In 2020, the Department of Defense (DoD) introduced new cybersecurity regulations for government contractors. Known as the Cybersecurity Maturity Model Certification (CMMC), this new security standard is making waves in the industry. By 2025, all organizations that work with the federal government must reach a certain level of CMMC compliance to continue bidding on government contracts.
Soon, CMMC compliance will be the price of entry to do business with the government. As one Nextgov reporter puts it, “Contractors of all shapes and sizes are in a tizzy.”
CMMC certification is available in five ascending levels, with the higher levels having more stringent security controls. Achieving the necessary level of certification isn’t an easy process. The CMMC Accreditation Board (CMMC-AB) recommends six months of prep work and roadmap planning before even attempting the certification audit.
While most organizations will need to connect with professional CMMC compliance experts to move forward, we’ll cover some basic guidance and tips in this article to help organizations like yours with the prep work.
68% of contractors believe getting compliant with CMMC quickly will create competitive advantages.
According to a recent CMMC preparation study, 77% of contractors are pursuing a CMMC level three certification. Only 6% are pursuing higher certification levels.
The biggest complication with level three certification is that it requires strict security for Controlled Unclassified Information (CUI). Most public cloud apps aren’t certified to contain that type of information. To reach CMMC level three, part, if not all, of your organization will have to live in a more secure cloud tenant.
Office 365 Government – GCC High is the Microsoft Azure tenant that’s certified to contain CUI. According to Microsoft, “The Office 365 GCC High and DoD environments deliver compliance with Department of Defense Security Requirements Guidelines, Defense Federal Acquisition Regulations Supplement (DFARS) and International Traffic in Arms Regulations (ITAR).”
The pro strategy here is to segregate part of your business — the parts that deal with controlled unclassified information — and keep them locked within a GCC High environment. The rest of the business can live within a commercial tenant with less strict controls.
The reason to divide the workloads like this is twofold. First, GCC High is expensive — there’s no sense paying premium prices for unnecessary levels of security. Second, the tighter controls in GCC High create limitations that inhibit flexibility. Dividing out your workloads is more economical, easier to manage and places less limitations on your business.
71% of very large contractors (more than 1,000 employees) are taking a divisional approach to CMMC preparation, dividing workloads between public and private cloud.
The official CMMC assessments won’t be available until at least early 2022 since many of the assessors are still in training. In the interim, this waiting period is the perfect opportunity for Organizations Seeking Certification (OSCs) to prep in advance.
For example, Insight’s client, Interactive Process Technologies (IPT) Associates is trying to prepare as much as possible now so they’ll have less to worry about when it’s time to perform the official assessment. Using certain tools in the Microsoft stack, we can anticipate what the audit will cover and make improvements now to address any gaps or deficiencies in IPT’s security ecosystem.
There are tools within the Microsoft 365 portfolio that can help you prepare for your CMMC audit. For example, you can complete your own assessments for CMMC levels one, two or three using Microsoft Compliance Manager. Although the assessments aren’t cheap, they’re comprehensive, addressing both the technical side of your environment, as well as your processes and procedures.
You should also leverage Microsoft Secure Score to pinpoint the maturity level of your security. The higher your Secure Score, the stronger your security posture. As you endeavor to get the highest score possible, there are three basic categories to keep in mind: identity, devices and applications. Each plays a crucial role in your security posture. Having things like identity protection, controlled access policies, device compliance, geolocation monitoring, application management and data loss prevention policies will raise your maturity score.
By combining the assessments of Compliance Manager with the rating system in Secure Score, you can get an accurate account of your organization’s security posture. If you can close the gaps identified in your assessments and get yourself a high Secure Score number, you'll be very close to meeting the requirements for CMMC level two.
After using this method for IPT, Chief Operating Officer Jon Katz tells us he’s feeling quite confident now that he has visibility into how his organization’s security measures up. He’s confident IPT will easily reach CMMC level two with these results. While this method sets companies up for CMMC level two success, more is needed for level three certification. In Katz’s case, we'll be moving certain elements of IPT’s business into a GCC High tenant for greater security control.
First, you should find a trusted advisor to serve as your Registered Provider Organization (RPO). The RPO provides consulting expertise to guide organizations toward CMMC compliance. Because an RPO isn’t permitted to provide IT services themselves, they’ll work with an IT partner like Insight to implement all the technologies and services needed to improve your security posture. This could include upgrading and reconfiguring your software applications, devices, policies, protections and whatever else you may need based on the RPO’s guidance.
These changes will have a significant impact on your Secure Score. In IPT's case, the company to us with a Secure Score around 21% to 27%. With the changes we’ve implemented, IPT is now pushing 90%. Hear more about how we did that in this video interview with Katz.
According to the CMMC-AB, getting pre-assessment guidance from an RPO is optional. If your organization is comfortable with CMMC standards, you can jump straight into technology and process improvements with an IT partner like Insight. Or, if your Secure Score is already at a high level and you’re confident in your organization’s current security standing, you could skip straight to the next step — contacting a Certified 3rd Party Assessment Organization (C3PAO) to schedule your assessment.
Of course, you want to be as prepared as possible for your assessment since the process is extensive (and presumably not cheap). The value in having an RPO lies in being set up for success before you begin the audit process.
The process touched on above is still developing. Most assessors are still in training themselves, so it’s hard to say what the final audits will look like or if the process might change in the future. The first official audits won’t be sanctioned until at least the start of 2022, making the remaining months of 2021 the perfect time to get prepared.
Regardless of how everything shakes out with this certification process, the fact of the matter is there’s never been a more crucial time to invest in security and compliance. Maybe more of a concern than just evolving compliance regulations right now is the threat of ransomware. Even if your environments are exclusively in the cloud, that doesn't preclude the ransoming of your SharePoint sites or Office 365 environment. So there’s real value in shoring up your security posture today, regardless of CMMC requirements.