Azure Sentinel CMMC Workbook: provides a mechanism for viewing Microsoft Azure Sentinel log queries from across your Azure environment—Office 365, Teams, Intune, Windows Virtual Desktop, and more—helping you gain better visibility into your cloud architecture while reinforcing CMMC principles across all five maturity levels.
- Compliance Manager available in commercial and government cloud environments: helps organizations manage CMMC compliance requirements with greater ease and convenience, from taking inventory of data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
- Azure Policy and blueprint sample for CMMC Level 3: Azure Policy and Azure Blueprints allow organizations to easily establish compliant environments via a centrally managed policy initiative. This helps avoid misconfigurations while practicing consistent resource governance.
- Quickly deploy DoD STIG-compliant images and visualize compliance using Azure: Security Technical Implementation Guides (STIGs) are secure configuration standards for installation and maintenance of DoD Information Assurance (IA)-enabled devices and systems. The Azure team has created sample solutions using first-party Azure tooling to deliver STIG automation and compliance reporting. Use these quickstart resources.
- Azure Blueprint for Azure Security Benchmark Foundation: enables developers and security administrators to create hardened environments for their application workloads, helping to implement Zero Trust controls across identities, devices, applications, data, infrastructure, and networks.
No provider can guarantee a positive adjudication, but Microsoft’s CMMC Acceleration Program can help improve your CMMC posture going into a formal review in accordance with CMMC Accreditation Body (AB) standards.
Zero Trust is key to CMMC
Microsoft is experienced in facilitating Zero Trust architectures in federal frameworks, a concept that’s critical to preventing attackers from elevating access within your environment. Zero Trust is built around three basic principles: verify, based on all available data points; use least-privileged access with just-in-time and just-enough-access (JIT/JEA); and assume breach to minimize blast radius and prevent lateral movement. Microsoft employs several references for implementing Zero Trust in federal information systems, including the National Institute of Standards and Technology (NIST) SP 800-207, Trusted Internet Connections (TIC) 3.0, and Continuous Diagnostics and Mitigation (CDM). We view these principles as technology-agnostic and apply them across endpoints, on-premises systems, cloud platforms, and operational technology (OT).
The Azure Sentinel: Zero Trust (TIC 3.0) Workbook provides an overlay of Microsoft security offerings onto Zero Trust models, enabling security analysts and managed security service providers (MSSPs) to gain awareness of their cloud security posture. This workbook features more than 76 control cards aligned to TIC 3.0 security capabilities and can augment security operations center (SOC) efforts through automation, AI, machine learning, query/alerting, visualizations, tailored recommendations, and documentation references. Each panel aligns to a specific control, providing an actionable path to help cover gaps and improve alerting, even incorporating third-party security solutions.
If your organization is interested in pursuing contracts with the DoD or its suppliers, it’s in your interest to be proactive about cybersecurity maturity. To learn more about how Microsoft can help your organization improve your compliance standing, visit our new CMMC homepage.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Cybersecurity Maturity Model Certification, CMMC Accreditation Body.
22021 Report: Cyberwarfare in the C-Suite, Cybersecurity Ventures, 21 January 2021.