Does your organization do business with the Department of Defense (DoD) and process, store, or transmit Controlled Unclassified Information (CUI)? If so, you probably rushed to create documentation to self-attest NIST SP 800-171 compliance when DoD issued the Defense Federal Acquisitions Regulations System (DFARS) 252.204-7012 back in 2017 to protect CUI confidentiality.
Things are different now, with the introduction of the Cybersecurity Maturity Model Certification (CMMC) in January 2020 (cue warning music). This new program just changed the calculus for about 350,000 businesses that deal with the DoD in every aspect—from supply chain to cybersecurity. Although the CMMC security requirements are not that different from 800-171 (in fact, all 110 requirements are included in CMMC Level 3, verbatim), CMMC introduces a few new things, including the need for a pre-award validation of CMMC compliance using an accredited independent auditor. Uh-oh! You are also required to show you are compliant with DFARS clause 252.204-7012, which includes implementing additional requirements related to incident reporting and forensics, commonly referred to as clauses (C)–(G).
That, of course, creates a whole new set of challenges for businesses that will have to comply by October 2020, according to DoD’s current projections.
As of this date, the CMMC Accreditation Board (AB) has not announced accreditation guidelines for how to become one of those auditors—called a C3PAO—so no such auditors exist. In the meantime, numerous defense industrial base (DIB) vendors are looking for clarity, anxious about the change and eager to get ready for the new reality. Here are some main issues that DIB vendors will face in their efforts to achieve CMMC accreditation.
One huge challenge is related to DIB vendors’ widespread use of Microsoft Office 365. Most, if not all, use Microsoft Office 365 Commercial: they built a SharePoint library, set up a OneDrive, and of course, have Outlook for email correspondence. Although some vendors may have implemented access controls restrictions, the reality is they likely washed their hands of dealing with security, checked the Yes box in their contracts asking if they were 800-171 compliant, and went on with the rest of their merry lives. Life was good back then, easier, simpler … But Microsoft is not the magic wand DIB vendors can wave to achieve CMMC. Keep on reading; I’ll explain why.
What Microsoft services are compliant with 800-171, DFARS, and the eventual CMMC program?
If you are an organization that processes, stores, or transmits CUI and has DFARS 7012 requirements in your contract with the DoD, can you use Microsoft Office 365 Commercial and/or Azure Commercial? The answer is: No. Period. End of story.
What about Microsoft Office 365 Government Community Cloud (GCC)? That has to be okay, right? Again, no. Period. End of story.
So what gives? Microsoft Office 365 Commercial (and the GCC enclave) and Azure Commercial are FedRAMP accredited at the moderate level, which more than meets the requirements of CMMC Level 3, and most, if not all, requirements of Levels 4 and 5 as well.
The issue is not whether these services are secure, it’s whether they are compliant! And DFARS clauses (C)–(G) are the fly in the ointment. Those clauses require that in the event of an incident, an organization must provide DoD with an elevated look into its systems/network. To be fair, most of those clauses can be met with a decent Incident Response program, but there is one clause in particular that is very tricky: the quiet, tiny, unassuming clause (E):
Media preservation and protection – When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
And therein lies the challenge: Microsoft Office 365 Commercial (including the GCC enclave) and Azure Commercial will not contractually agree to DFARS clause 7012. Your organization can jump through hoops, but nothing can be done to make your commercial Microsoft environment compliant with DFARS clause 7012. Instead, you are required to use Microsoft Azure Government and/or Office 365 GCC High services to meet that one very nuanced specific requirement.
If you chose Microsoft Azure Government and/or Office 365 GCC High services, Microsoft will agree to sign a contractual agreement to meet the DFARS clauses.
Does this solve the problem? Not quite. I see two sticky issues.
These services are more expensive than the commercial versions, and all vendors currently using Commercial Office 365 and Azure will have to dig deeper into their pockets to pay for an elevated compliant CMMC service.
Microsoft Azure Government and/or Office 365 GCC High are reserved services for the federal government and its contractors to work with CUI and other sensitive data. To ensure that the services are used only for that, Microsoft has a validation program (see Microsoft Validation Program) that validates organizations wishing to use these services to process, store, and/or transmit government data.
The first bullet point is not ideal, but it’s not the end of the world. Yes, it’s more expensive, but with some proper scoping your organization can control those costs by including only the absolutely necessary pieces of your environment that handle CUI.
The second bullet point represents a bigger issue: How to get validated for the Microsoft Azure Government and/or Office 365 GCC High.
Rock on for those vendors that have a current federal government contract. They can go through the validation program, spend a few hours configuring their systems using these services, and BOOM! Compliant. Just. Like. That. (Admittedly, it might not be THAT easy, but it can definitely be done, and if you need help, a compliance assessor can assist you. So that’s all well and good for those vendors. But what about vendors that don’t have current DoD contracts; that don’t currently store, process, and/or transmit CUI but are seeking to do business with the DoD? How can these vendors get validated for the use of Microsoft Azure Government and/or Office 365 GCC High? There seems to be a crater-sized hole on their path if they want to be proactive and acquire the CMMC compliant environments.
If you are thinking that this next paragraph is going to start with a majestic, grandiose solution to the problem posed above, I hate to disappoint. It is a real problem. And it is something the CMMC program needs to take the torch and illuminate the way forward on this compliance issue.
However, I do have one suggestion: to have CMMC create a mapping of allowable Microsoft services to certain Levels. This might simplify the path for organizations to be CMMC Level x accredited by stating the specific Microsoft services by name and defining the path for non-DoD vendors. That would also help C3PAOs prepare for assessments, guide clients and recommend compliant solutions that ensures their success. Ultimately, it will just make everyone’s life easier. And that’s never a bad thing.
Otherwise, the Microsoft validation program will be another sticking point, with no current easy path for new vendors to pursue compliance prior to being awarded a DoD contract. The classic chicken and the egg paradox.
In the meantime, while the industry awaits clarity on these requirements, I strongly suggest that this is the time to prepare as much as possible for what’s coming. A great start is to perform a gap analysis on all other aspects of your organization’s compliance requirements for the CMMC Level you hope to achieve.
I want to give a shout out to Microsoft’s incredible team and their vast knowledge and expertise in all things compliance! Richard Wakeman, a senior director at Microsoft, wrote an excellent blog brilliantly breaking down compliance in Office 365 environments: