Navigating CMMC Compliance Requirements with Microsoft

For organisations doing business with the United States' Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) is a hot topic of conversation. CMMC ensures that DoD contractors and subcontractors implement robust cybersecurity measures to protect sensitive information, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), from cyber threats while setting rigorous standards for data protection.

Making sense of the complex requirements

CMMC program requirements apply to all DoD solicitations and contracts for which a defense contractor or subcontractor will process, store or transmit FCI or CUI on its unclassified contractor information systems. The CMMC model defines streamlined levels of compliance:

- Level 1 (Foundational): Focuses on basic cybersecurity hygiene practices.
- Level 2 (Advanced): Aligns with NIST SP 800-171 and includes 110 security practices.
- Level 3 (Expert): Targets the most security-conscious contractors and aligns with NIST SP 800-171 plus 24 additional controls from NIST SP 800-172.

Recent CMMC updates have focused on Supplier Performance Risk System (SPRS) scoring and how contractors are meeting their respective level requirements. For the least risky organisations, Level 1 is a simple met or not met status.
Levels 2 and 3, however, are more complex, and we suggest that any organisation required to obtain these maturity levels begin now to establish a technical boundary that will simplify how data is managed and governed within the organisation and among its contractors.

SPRS scoring

- Maturity Level 1: Score not required; either MET or NOT MET.
- Maturity Level 2: Security requirements are valued at 1, 3 or 5 points, giving a range of -203 to 110, with a minimum passing score of 88.
- Maturity Level 3: All Level 3 security requirements are valued at 1 point, with a maximum score of 24. Requires a prerequisite Level 2 score of 110.

POA&Ms

- POA&Ms are not allowed for CMMC Level 1.
- Refer to § 170.21 of the 32 CFR CMMC Program final rule for CMMC Level 2 and Level 3 POA&M requirements, including the critical requirements that may not be placed in a POA&M.
- POA&Ms must be closed out within 180 days of when the CMMC assessment results are finalised and submitted to SPRS or CMMC eMASS, as appropriate.
- Failure to close out a POA&M within 180 days will result in an expired CMMC status.

The steps below outline how Protiviti best assists clients with compliance preparation.

Build an enclave/architecture with Microsoft tools

In a recent webinar Protiviti conducted with Microsoft, we discussed our approach to helping organisations confidently prepare to meet evolving CMMC requirements. We know that the most common errors companies make are often not related to their technologies but to the processes used with those technologies. The common areas of failure we see range from properly marking CUI to encrypting CUI with a FIPS-validated algorithm (140-1 and 140-2). Implementation of multifactor authentication (MFA) is a showstopper control, but it is also, fortunately, a non-issue for most. We also see organisations neglecting system security plans (SSPs) with boundary definitions and not factoring in the 180 days to remediate POA&M items, which is critical to maintaining compliance.
Deadlines are more stringent now, as the prior, more generous three-year remediations are a thing of the past.

To minimise disruption of the existing environment, we typically recommend building an enclave: a targeted environment designed to present the smallest footprint possible, which means the smallest possible attack surface and the most efficient environment to manage. In its ideal state, the enclave handles all the organisation's CUI and is not tied to any other infrastructure within the organisation's current environment. This new environment provides a well-defined boundary. By leveraging Microsoft cloud-based solutions, including Microsoft 365 Government Community Cloud High (GCC High), Azure Government and the Microsoft Defender suite, all tailored to meet the stringent requirements of CMMC compliance, the stand-up and operation of an enclave is streamlined. Understanding the organisation's business processes and what employees do day-to-day is key to making good decisions in designing the enclave.

Security readiness

Through our CMMC compliance work, we've developed a set of foundational practices for kickstarting your security readiness. These factors are critical to consider and implement when making architectural design decisions.
Foundational practices include:

- Leverage Azure Policy from the start and revisit it with each deployment, even during the early builds.
- Communicate with application and system architects about the reduced availability of services within Azure Gov versus Azure Commercial and the impact on any custom-developed applications.
- Validate that every Azure service planned to be consumed is available in the targeted Azure region, as well as in Azure Gov.
- Validate that every third-party security integration is current on the FedRAMP Marketplace.
- Enforce role-based access control (RBAC) early in the enclave development to prevent rework when other teams "fix" their inability to do something due to a newly implemented control.
- Third-party tools for EDR/IPS/WF/DLP, etc. should go through rigorous evaluation to ensure compatibility with Azure Gov, the organisation's compliance requirements and expected use cases.
- Design workloads using composable architecture so that components may be updated in small, reversible increments.

Additionally, when building a new environment, include data classification and other elements in tagging so that incorporating Zero Trust elements is easier and the organisation avoids repeating past errors.

Achieving CMMC compliance can feel daunting, but we believe leveraging Microsoft's cloud-based solutions simplifies the path to achieving and maintaining compliance, enabling any organisation functioning as a government contractor to focus on the core mission of supporting national defense.

To learn more about CMMC and our Microsoft consulting services, contact us.
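To illustrate the "Azure Policy from the start" and data-classification tagging practices above, here is an added example of a custom Azure Policy definition written for this article (not Protiviti's or Microsoft's own policy). It denies any taggable resource in the enclave scope that lacks an approved classification tag; the tag name DataClassification and the allowed values are assumptions for the example.

```json
{
  "properties": {
    "displayName": "Enclave resources must carry an approved data classification tag",
    "description": "Denies create/update of taggable resources in the CUI enclave scope unless the classification tag is present and set to an approved value. Tag name and values are example assumptions.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": { "displayName": "Classification tag name" },
        "defaultValue": "DataClassification"
      },
      "allowedValues": {
        "type": "Array",
        "metadata": { "displayName": "Approved classification values" },
        "defaultValue": [ "CUI", "FCI", "Internal" ]
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "in": "[parameters('allowedValues')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

A missing tag and an unapproved value are both denied, since `not ... in` is true whenever the tag field is absent; assign the definition at the enclave subscription or management group so that every workload inherits it from the first build. The region-availability practice is covered separately by assigning the built-in "Allowed locations" policy restricted to the Azure Government regions the enclave uses.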