How does DFARS 252.239-7010 for cloud services impact CMMC 2.0, and what do DIB contractors need to know in 2023?
That’s a great question. And we’re going to answer it in this post.
We’ll show you how to leverage cloud services to save time, resources, headaches, IT cycles, and money related to CMMC compliance. Here’s what we’re going to cover:
- What is DFARS 252.239-7010 for cloud services?
- How Do Cloud Services Impact CMMC 2.0 Certification? (With Use Cases)
- What Simple, Cost-Effective Steps Can You Take Today To Prepare For CMMC Certification?
So let’s start with the core issue.
What Exactly Is DFARS 252.239-7010 For Cloud Services?
We went straight to the source for an answer. From ACQUISITION.GOV:
(b) Cloud computing security requirements. The requirements of this clause are applicable when using cloud computing to provide information technology services in the performance of the contract.
(2) The Contractor shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG) (version in effect at the time the solicitation is issued or as authorized by the Contracting Officer) found at https://public.cyber.mil/dccs/dccs-documents/ unless notified by the Contracting Officer that this requirement has been waived by the DoD Chief Information Officer.
That excerpt is the operative requirement in DFARS 252.239-7010: whenever cloud computing is used to perform the contract, the contractor must implement safeguards at the impact level the DoD Cloud Computing SRG requires, unless the DoD CIO waives it. Now let’s tie it into CMMC 2.0, the Azure Cloud, and what it means for DIB contractors and subcontractors.
You can also call our team anytime or get in touch online if you have questions or need assistance with CMMC compliance checklists. We work with small and medium-sized DIB contractors like you every day to simplify and streamline your DoD contracting IT requirements.
The bottom line is it can be extremely challenging for DIB contractors to meet the stringent IT and information security requirements in the three levels of CMMC 2.0 certification.
That’s where the Microsoft Azure Cloud comes into the equation. CMMC 2.0 does not certify cloud services themselves; a CMMC third-party assessor organization (C3PAO) assesses the contractor’s environment. But Azure and Azure Government services carry FedRAMP authorizations, and DFARS 252.204-7012(b)(2)(ii)(D) already requires any cloud service that stores, processes, or transmits CUI to meet the FedRAMP Moderate baseline or equivalent, so the controls those services implement can be inherited in the contractor’s own assessment.
That means DIB contractors can put authorized cloud services inside their CMMC scope and inherit controls rather than build and document them from scratch, saving significant time and money on CMMC 2.0 certification.
How Cloud Services Impact CMMC 2.0 Certification—With Use Cases
The information security requirements for protecting CUI are defined in NIST SP 800-171, and CMMC 2.0 codifies them in three levels: Level 1 covers the basic safeguarding requirements of FAR 52.204-21 for FCI, Level 2 is the 110 requirements of NIST SP 800-171 for CUI, and Level 3 adds a subset of NIST SP 800-172 for the most sensitive programs.
Because Azure Cloud services carry FedRAMP authorizations whose controls a DIB contractor can inherit, contractors can use them to save time, money, and headaches certifying their IT infrastructure.
Let’s look at a few use cases.
Leveraging The Microsoft Azure And Azure Government Clouds
The Azure Commercial and Azure Government Clouds offer numerous FedRAMP-authorized services, including compute, storage, and identity and access management (IAM), whose controls can be inherited, as well as overarching support for CMMC 2.0 compliance.
Support includes FIPS 140-validated cryptographic modules and customer-managed key storage in Azure Key Vault, including HSM-backed keys. This matters because NIST SP 800-171 requirement 3.13.11 calls for FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI.
Both clouds also carry a FedRAMP High provisional authorization to operate (P-ATO), and Azure Government additionally holds DoD Cloud Computing SRG provisional authorizations at Impact Levels 4 and 5, which is the SRG that DFARS 252.239-7010 points to. These authorizations address security controls related to the safeguarding of FCI, CUI, and covered defense information (CDI).
Azure services are also designed to make it easy for DIB contractors to navigate the CMMC 2 landscape. Navigation tools include the Microsoft Product Placemat for CMMC, the Azure Technical Reference Guide, Microsoft Sentinel CMMC 2.0, and Azure Policy.
We point out some of the subtle differences in IT services that cross the boundaries of the various Azure Cloud services in a previous post. As you move applications, services, compute instances, and storage across the different clouds, the authorizations and compliance coverage that apply can change.
Azure provides four resources to help you map, implement, and monitor your level of CMMC security controls:
- The Product Placemat for CMMC presents the underlying cloud services in a Periodic Table-style grid with visual guidelines, drill-downs, and guardrails showing how each service relates to CMMC practices.
- The Azure Technical Reference Guide provides CMMC 2 implementation documentation, with nested links to further implementation statements organized by subject matter and practice requirement.
- The Microsoft Sentinel CMMC 2.0 solution helps DIB contractors monitor threats and analyze CMMC-related security controls across cloud, multi-cloud, hybrid, and on-premises IT infrastructure.
- Azure Policy provides a built-in regulatory compliance initiative for NIST SP 800-171 that maps its policy definitions to the standard’s requirement families and shows, per control, whether the responsibility is Microsoft’s, the customer’s, or shared, in both the Azure Commercial and Azure Government Clouds.
Together, these four tools comprise a powerful foundation for implementing and managing a CMMC 2-compliant infrastructure in the cloud.
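Azure Policy reports compliance per resource and per policy, but an assessor wants it by NIST SP 800-171 requirement family, and just as importantly wants to know which families Azure Policy never evaluated at all. The script below, an added example that is not code from the original post or from Microsoft, rolls an `az policy state list` export up into the fourteen 800-171 families. It assumes the record fields `resourceId`, `complianceState`, and `policyDefinitionGroupNames`, and assumes the built-in NIST SP 800-171 Rev. 2 initiative tags each policy with group names of the form `NIST_SP_800-171_R2_<family>.<requirement>`; the sample records are constructed, not exported from a real tenant.

```python
"""Roll up Azure Policy compliance records into NIST SP 800-171 control families.

Added example, not code from the original post or from Microsoft. Assumes the
`az policy state list` record shape (resourceId, complianceState,
policyDefinitionGroupNames) and group names NIST_SP_800-171_R2_<family>.<req>
from the built-in NIST SP 800-171 Rev. 2 initiative. Sample data is constructed.
"""
import json
import re

# NIST SP 800-171 Rev. 2 requirement families (section numbers from the standard).
FAMILIES = {
    "3.1": "Access Control", "3.2": "Awareness and Training",
    "3.3": "Audit and Accountability", "3.4": "Configuration Management",
    "3.5": "Identification and Authentication", "3.6": "Incident Response",
    "3.7": "Maintenance", "3.8": "Media Protection",
    "3.9": "Personnel Security", "3.10": "Physical Protection",
    "3.11": "Risk Assessment", "3.12": "Security Assessment",
    "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}

# Assumed group-name format used by the built-in initiative.
GROUP_RE = re.compile(r"^NIST_SP_800-171_R2_(\d+\.\d+)\.(\d+)$")

# Constructed sample shaped like `az policy state list` output (not real tenant data).
SAMPLE_STATES = json.dumps([
    {"resourceId": "/subscriptions/s1/resourceGroups/rg-cui/providers/Microsoft.Storage/storageAccounts/cuistore",
     "complianceState": "NonCompliant",
     "policyDefinitionGroupNames": ["NIST_SP_800-171_R2_3.13.8", "NIST_SP_800-171_R2_3.13.11"]},
    {"resourceId": "/subscriptions/s1/resourceGroups/rg-cui/providers/Microsoft.Compute/virtualMachines/vm1",
     "complianceState": "Compliant",
     "policyDefinitionGroupNames": ["NIST_SP_800-171_R2_3.3.1"]},
    {"resourceId": "/subscriptions/s1/resourceGroups/rg-cui/providers/Microsoft.Compute/virtualMachines/vm1",
     "complianceState": "NonCompliant",
     "policyDefinitionGroupNames": ["NIST_SP_800-171_R2_3.5.3"]},
    {"resourceId": "/subscriptions/s1/providers/Microsoft.Authorization/roleAssignments/ra1",
     "complianceState": "Compliant",
     "policyDefinitionGroupNames": ["NIST_SP_800-171_R2_3.1.1", "NIST_SP_800-171_R2_3.1.5"]},
    {"resourceId": "/subscriptions/s1/resourceGroups/rg-cui/providers/Microsoft.Compute/virtualMachines/vm2",
     "complianceState": "Exempt",
     "policyDefinitionGroupNames": ["NIST_SP_800-171_R2_3.4.1"]},
    {"resourceId": "/subscriptions/s1/resourceGroups/rg-cui/providers/Microsoft.Network/networkSecurityGroups/nsg1",
     "complianceState": "NonCompliant",
     "policyDefinitionGroupNames": ["Some_Other_Initiative_Group"]},  # not an 800-171 group: ignored
])


def rollup(states_json):
    """Count Compliant / NonCompliant / Other records per family; collect failing requirement IDs."""
    roll = {fam: {"Compliant": 0, "NonCompliant": 0, "Other": 0, "seen": set(), "failing": set()}
            for fam in FAMILIES}
    for rec in json.loads(states_json):
        state = rec.get("complianceState")
        bucket = state if state in ("Compliant", "NonCompliant") else "Other"  # Exempt, Unknown, ...
        for group in rec.get("policyDefinitionGroupNames", []):
            m = GROUP_RE.match(group)
            if not m or m.group(1) not in FAMILIES:
                continue  # group from another initiative, or a family we do not track
            fam, req = m.group(1), f"{m.group(1)}.{m.group(2)}"
            roll[fam][bucket] += 1
            roll[fam]["seen"].add(req)
            if bucket == "NonCompliant":
                roll[fam]["failing"].add(req)
    return roll


def family_status(states_json):
    """Map each family to NonCompliant, NeedsReview, NotObserved, or Compliant.

    NotObserved is the important one: Azure Policy only evaluates what it has a policy
    for, so a family with no records is unassessed by this tool, not passing, and needs
    other evidence in the System Security Plan. 'Compliant' likewise means the mapped
    policies passed, not that every (often procedural) requirement in the family is met.
    """
    status = {}
    for fam, r in rollup(states_json).items():
        if r["NonCompliant"]:
            status[fam] = "NonCompliant"
        elif not r["seen"]:
            status[fam] = "NotObserved"
        elif r["Other"]:
            status[fam] = "NeedsReview"  # exemptions or unknown states need a human look
        else:
            status[fam] = "Compliant"
    return status


def report(states_json):
    """One line per family, failing families first, for POA&M or assessment prep."""
    roll, status = rollup(states_json), family_status(states_json)
    order = {"NonCompliant": 0, "NeedsReview": 1, "NotObserved": 2, "Compliant": 3}
    lines = []
    for fam in sorted(FAMILIES, key=lambda f: (order[status[f]], int(f.split(".")[1]))):
        line = f"{fam:<5} {FAMILIES[fam]:<42} {status[fam]}"
        if roll[fam]["failing"]:
            line += " (" + ", ".join(sorted(roll[fam]["failing"])) + ")"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_STATES)))
```

In practice you would feed it `az policy state list --filter "policySetDefinitionName eq '<initiative-id>'" -o json` scoped to the subscription or management group that holds the CUI enclave. The distinction between Compliant and NotObserved is the point: a family that is green only because no policy evaluates it is exactly where an assessor will ask for other evidence.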
What about essential applications, like Microsoft 365?
Microsoft 365 Considerations
You’re probably wondering how easy, or difficult, it is to use Microsoft 365, fka Office 365, in the cloud. We discussed this in detail in a previous post. This is the condensed version:
The net-net is that in order to meet all data protection requirements for CUI using Microsoft 365 apps in compliance with CMMC Level 2, you will need to deploy in Microsoft 365 GCC High, the environment that runs in Azure Government, is operated by screened U.S. persons, and is the one Microsoft positions for DoD CUI and export-controlled (ITAR) data.
Creating a CMMC L2 Enclave in the Azure Cloud
According to NIST, an enclave is a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
The easiest, most secure, and cost-effective way to create a CMMC L2 enclave in Azure is to deploy in Microsoft 365 GCC High, and then keep CUI inside that perimeter: every system that stores, processes, or transmits CUI, and every system that can reach one, is in scope for the assessment.
While federal contracting companies can use Azure Commercial and GCC to meet some CMMC L2 requirements for safeguarding CUI by making additional external and internal security modifications, we generally do not recommend it.
We recognize that all organizations are unique, but we also recommend considering the totality of your circumstances, now and into the future. Data migrations from lower Microsoft 365 and Azure tiers, like Commercial and GCC, to higher tiers, like GCC High, can be extremely expensive, intrusive, and time-consuming.
So what’s the net-net here?
The cloud offers tremendous promise in the form of tangible technological benefits, economies of scale with IT resource management, and cost savings to DIB contractors as you prepare for CMMC 2.0 implementation.
If this seems complex, we can help.
Here’s what you can do to get started today.
Don’t be intimidated by CMMC 2.0. We help small and mid-size DIB contractors like you every day with straightforward, cost-effective solutions. Let’s do a no obligation consult to discuss your:
- MS 365 licensing
- Azure CMMC Enclave
- CMMC Compliance Checklists
- CMMC Documentation Templates
- CMMC System Security Plan Template
- CMMC Policy Template
Call us at 443.464.1589 or get in touch with our team online today and let’s start simplifying CMMC 2.0 together.