{"id":96012,"date":"2021-08-30T09:00:20","date_gmt":"2021-08-30T16:00:20","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=96012"},"modified":"2023-05-15T23:03:29","modified_gmt":"2023-05-16T06:03:29","slug":"prepare-for-cmmc-compliance-with-microsoft","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/30\/prepare-for-cmmc-compliance-with-microsoft\/","title":{"rendered":"How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud"},"content":{"rendered":"

In 2020, the US Department of Defense (DoD) began the phased rollout of a new framework for protecting their supply chain, known as the defense industrial base (DIB). This new Cybersecurity Maturity Model Certification¹ (CMMC) system requires regular audits that will bolster the security of the DIB, which comprises approximately 350,000 commercial companies producing everything from Abrams tanks, satellites, and Reaper drones down to laptop computers, uniforms, food rations, medical supplies, and much more.

It’s no secret why the DoD would want to tighten security on its supply chain. According to DoD officials, organizations in the DIB are under constant attack both from nation-states and rogue actors seeking sensitive information (like weapon systems designs). Any breach of a DIB contractor not only poses a risk to national security but also results in a significant loss to US taxpayers. According to a 2021 report by Cybersecurity Ventures², it’s estimated that cybercrime will cost businesses worldwide $10.5 trillion annually by 2025. Coincidentally, 2025 is the year every business in the DIB will be required to show compliance with CMMC if they want to continue doing business with the Pentagon. Learn more about Microsoft’s CMMC Acceleration Program and leverage these resources to get started on your compliance journey.

How does CMMC work?

While the CMMC Interim Rule allows companies to attest to their compliance with NIST 800-171, the ability to self-attest will eventually be retired. Starting in 2021, a phased-in approach will require DoD contractors to obtain certification from an independent Certified Third-Party Assessor Organization (C3PAO). Certification provides the DoD with the assurance that a contractor (prime or sub) can be trusted to store Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC model is created and managed by the DoD and confers a cybersecurity “maturity” (the efficacy of process and the automation of practices) ranging from “basic” to “advanced.”

Far from being a one-and-done checkbox, CMMC compliance is ongoing and must be re-assessed every three years.

Figure 1: The five levels of CMMC.