For many Defense Industrial Base (DIB) Organizations Seeking Certification (OSCs), the path to achieving a CMMC certification could consist of constructing a completely new IT environment or reconstructing an existing one. If executed improperly, choosing a technical design for CMMC 2.0 compliance can prove to be costly for the organization in both resources and desired outcomes. In this blog, we're going to answer this question - based on your data flow and asset inventory, what technical solutions can you adopt to become CMMC 2.0 compliant?
As the makeup of information systems trends towards virtualization, many small-medium sized contractors are choosing to stand up information systems in the cloud instead of on-premises. Opting for SaaS, PaaS, and IaaS solutions in favor of the traditional on-premises infrastructure is a healthy approach because of lower overhead costs and the ability to save money in the long run; however, this decision is often made without appropriate considerations. Aerospace and defense contractors should be asking themselves as well as their cloud providers the following questions:
- Does this cloud solution adhere to my contractual requirements?
- Does this solution provide the necessary protections for my applicable assets?
- Is my cloud provider and/or cloud application compliant?
DFARS 7012 and The Cloud
Spoiler alert: if an organization has a prime contract with the Department of Defense (DoD) and Controlled Unclassified Information (CUI) is involved, then it currently has a DFARS 252.204-7012 contractual clause. If you are a subcontractor to the prime on the contract, DFARS 7012 Paragraph M specifies these requirements are to be flowed down to you via the subcontracting agreement. This means that in addition to meeting security requirements for the information system (NIST SP 800-171), the organization must also only acquire Cloud Service Offerings (CSOs) that:
- Are authorized at the FedRAMP Moderate security baseline or demonstrate equivalency to an authorized 3rd Party Assessment Organization (3PAO) as per DFARS 7012 Paragraph B.
- Can meet the incident response, incident reporting, malicious software, media preservation, forensic analysis, and after-action capabilities dictated by DFARS 7012 Paragraphs C-G.
For the most part, these are the blueprint requirements any organization contracting with the government should follow when purchasing a CSO. If companies have identified that the contract language and data handled by the organization have additional safeguarding and distribution requirements (ITAR/EAR, NOFORN, etc.), then the organization will be required to purchase a CSO capable of meeting those requirements in addition to the baselines established via DFARS 7012.
What is FedRAMP and Why Does It matter?
The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP Moderate security baseline consists of 325 security and privacy controls which an organization must not only implement but be assessed against in order to obtain their FedRAMP authorization. The moderate baseline is designed to protect data that is not considered publicly available, such as the case with (CUI). Over 80% of all FedRAMP-authorized CSOs have been authorized to the moderate security baseline.
Some of the Cloud Service Offerings that meet this criterion can be found on the FedRAMP Marketplace.
Many cloud application vendors are under the impression that since their application is hosted in Azure Government or AWS Government that it, by proxy, makes their full application FedRAMP compliant too - this is an incorrect assumption. The organization’s application also needs to go through the FedRAMP approval process and be officially listed in the FedRAMP marketplace.
In order to meet DFARS 7012 requirements of FedRAMP Moderate equivalent, they will need to have a 3PAO (FedRAMP Assessor) verify they have met the requirements, and in turn, be able to show Cyber AB C3PAOs how they are meeting those requirements.
One more point of clarity: a FedRAMP “3PAO” and a Cyber AB "C3PAO" are not the same thing.
Types of CUI and your CSOs
The DoD CUI program was designed to provide safeguarding measures for all CUI. In total, there are 125 categories of CUI found in the NARA CUI Registry, with many of them adequately protected by a CSO capable of meeting DFARS 7012 requirements. There are, however, a few sub-categories that require additional safeguards to be put in place by the organization.
Export Controlled Data (ITAR) and CMMC
One of the specified CUI types that DIB contractors may handle is export-controlled (CUI//SP-EXPT); data related to International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR) are classified as types of export-controlled specified CUI. When these types of data are present in the information system, the organization must select a CSO that allows the organization to control the physical locations in which the data is stored and limit the exposure of data to only US citizens.
Most companies with ITAR data will have the requirement called out in a contract with either a Prime Contractor or in a contract with the US Government itself. Beyond that, if you have anything to do with any item, technical data or content on this list, you need to be ITAR compliant.
Paragraph b in 7012 requires that contractors maintain adequate security to their information cloud services- adequate security being defined as a FedRAMP moderate authorization or equivalent. Because the Google Cloud Platform has a FedRAMP High Authorization, it exceeds the requirements to satisfy this paragraph of the requirement. While the official Google Cloud compliance documentation states that Google can satisfy the requirements surrounding ITAR/EAR, there are caveats and dependencies associated with their ability to be compliant for DoD contractors. It is dependent on the deployment of assured workloads.
Without deploying Google Assured Workloads, an organization is incapable of fulfilling the remaining paragraphs defined in 7012. Assured workloads are the only way organizations can receive the benefits of the Google DoD Impact Level 4 (IL4) authorization. These missing benefits are required to fulfill the incident response, incident reporting, malicious software, media preservation, and forensic analysis requirements found in paragraphs c-g of the DFARS 7012 clause.
Is Google Workspace CMMC / NIST 800-171 compliant?
Google has obtained a letter of attestation for NIST 800-171 requirements from an authorized 3rd Party Assessment organization (3pAO) to verify the platform's ability to operate within the compliance requirements found within NIST 800-171. Satisfying CMMC 2.0 / NIST 800-171 requirements with Google Workspace is possible but is dependent on the organization's ability to compensate for the identified control deficiencies listed in this blog.
Amazon Web Services (AWS)
Like the Google Cloud Platform, the AWS compliance programs documentation provides indirect clarity into the platform's ability to adhere to the DFARS paragraph c-g requirements. Instead, an analysis is required to understand how AWS GovCloud services adhere to DFARS 7012 requirements. The answer is in the AWS GovCloud’s DoD Impact Level 5 (IL5) authorization. This authorization ensures the platform's fulfillment of the c-g requirements in 7012. AWS's FedRAMP High Provisional Authorization To Operate (P-ATO) allows the platform to adhere to the adequate security requirements found in paragraph b of 7012.
Organizations that leverage AWS GovCloud can also fulfill their ITAR and EAR restrictions; this is mainly because AWS GovCloud data centers are managed solely by vetted US Citizens, accessible only to vetted root account holders who are US Persons and are logically and physically isolated to the United States. Organizations can reference the documentation associated with AWS FedRAMP Compliance to better understand their inherited or shared responsibility for the requirements associated with DFARS 7012 and ITAR/EAR data.
Is Amazon Web Services (AWS) CMMC / NIST 800-171 compliant?
The AWS GovCloud (US) platform can be leveraged by an organization to satisfy CMMC 2.0 requirements as well as the data sovereignty and restricted access requirements for export-controlled data. However, unlike Google Workspace, the AWS compliance programs documentation provides no direct clarity into the platform's ability to adhere to the DFARS paragraph c-g requirements so organizations should use extreme caution with this approach to compliance requirements.
Microsoft 365 Government Community Cloud (GCC and GCC High)
Cloud service offerings hosted in the Microsoft Government Community Cloud provide organizations with two options to leverage to meet DFARS 7012 and/or export controls. Contrary to its name, the Government Community Cloud (GCC) operates as a part of the Microsoft Commercial Cloud. However, for organizations that need to meet DFARS 7012 requirements and that do not have export controls to adhere to, Microsoft 365 GCC is a viable solution. The GCC cloud platform does in fact meet paragraphs b and c-g of DFARS 7012.
Do I Need GCC High For CMMC 2.0?
For DIB organizations with DFARS 7012 contractual requirements AND export control restrictions (ITAR), the Microsoft Government Community Cloud High (GCC High) platform is the CSO for you. The video below, and this blog, provide information that can be used by the organization when deciding if they need GCC or GCC high for CMMC compliance.
Is Microsoft 365 Government Community Cloud (GCC & GCC High) CMMC / NIST 800-171 compliant?
Yes - Microsoft Government is CMMC/NIST 800-171 compliant and is the platform of choice from the majority of the Defense Industrial Base. Since the initial Government Community Cloud (GCC) offerings launched, Microsoft has prescribed Microsoft 365 GCC High for NIST 800-171 and DFARS 7012 compliance and continues to highly encourage businesses to use GCC High if they are looking to meet CMMC 2.0.
Because Microsoft 365 Governement Cloud is the most popular option for CMMC, this series will focus on achieving compliance with M365 GCC & GCC High.
Migrating To The Right Infrastructure
The migration of an organization's infrastructure to the cloud offers many benefits. Cloud services offer the organization workforce agility, service availability, and resource scalability that is unrivaled. It is the responsibility of the organization to deploy secure mechanisms that satisfy compliance requirements when scoping. Depending on the extent of CUI data interacting with assets on the information system, the organization is presented with two options for migration:
- Full Migration (Lift & Shift)
- Partial Migration (Enclave)
Performing a Lift & Shift
The name “Lift & Shift” leaves very little to the imagination. It is what the name says, a lift of your existing infrastructure, and a shift into a virtualized / compliant infrastructure. Because of the widespread CUI data flow, the organization must be able to extend the security benefits of their CSO to all assets in their information system deemed to be “in scope”.
When performing a Lift & Shift migration, it is important for the organization to ensure the shift taking place is happening on a compliant platform, such as Microsoft GCC or GCC High. Compliant platforms offer collaboration and security features that provide cost-effective options to the organization. These features will be essential in properly securing your entire information system.
Here are some questions for consideration when evaluating a Lift and Shift migration:
- Does the new platform not only meet DFARS 7012 from a cloud provider position but also allow you to maximize your deploying NIST 800-171 / CMMC Level 2 controls?
- Promote secure Cloud Collaboration (Identify Management, Email, File, Data)
- Enable Endpoint Management (mobile/laptop/desktop/windows/mac)
- Support on-premises and virtual server infrastructure / Backups / DR
In some Lift & Shift environments, network hardware such as routers, firewalls, and switches may still be present. Any remaining physical assets which will store, process, or transmit CUI are in scope. This physical hardware is required to have capabilities to protect data at rest and in transit, as well as any internal and external connections to resources (Wireless access, VPN) with solutions that are validated by the CRYPTOGRAPHIC MODULE VALIDATION PROGRAM (CMVP) for FIPS 140-2 encryption.
Implementing a Cloud Enclave
When performing “Lift & Shift” security measures and implemented solutions must extend to the entire information system because that’s what the data flow dictates. But, what's the solution for organizations where the flow of CUI data is limited to an isolated portion of the information system?
Cloud enclaves are cloud-based, stand-alone information systems that provide a software-defined perimeter around their included resources. Organizations who confirm limited CUI data flow exposure on their information system can choose this method to avert workload constraints associated with the full infrastructure migration of a Lift & Shift.
Organizations that elect to set up a cloud enclave to meet their compliance requirements would still be responsible for ensuring the appropriate security implementations take place in a much smaller environment. For example, an organization has 175 users and the infrastructure to support the business needs, but only 10 of those 75 users interact with CUI.
The more cost-effective approach for the organization would be to spin up a segmented cloud instance specifically designed for the migration of the limited subset of assets interacting with CUI. To take it a step further, the organization can cut user endpoints out of the equation by establishing an enclave where users are granted access to a virtual desktop, facilitating access to the file shares and other assets interacting with CUI.
How To Choose a Technical Design For CMMC
Ultimately, it is the applicable contract clause and data protection requirements that will dictate the cloud service provider's ability to meet requirements. The organization's CMMC assessment scope should be used to guide the selection of an appropriate technical design.
If sensitive data only flows to a small representation of your information system and can be easily isolated, then the cloud enclave could be an ideal solution. However, if there is a large percentage of assets discovered to be within the CMMC assessment scope, the enclave approach should not be considered, and could potentially do more harm than good.
In Step 5 of the series, 7 Steps to CMMC Compliance, we will learn how to implement Microsoft Government for CMMC. Continue to the next step: Step 5: Implementing Microsoft Government for CMMC