Skip to main content
Microsoft Security

How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud

In 2020, the US Department of Defense (DoD) began the phased rollout of a new framework for protecting their supply chain, known as the defense industrial base (DIB). This new Cybersecurity Maturity Model Certification1 (CMMC) system requires regular audits that will bolster the security of the DIB, which comprises approximately 350,000 commercial companies producing everything from Abrams tanks, satellites, and Reaper drones down to laptop computers, uniforms, food rations, medical supplies, and much more.

It’s no secret why the DoD would want to tighten security on its supply chain. According to DoD officials, organizations in the DIB are under constant attack both from nation-states and rogue actors seeking sensitive information (like weapon systems designs). Any breach of a DIB contractor not only poses a risk to national security but also results in a significant loss to US taxpayers. According to a 2021 report by CyberSecurity Ventures2, it’s estimated that cybercrime will cost businesses worldwide $10.5 trillion annually by 2025. Coincidentally, 2025 is the year every business in the DIB will be required to show compliance with CMMC if they want to continue doing business with the Pentagon. Learn more about Microsoft’s CMMC Acceleration Program and leverage these resources to get started on your compliance journey.

How does CMMC work?

While the CMMC Interim Rule allows companies to attest to their compliance with NIST 800-171, the ability to self-attest will eventually be retired. Starting in 2021, a phased-in approach will cause DoD contractors to need certification from an independent Certified Third-Party Assessor Organization (C3PAO). Certification provides the DoD with the assurance that a contractor (prime or sub) can be trusted to store Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC model is created and managed by the DoD and confers a cybersecurity “maturity”—the efficacy of process and automation of practices—ranging from “basic” to “advanced.”

Far from being a one-and-done checkbox, CMMC compliance is ongoing and must be re-assessed every three years.

The five levels of CMMC.

Figure 1: The five levels of CMMC.

Levels 2 and 4 are considered transitional; it’s not expected that contracts will require them.

In September 2021, the DoD will be overseeing 75 pilot contracts adhering to CMMC. By the same time in 2023, that number will reach 250, then up to 479 pilot contracts in 2024. By October 2025, every business in the DIB must be compliant with CMMC.

Microsoft knows compliance

Microsoft has been doing business with the DoD for four decades. Of the 350,000 companies in the DIB, 80 percent are small-to-medium-sized businesses (SMB). So, whether you’re a prime contractor working directly with the DoD, or a smaller subcontractor, Microsoft Office 365 Government plans can provide your business with all the features of Office 365 you expect—but in a segmented government community cloud (GCC). Plus, Microsoft lightens the burden of compliance by encrypting your data and enforcing strict access controls for employees, vendors, and subcontractors.

Microsoft Office 365 Government – GCC High is a sovereign cloud platform located in the Contiguous US (CONUS) that complies with US government requirements for cloud services. Office 365 Government – GCC High is designed specifically for use by the DoD and DIB, requiring that organizations be validated before they can deploy to this cloud. Along with all the expected features and capabilities of Office 365, deploying to GCC High ensures:

Microsoft Azure Government is a sovereign CONUS cloud platform that also offers hybrid flexibility—customers can maintain some data and functionality on-premises while enabling the broadest level of certifications of any cloud provider. Only US federal, state, local, and tribal governments and their partners have access to this dedicated instance, with operations controlled only by screened US citizens.

Comparison chart of Microsoft Commercial, M365 GCC, and M365 GCC High.

Figure 2: Microsoft 365 Government + Azure Government compliance.

Though different cloud platforms may have a level of cybersecurity maturity in alignment with CMMC, Microsoft recommends the US Sovereign Cloud with Azure Government and Microsoft 365 Government – GCC High in alignment with CMMC Levels 3 through 5. Microsoft Consulting Services can help you decide on the right platform to enable CMMC compliance for your organization.

Microsoft CMMC Acceleration Program

To help speed your journey to CMMC compliance, our CMMC Acceleration Program provides resources for partners and DIB companies alike. Our goal is to provide a baseline framework that can help close the gap for compliance of infrastructure, applications, and services hosted in Microsoft Azure, Microsoft 365, and Microsoft Dynamics 365. We work with partners and customers to help them mitigate risks and assist tenants with their shared customer responsibility, as well as provide solutions for assessment and certification.

Recent updates to Microsoft CMMC Acceleration Program include:

No provider can guarantee a positive adjudication, but Microsoft’s CMMC Acceleration Program can help improve your CMMC posture going into a formal review in accordance with CMMC Accreditation Body (AB) standards.

Zero Trust is key to CMMC

Microsoft is experienced in facilitating Zero Trust architectures in federal frameworks, a concept that’s critical to preventing attackers from elevating access within your environment. Zero Trust is built around three basic principles: verify, based on all available data points; use least-privileged access with just-in-time and just-enough-access (JIT/JEA); and assume breach to minimize blast radius and prevent lateral movement. Microsoft employs several references for implementing Zero Trust in federal information systems, including the National Institute of Standards and Technology (NIST) SP 800-207, Trusted Internet Connections (TIC) 3.0, and Continuous Diagnostics and Mitigation (CDM). We view these principles as technology-agnostic and apply them across endpoints, on-premises systems, cloud platforms, and operational technology (OT).

The Azure Sentinel: Zero Trust (TIC 3.0) Workbook provides an overlay of Microsoft security offerings onto Zero Trust models, enabling security analysts and managed security service providers (MSSPs) to gain awareness of their cloud security posture. This workbook features more than 76 control cards aligned to TIC 3.0 security capabilities and can augment security operations center (SOC) efforts through automation, AI, machine learning, query/alerting, visualizations, tailored recommendations, and documentation references. Each panel aligns to a specific control, providing an actionable path to help cover gaps and improve alerting, even incorporating third-party security solutions.

If your organization is interested in pursuing contracts with the DoD or its suppliers, it’s in your interest to be proactive about cybersecurity maturity. To learn more about how Microsoft can help your organization improve your compliance standing, visit our new CMMC homepage.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1Cybersecurity Maturity Model Certification, CMMC Accreditation Body.

22021 Report: Cyberwarfare in the C-Suite, Cybersecurity Ventures, 21 January 2021.