How the cloud can help you become CMMC compliant
Have you been planning to bid on U.S. Department of Defense business, or are you already a DoD contractor? The new Department of Defense Cybersecurity Maturity Model Certification (CMMC) is now in effect, and you’ll need to be compliant in order to be eligible for DoD contracts. If you’ve been putting it off, we’re here to tell you: now’s the time to get started.
The good news is that the cloud can help make CMMC implementation much easier and less costly, with minimal disruption to your business.
What you need to know about CMMC
First off, what exactly is CMMC?
CMMC is a new set of requirements that assess the cybersecurity capabilities of defense contractors in the federal government’s Defense Industrial Base (DIB). All suppliers bidding on DoD contracts will be required to adhere to CMMC specifications, starting with some contracts in 2021 and transitioning to all contracts by 2026.
CMMC is made up of a five-level framework, with each level containing certain required processes and practices. Each level becomes progressively more rigorous based on the sensitivity of the information you handle in the DoD supply chain. Most contractors will be assessed at level one, the least stringent, which requires basic cyber hygiene.
Certification isn’t done by the DoD itself or by the contractor but by third-party assessment organizations called C3PAOs, such as Dixon Hughes Goodman. They will evaluate your technical security controls, processes, documentation, policies and process maturity.
Under CMMC, prime contractors are held accountable for ensuring that appropriate security requirements are met by everyone who is included in their bid – partners, contractors and suppliers. So, if you are a prime contractor, it’s up to you to make sure your subcontractors are compliant. And if you’re a subcontractor, you’ll want to ensure you’re ready so a prime can include you in their contracts.
With CMMC already in effect, there’s no time to waste. You need to be prepared now so you can participate in DoD bids today and in the future.
What are some requirements of CMMC, and how can the cloud help with implementation?
The CMMC framework involves a range of security requirements. Some of these include:
Security Monitoring and Response: Required in Level 3 and above
Not only can security monitoring and response be costly, but it can also be difficult to implement and maintain – particularly in a traditional, on-premises IT environment. Cloud-native security monitoring offers pricing and operational efficiencies over independent third-party security information and event management (SIEM) products, while still providing the required analysis of security alerts.
Authentication: Required in Level 3 and above
Expansive requirements for multifactor authentication typically mean you need additional infrastructure such as a RADIUS server. However, cloud-native multifactor solutions can accommodate on-premises, remote and client-site users without the need for additional infrastructure. They are also much easier to implement and integrate with existing authentication directories.
Mobile Device Management: Required in Level 3 and above
How secure are the mobile devices used across your network in today’s work-from-anywhere, bring-your-own-device (BYOD) world? Often there are inconsistent controls around BYOD mobile devices used to access email or other company information. Current solutions for on-premises email are also expensive and difficult to implement. Cloud-native mobile application and device management solutions are more straightforward and less costly, because you only pay for what you use. They represent an operating expenditure rather than a capital expenditure, which means you don’t have a big upfront cost. In addition, cloud-native solutions for mobile device management can also provide PIN and encryption enforcement, data loss prevention and remote wipe capabilities.
Configuration Management and Hardening: Required in Level 3 and above
Software required for configuration-state enforcement is expensive and difficult to implement. You may face disruptions or outages when implementing hardening rules. Cloud-native configuration management tools can help by simplifying the creation of standard images. Many cloud providers have developed CMMC-compliant blueprints and security technical implementation guides (STIGs) to vastly simplify meeting configuration management requirements within CMMC.
Backup and Recovery Strategy: Required in Level 3 and above
In addition to the existing NIST SP 800-171 standard, Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations, CMMC adds backup and recovery requirements for contractors. This brings into scope the security of backups on-premises as well as in other virtualized cloud environments, and requires applicable storage repositories to be FedRAMP Moderate Impact Level-compliant. Cloud-native backup and recovery tools – including multiregional redundancy, machine snapshot images, native backup monitoring, and automated recovery points – vastly reduce the backup and recovery planning needed to meet CMMC requirements.
Okay, I’m ready – how do we get started on our CMMC preparations?
Act now. Don’t wait until you’re about to bid on a contract to start working toward CMMC certification. It takes time, so you need to get ahead of the curve and begin the process today. Remember: under CMMC, most organizations doing – or planning to do – business with the DoD must go through an audit by an authorized entity before bidding on a contract, and this includes subcontractors.
As a first step, call FSi Strategies for a needs analysis and then talk to Dixon Hughes Goodman about completing your assessment. FSi Strategies can work with you to remediate any gaps found during the assessment so you will be ready to compete for DoD contracts. As a managed services provider, FSi can also provide you with ongoing support to ensure you can continue to be proactive and monitor your security situation. We look forward to talking to you about your next steps on the path to CMMC compliance.
About FSi Strategies
FSi Strategies, located in Washington, DC and Herndon, VA, is a user-experience-focused managed service provider and recognized Gold Microsoft Partner with over 17 years of experience. As Microsoft Cloud experts, we provide strategic, enterprise-class Modern Workplace IT solutions that engage your employees and accelerate productivity and collaboration while optimizing your environment securely. We engage strategically with your team to modernize your environment through Planning & Design, Implementation, Training & Adoption, Change Management, IT Support and Cloud Licensing.
About DHG Technology Advisory
DHG ranks among the top 20 professional services firms in the nation, providing assurance, tax, and advisory services. With more than 2,000 professionals across the United States, the DHG team serves clients in 50 states and internationally.
To assist defense contractors, DHG Technology Compliance and DHG Government Contracting maintain a forward-thinking cybersecurity team with significant experience in the NIST 800-171 and CMMC frameworks. Key members of the firm’s CMMC service team have achieved Registered Practitioner status with the CMMC Accreditation Body, and DHG is now a Registered Provider Organization (RPO) in the CMMC Marketplace. DHG is equipped to meet your specific technology advisory needs. To learn more about DHG’s Technology Advisory services, visit dhg.com/services/advisory/technology-compliance.