DoD &CSPs Collaborate for CMMC Compliance and Zero Trust 

Updated on May 1, 2023 by Anthony Jones

Share this article!

The Cybersecurity Maturity Model Certification (CMMC) is a framework established by the U.S. Department of Defense (DoD) to assess and enhance the cybersecurity posture of organizations within the Defense Industrial Base (DIB). The CMMC framework consists of multiple maturity levels, each with a set of cybersecurity practices and processes that organizations must implement to achieve compliance. 

“We need to try to help our industrial base get to good with cybersecurity because we want to make sure the warfighter has the best capabilities on the ground and that they’re protected.”

– DoD DIB Cyber Chief Stacy Bostjanick   

How the DoD Is Working with CSPs for Better CMMC Compliance 

The Department of Defense (DoD) is working with cloud service providers (CSPs) to support two key cybersecurity initiatives: implementing zero trust and securing small and medium-sized contractors in the defense industrial base (DIB) under the Cybersecurity Maturity Model Certification (CMMC). 

Implementing Zero Trust 

• The DoD is transitioning to a zero-trust security architecture over the next five years. 
• The DoD is engaging with CSPs that were awarded spots under its Joint Warfighting Cloud Capability (JWCC) multi-cloud acquisition vehicle, including Amazon Web Services, Google Cloud, Microsoft, and Oracle. 
• The DoD is exploring whether these CSPs can provide zero-trust capabilities via the cloud, which would be easier than trying to retrofit existing environments with zero-trust principles and tools. 
• The DoD is developing a zero-trust strategy and implementation plan to transition to a zero-trust architecture by 2027. The strategy includes 152 capabilities for robust zero trust and a subset of 90 controls for targeted zero trust. 

Related article: Learn about Zero-Trust Cloud Security Posture. 

Securing Contractors under CMMC 

• The DoD is working to secure contractors in the DIB as they transition to CMMC compliance. 
• Under CMMC 2.0 rules, expected to go into effect next year, contractors handling the DoD’s controlled unclassified information (CUI) must be certified to meet one of three cybersecurity requirements tiers. 
• Some small and medium-sized contractors are concerned about the costs of achieving CMMC compliance and the potential impact on their businesses. 
• The DoD’s defense industrial base cybersecurity team is working to support these contractors by offering cybersecurity tools and services. 
• The DoD is also collaborating with CSPs to explore the possibility of providing secure cloud environments that contractors can use to protect DoD information and meet CMMC requirements. 

The DoD is actively engaging with CSPs to leverage cloud services for implementing zero trust and helping contractors achieve CMMC compliance in a cost-effective manner. 

Department of Defense CIO – CMMC 2.0 Update 

 Challenges Associated with Hybrid Cloud Environments 

While CMMC is not specifically designed for hybrid cloud infrastructures, it applies to all information systems and environments, including hybrid cloud infrastructures, where Controlled Unclassified Information (CUI) is stored, processed, or transmitted. Organizations that use hybrid cloud infrastructures and are part of the DIB must ensure that their cloud environments meet CMMC requirements. 

Hybrid cloud security presents various challenges, which can be summarized into five key areas: 

1. Complexity and Limited Visibility: The integration of multiple public cloud services and private cloud usage results in a complex information infrastructure from both security and management perspectives. Without proper tracking mechanisms, organizations may experience reduced visibility into their data access over time. Increased complexity can lead to vulnerabilities and security gaps, increasing the likelihood of data breaches due to errors or misconfigurations. Consequently, cloud services may necessitate changes in security strategies. 

2. Shortage of Knowledge and Skills: The rapid expansion of cloud systems has led to a significant lack of cybersecurity expertise. Organizations struggle to find qualified security personnel capable of managing cloud services, leaving them vulnerable to risks. One solution is to invest in training and skill development for managing hybrid cloud infrastructure, despite the time and effort required. 

3. Evolving Security Responsibilities: In public cloud environments, the responsibility for implementing security, virtualization, and infrastructure controls shifts to cloud service providers. Understanding the changes in shared security responsibilities is crucial. Organizations may mistakenly attempt to apply private cloud security measures to public clouds, which may not always be feasible. The absence of a clear operational model in hybrid cloud environments can expose the cloud to threats. 

4. Inconsistencies in Network Protection: Network security remains a challenge for businesses. Many public cloud security tools offer private cloud compatibility but may lack comprehensive functionality. While these tools may secure private clouds, they may not be compatible with public clouds. Organizations often use containers to manage hybrid clouds but may overlook service mesh and API security, leaving containers vulnerable. 

5. Fragmented Logging and Monitoring: Organizations must distribute logging sources across public clouds, vendor tools, on-premises systems, and cloud-native services to identify logs and establish monitoring metrics. Key performance indicators (KPIs) and key risk indicators (KRIs) are needed for reporting. The goal is to create a custom dashboard to communicate residual risk severity and impact while enhancing visibility into advanced threats. 

Related article: How to Improve Your Cloud Security Posture. 

Risks Associated with Hybrid Cloud Environments 

Despite the advantages of hybrid cloud, users should be aware of potential security risks: 

• Security Leaks: Hybrid clouds are often connected via the open internet, increasing the risk of data leaks due to errors, man-in-the-middle attacks, and compromised endpoints, especially if cloud management APIs lack proper security. 
• Compliance Challenges: The flow of data between public and private cloud components complicates compliance with a centralized framework, as different providers have varying compliance standards. 
• Security Gaps: Inconsistencies in security controls for hybrid cloud services can create gaps in security maturity between public and private clouds. 
• Misaligned SLAs: Service level agreements (SLAs) differ between public and private cloud services, making it difficult to achieve end-to-end SLAs for users. 
• Risk Assessment Challenges: Comprehensive risk assessment for hybrid cloud services is challenging, as public and private clouds are often evaluated separately, complicating the maintenance of a consistent security posture. 
• Encryption Deficiencies: Hybrid cloud architectures are susceptible to data protection risks, especially during data transfers between clouds. Lack of proper encryption can lead to data theft or alteration. 
• Network Connectivity Disruptions: Connectivity between public and private clouds is vital for SLAs. Errors in network architecture can disrupt cloud services. 

Related article: Which Industries Will be Subject to New and/or More Cybersecurity Regulations? 

The DoD’s commitment to enhancing cybersecurity through CMMC and zero trust is critical in safeguarding national security and the defense industrial base. As organizations navigate the complexities of hybrid cloud environments and strive to meet CMMC requirements, collaboration with cloud service providers and cybersecurity experts is essential. By leveraging the expertise of trusted partners like AWA, organizations can confidently address security challenges, achieve compliance, and contribute to a more secure and resilient defense ecosystem. 

Choose AWA for CMMC Gap Assessment and Remediation Services 

As the DoD transitions to a zero-trust security architecture and enforces CMMC compliance, organizations within the DIB face the challenge of meeting new cybersecurity standards. AWA is uniquely positioned to assist in this journey.  

Our team of cybersecurity experts understands the complexities of hybrid cloud environments and the challenges associated with achieving CMMC compliance. With AWA’s gap assessment and policy and procedure remediation services, you can confidently navigate the CMMC framework and address potential vulnerabilities. Our comprehensive approach ensures that your organization is equipped to meet the DoD’s cybersecurity requirements, protect sensitive information, and maintain a robust security posture.  

Choose AWA as your trusted partner in achieving CMMC compliance and securing your future in the defense industry. 

About The Author

Anthony Jones

Anthony has over 20 years of experience and has worked with a variety of industries, including Health Care Insurance, Banking and Financial Services, Information and Analytics, Telecom, and Utilities. Anthony has extensive knowledge in IT Security consulting; he is also a Certified Information Systems Auditor (CISA), and Project Management Professional (PMP) designation holder with expert ability to accurately determine needs, understand risk tolerances, offer alternatives to current situations, develop action plans and cultivate longstanding client relationships. Anthony’s area of expertise consists of MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance Banking and Financial Services, Manufacturing and Utilities. Prior to joining IS Partners, LLC Anthony spent 12 years with PWC as a Senior Manager in Business Risk Solution (BRS) Practice advising Fortune 100 financial services, manufacturing, Insurance and utility companies. Anthony graduated Saint Joseph’s University. Anthony received his MBA from SJU Haub School of Business.
Anthony Jones frequently blogs for I.S. Partners, LLC.