Microsoft prepares documentation to help contractors ready for Pentagon cyber certification program

By Sara Friedman  / June 29, 2021

Microsoft is working to provide documentation for its managed security service provider partners and cloud users who want to get ready for assessment under the Pentagon's Cybersecurity Maturity Model Certification program, according to a company executive.

As one of the largest cloud providers to the federal government, Microsoft is seeking its own CMMC certification as well as readying to provide a System Security Plan (SSP), Customer Implementation Summary (CIS) and other materials to companies that use its services, Richard Wakeman told Inside Cybersecurity. Wakeman is Microsoft's senior director of aerospace and defense for Azure Global.

Companies will still need to create their own SSP and CIS documentation to prepare for an assessment, but they can leverage Microsoft's documentation rather than starting from scratch, Wakeman said. Microsoft has developed documentation for NIST SP 800-171 and CMMC to inform contractor assessment needs, which Wakeman said can be obtained by signing a non-disclosure agreement.

"We have been leaning on managed security service providers because we believe [they are] the fastest path, especially for small and medium-sized companies, to get to a CMMC certification as quickly as possible," Wakeman said, acknowledging each contractor needs to do more to achieve the "maturity process" for CMMC that "goes way beyond what Microsoft can do" by just offering a product.

The MSSP could combine Microsoft's cloud platform with endpoints hardened to DISA Security Technical Implementation Guides (STIGs) and add in a service desk, Wakeman said, which would get a company "much further along" toward achieving CMMC compliance. Microsoft's set of "reference architectures" puts a contractor halfway to meeting CMMC, while the MSSP might potentially reach "as much as 80%-85% certification," he said.

Wakeman said there are caveats because each contractor would need to get to "that last mile on their own two feet" to achieve CMMC.

Microsoft has developed a CMMC Acceleration Program to make it easier for companies to reach compliance.

In terms of reciprocity, he said Microsoft needs more information from the Defense Department on whether it will be able to leverage the work behind its existing FedRAMP Moderate and High authorizations toward CMMC.

Guidance from the CMMC Program Management Office is "pending" on how existing documentation generated by Microsoft can be used today, Wakeman said, providing the "inheritance of Microsoft controls and a shared scope of responsibility" as examples.

"There are some number of controls and documentation that you can inherit from Microsoft as opposed to each one of our customers needing to construct that documentation on their own" through a combination of current Microsoft offerings, including the SSP and CIS that are available today, Wakeman said. But he noted that most of how that inheritance is credited is currently left to the interpretation of the certified third-party assessment organizations (C3PAOs) auditing contractors.

The Defense Department will need to provide standardization guidance for the C3PAOs to make the FedRAMP reciprocity more feasible using Microsoft's cloud platform offerings, he said.