Unemployable Graduate
Step-by-Step Compliance for the Cybersecurity Maturity Model Certification (CMMC)

February 18, 2023
in Public Policy

Odds are, if you are impacted by the Cybersecurity Maturity Model Certification (CMMC) mandates, you already know it.  Odds are, if you are reading this post, you are doing research because you are impacted by the mandates.  If you are impacted by the mandates, this post is for you.  Its purpose is to give you ideas that (we hope) help you on your compliance journey.

The open question is likely "how do I become compliant?"  Ultimately, there are two options.  But before we get to the options for how to become compliant, we first need to address the scope of what needs to become compliant.

What about scope? 

There are thousands of other published pages on the scope of CMMC, and that’s not the point of this post.  The point here is to state the following: 

  1. Today, you have N applications in your Portfolio 
  2. A subset (maybe 100%, maybe a smaller percentage) of those applications and their data must be compliant with CMMC by certain dates, depending on your contracts and business requirements 
  3. Every business that is beholden to the mandates needs to make a list of the applications (and data) that are in scope.  Many companies will do that rapid assessment on their own.  Other companies will enlist partners/vendors to help them move faster and more confidently.  Either way is fine.   

Once you have the list of apps (and data) that are in scope for you, then what?  Then it is time to choose an option. 

Option 1: Work on the running engine 

The challenge with working on a running engine is the increased risk of losing a finger.  Honestly, if you had to spend time quantifying your Portfolio, then it stands to reason that there may be things you missed in that assessment.  But leaving that point aside, there is always the option to assess every app, every piece of data, every server, every switch, etc. in place and bring each one up to compliance.  That is a very difficult journey because of years of technical debt.  Can you really clean out every shared-credential service account in your environment without breaking something critical? 

Option 2: Build a new engine and rapidly move to it 

Surely there are exceptions, but we have yet to see one.  The best answer is usually to build a new engine, and to build that new engine in the cloud.   

Why the cloud? 

  1. The platform layer is already assessed and authorized (e.g. Microsoft Azure Government [MAG] and Government Community Cloud High [GCC High]).  You inherit those platform controls; under the shared-responsibility model you still own the controls above them (identity, configuration, applications, data). 
  2. You will not invest more in cybersecurity and compliance of the platform layer than Microsoft Cloud will, so that layer is, and will remain, more secure than what you can build yourself. 
  3. If you leverage the cloud, you then only have to worry about securing the pieces and parts that are unique to YOUR business: your enclave(s) and tenant(s), your application(s), your data. 

Executing on Option 2 (New, Cloud Engine) 

Step A: Rapidly Establish Cloud Enclave 

  1. M365: Commercial and/or GCC and/or GCC-High and/or GCC-DOD 
    1. Which one(s) do you need? 
    2. How do you rapidly set them up and harden them? 
    3. How do you continuously monitor for (and automatically respond to) anomalies that would take you out of compliance? 
    4. How do you give the auditor a real-time dashboard to speed up the audit(s)? 
  2. Azure: Commercial Azure, Azure Government as IL2, Azure Government as IL4, Azure Government as IL5, or a combination 
    1. Which one(s) do you need? 
    2. How do you rapidly set them up and harden them? 
    3. How do you continuously monitor for (and automatically respond to) anomalies that would take you out of compliance? 
    4. How do you give the auditor a real-time dashboard to speed up the audit(s)? 
  3. For every enclave and/or tenant, how will it be managed on Day 1?  Day N?  (Often, the goal is to "manage it myself" on Day N, but folks are unclear about Day 1 and aren't ready to manage it then.) 

Step B: Move Applications (and Data) 

  1. How do you prioritize your applications based on timelines and resourcing? 
  2. For each application, should it  
    1. Lift and shift? 
    2. Have slight tweaks? (e.g. converted to PaaS?  Converted to hardened containers per the DevSecOps Reference Architecture and DoD standards?  Other?) 
    3. Be rewritten?   
    4. Other? 
  3. For every application (and its data), how will it be managed on Day 1?  Day N?  (Often, the goal is to "manage it myself" on Day N, but folks are unclear about Day 1 and aren't ready to manage it then.) 

Step C: What about Client Devices? 

  1. Are your laptops and desktops managed in such a way that they are compliant? 
  2. What about mobile devices? 
  3. Can you detect and minimize spillage? 
  4. Do you understand your Data Loss posture? 

Step D: What about Policies? 

  1. For example, is your Data Loss Prevention Policy where it needs to be for CMMC? 
  2. Are the written policies tactically implemented for the Enclaves, Tenants, Apps and Data defined as you establish the enclaves and move the applications? 

Step E: What about Auditability? 

  1. When the auditor shows up, will you spend days and weeks with them, or will you show them your real-time dashboards?   
  2. When the auditor shows up, will you do tabletop exercises with them?  Will you introduce an out-of-compliance server and watch the automation turn that server off?  Will the automation also create a security incident in parallel?  Is it true that the only way to end up with an errant server in this new, pristine engine is that someone went around the process defined by the policy? 
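The "detect drift, stop the server, open an incident, keep an audit trail" loop that Step A (continuous monitoring with automatic response) and Step E (auditability) describe looks like the following when reduced to code.  This is an added example written for this page, not CloudFit's platform and not an Azure API: the enclave policy, the server inventory and the remediation calls are all constructed stand-ins, and a real implementation would replace the simulated deallocate/incident steps with calls to the cloud provider and the ticketing or SIEM system.

```python
"""Added example: a minimal continuous-compliance sweep.

Everything here is constructed for illustration (hypothetical policy values,
hypothetical servers, simulated remediation); it is not vendor code.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed baseline standing in for an IL5-style enclave policy.  A real
# baseline comes from the tenant's own hardening standard, not from here.
POLICY = {
    "allowed_regions": {"usgovvirginia", "usgovarizona"},
    "required_tags": {"data-classification", "owner", "system-id"},
    "require_disk_encryption": True,
    "max_patch_age_days": 30,
}

# Fixed "now" so the example is deterministic (assumed sweep time).
NOW = datetime(2023, 2, 18, tzinfo=timezone.utc)


@dataclass
class Server:
    name: str
    region: str
    tags: dict
    disk_encrypted: bool
    last_patched: datetime
    running: bool = True


@dataclass
class Finding:
    server: str
    control: str
    detail: str


def evaluate(server: Server, policy: dict, now: datetime) -> list[Finding]:
    """Return every control the server violates; an empty list means compliant."""
    findings: list[Finding] = []
    if server.region not in policy["allowed_regions"]:
        findings.append(Finding(server.name, "region", f"{server.region} is outside the enclave"))
    missing = policy["required_tags"] - set(server.tags)
    if missing:
        findings.append(Finding(server.name, "tags", "missing " + ", ".join(sorted(missing))))
    if policy["require_disk_encryption"] and not server.disk_encrypted:
        findings.append(Finding(server.name, "encryption", "OS/data disks not encrypted"))
    patch_age = (now - server.last_patched).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(Finding(server.name, "patching", f"last patched {patch_age} days ago"))
    return findings


def remediate(server: Server, findings: list[Finding], audit_log: list[dict], now: datetime) -> Optional[dict]:
    """Simulated response: stop a drifted server and open an incident record.

    Real code would call the provider's deallocate API and the incident system;
    here the server object is marked stopped and the incident is returned.
    Every sweep result, compliant or not, is appended to the audit log so the
    auditor's dashboard has a complete, timestamped history.
    """
    if not findings:
        audit_log.append({"time": now.isoformat(), "server": server.name, "result": "compliant"})
        return None
    server.running = False  # quarantine until the owner fixes the drift
    incident = {
        "time": now.isoformat(),
        "server": server.name,
        "severity": "high" if any(f.control in ("region", "encryption") for f in findings) else "medium",
        "controls": sorted({f.control for f in findings}),
        "action": "deallocated",
    }
    audit_log.append({**incident, "result": "non-compliant"})
    return incident


def run_sweep(inventory: list[Server], policy: dict, now: datetime) -> tuple[list[dict], list[dict]]:
    """Evaluate every server, remediate drift, and return (incidents, audit_log)."""
    audit_log: list[dict] = []
    incidents: list[dict] = []
    for server in inventory:
        incident = remediate(server, evaluate(server, policy, now), audit_log, now)
        if incident:
            incidents.append(incident)
    return incidents, audit_log


def build_sample_inventory() -> list[Server]:
    """Constructed inventory: one compliant server and two kinds of drift."""
    full_tags = {"data-classification": "CUI", "owner": "app-team", "system-id": "sys-001"}
    return [
        Server("app-web-01", "usgovvirginia", full_tags, True, datetime(2023, 2, 1, tzinfo=timezone.utc)),
        # Missing a tag, unencrypted, and unpatched for 79 days.
        Server("app-db-01", "usgovvirginia", {"owner": "dba", "system-id": "sys-002"}, False,
               datetime(2022, 12, 1, tzinfo=timezone.utc)),
        # Built outside the enclave (commercial region) by going around the process.
        Server("legacy-web-02", "eastus", full_tags, True, datetime(2023, 2, 10, tzinfo=timezone.utc)),
    ]


if __name__ == "__main__":
    found, log = run_sweep(build_sample_inventory(), POLICY, NOW)
    for entry in log:
        print(entry)
```

Running it stops the two drifted servers, records two incidents and leaves a three-entry audit log.  The design point is that the same function that detects drift also produces the evidence: the audit log is written on every evaluation, so the auditor sees the compliant checks as well as the failures, which is what makes the "show them the dashboard" conversation short.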

Surely, you will choose Option 2.  

Insource, Outsource or Hybrid?  

Now, the only remaining question is whether you will figure it all out on your own or bring in someone to help you.  Given the impact of getting it wrong, and given the timeline, most companies will bring in someone to help them. 

Which Partner? 

There are two courses of action: 

  1. Pay someone to “consult” with you while doing the work yourself 
  2. Pay someone to do it for you including Day 1 thru Day N management 

Most companies prefer the second course, but they assume that no such unicorn exists.  And if they do assume there is a unicorn, they fear that they cannot afford it. 

The ideal partner will help you in the following ways: 

  1. Rapidly define the in-scope apps and data 
  2. Ask a series of repeatable business questions 
  3. Rapidly establish the enclave(s) and tenant(s), ideally using automation to save you time and money 
  4. Rapidly move applications and data to the new enclave(s) and tenant(s) while making the necessary application tweaks (and being willing to take accountability for full application rewrites as necessary), ideally using automation to refactor and/or rewrite the apps 
  5. Manage the clients and mobile devices, and/or work through and with your existing client/mobile team, to take accountability for the client and mobile posture, ideally using automation  
  6. Manage the enclave(s), tenant(s), applications and data to keep them current and compliant, ideally using automation 
  7. Work through and with your Policy team(s) to update policies as necessary to match the actual implementation  
  8. Stand at the ready to host your auditors when they show up, ideally using automation  

Partner requirements: 

  1. Already doing this same work in DoD IL5/CUI environments 
  2. Already doing this work in commercial environments, including for the Defense Industrial Base 
  3. Already doing this work for small customers (e.g. 5 seats) through huge customers (e.g. 150k seats) 
  4. Willing to take the risk of doing the work as Firm-Fixed-Fee on a committed timeline  
  5. Willing to commit, on day 1, to operations and maintenance pricing for years 2 through 5 (and beyond) 
  6. Willing to provide significant multi-year discounts 

Call to action: 

  1. Quantify the applications (and data) that will fall within your CMMC scope 
  2. Leverage Microsoft Azure Government and GCC High to meet the requirements 
  3. Leverage an experienced partner to help you skip the learning curve  

About the Author: 

Carroll Moon is the CTO and Co-Founder of CloudFit Software.  Prior to CloudFit, Carroll spent almost 18 years at Microsoft helping to build and run Microsoft's clouds.  CloudFit Software aims to securely run every mission-critical workload in the universe.  CloudFit is a DoD company that also intentionally serves commercial companies.  Commercial customers (including Microsoft's product groups) keep CloudFit on the cutting edge of cloud and cloud apps, which makes CloudFit attractive to DoD customers.  DoD customers require that CloudFit be a leader in cybersecurity, which makes CloudFit attractive to commercial customers.  This intersection of DoD and commercial uniquely positions CloudFit Software to help customers comply with cybersecurity mandates like CMMC, and the build-and-run-the-hyperscale-cloud pedigree of CloudFit's executive team means that CloudFit is executing on its charter with software and automation rather than with people.  CloudFit Software's patented platform enables increased repeatability, decreased costs, increased availability and increased security in all areas, from establishing hardened cloud enclaves to migrating (and refactoring) workloads to operating securely in the cloud.  Beyond the IT/cloud charter, CloudFit Software exists to fund two 501(c)(3) charities: KidFit (providing hope and opportunities to youth using sports as the enabler) and JobFit (providing hope and opportunities to adults and young adults using IT training and paid internships as the enablers).  Carroll lives in Lynchburg, VA with his wife and two children.  CMMC | CloudFit Software 