Microsoft, Amazon develop compliance solutions for DOD's CMMC program

By Sara Friedman / November 10, 2020

Cloud service providers Microsoft and Amazon are working on solutions to help contractors reach compliance with the Defense Department's Cybersecurity Maturity Model Certification program through a shared responsibility model.

The model means that neither Microsoft nor Amazon will seek certification for CMMC. Instead, both CSPs will work with their partner companies to provide products that can help contractors reach compliance.

"The defense industry is looking to Microsoft for leadership in assisting the DIB to secure the supply chain," Microsoft's Richard Wakeman told Inside Cybersecurity. "Our cloud technologies and compliance solutions available provide a major step forward. By working with the DIB community of customers and partners, we are developing solutions for CMMC leveraging the comprehensive capabilities of the cloud. In particular, our CMMC Acceleration Program is being developed with and for partners to deliver end-to-end compliant solutions."

Wakeman is the senior director of Microsoft Azure Global's Aerospace and Defense business.

The program is intended to "provide the scaffolding with a baseline framework for compliance," Wakeman wrote in a blog post on Oct. 28. "The Microsoft baseline is expected to significantly close the gap for compliance of infrastructure, applications and services hosted in Microsoft Azure, Microsoft 365 and Dynamics 365."

Wakeman said, "Any resource that is deployed to the enclave will inherit the native controls. Microsoft will work with trusted partners and customers to enable them to close their compliance gap and mitigate risks, assist tenants with their shared customer responsibility, and provide solutions ready for CMMC assessment and certification."

The CMMC program will be rolled out over a five-year period. In the interim, contractors who handle controlled unclassified information will need to submit a self-assessment on their compliance with National Institute of Standards and Technology Special Publication 800-171 through DOD's Supplier Performance Risk System when they submit a bid for a new contract or order.

Microsoft told Inside Cybersecurity its Acceleration Program will also help companies become compliant with all of the controls in NIST 800-171 and provide details on Microsoft services in a "mini" System Security Plan that can be incorporated into a contractor's "full enterprise" SSP.

The SSP will also include "customer statements for the customer scope of responsibility for product capabilities leveraged to demonstrate compliance," Microsoft says. The majority of the work to incorporate the "mini" SSP will be conducted through Microsoft's managed service provider partners, who will also help develop a plan of action and milestones (POA&M).

When it comes to other government standards, the CSP has established a "program of reciprocity" which includes compliance with FedRAMP, the DOD Cloud Computing Security Requirements Guide and the NIST cybersecurity framework.

In the blog post, Wakeman wrote Microsoft "is currently mapping its existing cybersecurity controls and certifications with the CMMC controls that correspond with CMMC Levels 1-5 to identify how customers may achieve a program of reciprocity. Microsoft's goal is to help strengthen cybersecurity across the DIB by continuing to have world-class cybersecurity technology, controls and best practices, and to put its cloud customers in a position to inherit Microsoft's security controls and eventual CMMC certifications."

The Defense Department has not outlined its strategy for reciprocity despite calls from industry groups including the Information Technology Industry Council and Aerospace Industries Association.

The Amazon Web Services approach to the shared responsibility model is intended to "relieve the customer's operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities where the service operates," according to a blog post published on Nov. 5.

"The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of any AWS security products like AWS Config, Amazon GuardDuty, and AWS WAF," the blog post reads. "Organizations should carefully consider the services they choose as their responsibilities vary depending on the AWS services used, the integration of those services into their IT environment, and published DOD CMMC guidance. The nature of this shared responsibility also provides the flexibility and control that permits the customer to leverage cloud capabilities and technologies to meet specific CMMC capability requirements."