If your business is part of the Defense Industrial Base (DIB), regularly works on contracts with the federal government, specifically the Department of Defense (DoD), or is a downstream supplier in the supply chain, you are likely well aware of the need to achieve CMMC certification in order to continue to do business with the DoD.
For many of our customers the path towards compliance can seem like a monumental task; however, Microsoft's solutions offer a comprehensive 'one stop shop' option, serving as the entire information system for compliance. Depending on your CMMC level you may require a new government cloud tenant, such as GCC or GCC High, but beyond that one additional requirement, all your technology and CMMC needs can be met by O365 and Azure.
Of equal importance to selecting your technology platform, building operational controls, and configuring technical controls, there are five foundational areas of consideration that we have often seen overlooked when beginning this process and that will directly drive technical requirements. Addressing these at the beginning of your project can aid immensely in ensuring timelines and expectations are met.
1. Evaluate Scope of Control and Policy Approach
What part of your business is in scope for CMMC? Must the entire business be impacted by the strict controls and governance outlined by CMMC and DFARS or is this a subset of your business that needs to meet these requirements? Would implementing these requirements on the rest of the business have a negative impact on the non-federal aspects of your business? The answers to these questions will directly drive your approach. There are three primary schools of thought around the approach.
- "Dual Citizen" - In this approach you maintain two separate environments (tenants), and users who manage CUI have a second identity in the secure environment, which is CMMC compliant. As you can imagine, you will have to address several factors with this approach, such as management of both environments, management of multiple identities, the human factor of making sure the proper environment is used for the appropriate task, and other policy considerations.
- "Secure Enclave" - In this approach you still maintain two separate environments (tenants), but shift the users handling CUI entirely into a secure enclave which is completely CMMC compliant. These users are then always operating in a compliant environment and do not have to maintain two sets of credentials. This removes the risk of processing or storing data in the incorrect environment. The rest of the business continues to operate as it did and is not impacted by these new stricter controls. While this presents a much easier-to-manage approach for the in-scope users, it does still create a variety of aspects to consider, such as the maintenance of two environments as well as interoperability considerations.
- Full Migration - This approach is the most seamless, as your entire organization operates in a CMMC compliant environment; however, it is expensive and restrictive because many of these strict controls are applied universally across the environment, which makes non-CUI-handling users' day-to-day tasks more restrictive and in some cases more difficult than they need to be. Licensing in GCC and higher environments is more expensive than in commercial tenants, and the maintenance of a larger environment from a CMMC compliance standpoint (monitoring, logging, etc.) adds more administrative and technical requirements.
2. Understand Business Process
A comprehensive understanding of the business processes that must be retrofitted into the CMMC compliance model is critical to your success. If you want to successfully transition these workflows and business processes to meet CMMC compliance, you must thoroughly understand what technologies are in use today, whether those technologies can be made compliant, how those technologies are used (process, automation, collaboration), and where that data resides today.
3. Gather Access Requirements
Establishing your scope and defining your business processes will directly drive what access requirements to this environment may look like.
Do your users need dedicated physical hardware, can they use existing hardware, or can they use an entirely virtualized environment? Do users need offline access to files or need to store files on external drives or removable storage? How about web access or mobile device access? If mobile device access is required, will they need dedicated mobile devices or do they have corporate devices already? Are there non-employees that need access? These are just a handful of the questions that need to be vetted by both the business and the technology team to properly architect a compliant environment and ensure all access needs are met.
4. Prepare for Provisioning and Limitations
If you have determined you need a GCC or higher tier tenant, begin the provisioning process immediately. At the time of writing this article, we are seeing significant backlogs - 30+ day lead times - simply to get the tenant into a state where you can fully begin configuration. Additionally, GCC and GCC High tenants from Microsoft do not have parity today with the commercial ecosystem. You need to leverage your knowledge of the business processes and technologies used to determine if adjustments must be made in the GCC environment.
5. Prepare for User Readiness
Unless you are operating in a tightly process-oriented environment today, it is very likely this change will be extremely impactful to your business and its users. From access to process, there will be a lot of change. Beginning user awareness, training, and education programs is just as important to ensuring your success as the technical foundation being laid.
Considering these five areas and asking these questions early in the process can help to ensure a smoother transition on your CMMC journey. Contact Intellinet today if you are just starting this process or have already begun and need help with your technical readiness.