CMMC 2.0 delivered much-needed relief to defense contractors stressing over the time and cost of becoming compliant. Eliminating the maturity requirements, as well as two of the five levels of maturity, lowers the bar for compliance significantly and reduces costs dramatically. For a comprehensive review of all the changes, be sure to check out our earlier blog on the CMMC 2.0 release. While the industry is still trying to make sense of the changes as well as potential timing, it's worth noting that guidance around CMMC 2.0 is indicating that it may take as long as 24 months to put the final rules in place.
Understandably, we've heard from more than one client that they were considering a delay in their migration to GovCloud now that the pressure seemed to be off to meet CMMC so quickly. With as much as two years before the final rules are in place, their initial thought was that while they could put some security features in place now, the full effort, including the data migration, could be delayed.
Given some of the timelines around CMMC 2.0, we can understand why this might seem to make some sense. However, we’ve seen in practice that this approach only delays the inevitable and actually increases both risk and costs. Let’s take a minute to explain why…
CMMC Wasn’t Driving You to GovCloud
While CMMC has received a lot of buzz and served as a catalyst to get many companies to look at their security seriously, there is nothing explicitly in CMMC that requires a contractor to deploy in GovCloud. Technically, FedRAMP isn’t even a requirement in CMMC. However, CMMC isn’t the only cybersecurity requirement contractors need to meet – multiple other long-standing requirements have been driving contractors to a secure GovCloud for years. For example:
- DFARS 252.204-7012 requires contractors to meet NIST 800-171 for covered systems
- DFARS 252.204-7012 requires contractors to “ensure that the cloud service provider meets security requirements equivalent to those established by [FedRAMP Moderate]”
- DFARS 252.204-7012 clauses (c) through (g) have significant reporting and forensic clauses
- Additional data types such as ITAR, NOFORN, Nuclear, etc. require U.S. data residency and limit access to U.S. persons
Most of these requirements require GovCloud to meet compliance. Our friend at Microsoft, Richard Wakeman, published a blog earlier this year which outlines how various M365 offerings align with current and future requirements of these government regulations and their underlying cybersecurity frameworks. For M365, DFARS 7012 means moving to GCC. ITAR or other data sovereignty requirements (e.g. NOFORN, Nuclear, etc.) require GCC High. If you have these requirements and you're not yet in a GovCloud, you are already out of compliance.
It's Not Going to Get Any Easier
Every day your company's data footprint grows. New employees are added, files are created, Teams are created. All of this adds to the overall scope of any data migration. Plus, as the size of your footprint increases, the complexity of your migration will also likely increase. As an example, we see more and more companies adopting Power Platform for automation and Power BI for data visualization. These efforts will only add to the complexity and cost of the eventual migration. Kicking the migration can down the road might feel like a relief in the moment, but you're merely delaying the inevitable, and adding overall costs in the process.
One and (Not) Done: Security Settings Don’t Migrate
Deploying security settings requires investment in time and money. Do you really want to do it twice if you can avoid it? Security settings typically don’t migrate easily from cloud to cloud. While progress has been made in capturing security configurations and uploading them to the destination tenant, the process is far from turnkey and still results in user disruption. Our advice is to do it once whenever possible. Why spend the energy and money deploying security settings if you’re going to have to do it again in the new cloud?
Building Documentation…Twice?
While CMMC 2.0 delivered relief around maturity, a close look at Appendix E in NIST 800-171 will reveal you don’t have a free pass on documentation. Similar to security settings, these are typically not very transferable. At a minimum, you’ll need to closely review your documentation to make sure everything in the new cloud still applies. At worst, you’re starting over.
Your Teaming Partners Aren’t Waiting
As the largest prime contractors adopt GCC and, more often, GCC High, there is increasing pressure for their subcontractors to follow suit. In many cases, the source of this pressure is practical: it's simply easier to collaborate with partners within a cloud than cross-cloud. However, we're also seeing more strategic thought around this. Clause 7020 formalizes cybersecurity flow-downs throughout the supply chain, which forces contractors to look closely at who they are partnering with and make decisions about who gets brought in as a partner and who doesn't.
Summary
Implementing a cybersecurity strategy should start with deploying the right version of the cloud. Starting with the right cloud will also minimize user disruption and allow you to focus on driving productivity. For most contractors, this has always meant and will continue to mean GovCloud. Moving to GCC or GCC High now allows you to focus on security and adoption, rather than wasting time and money on temporary half-measures that will only need to change again within a year or two. Additionally, implementing the right cloud will ultimately save costs over the long run.
At C3 Integrated Solutions, we work with clients every day to develop the right cloud strategy as part of their overall security and compliance program. To learn more about the right approach to deploying a secure and compliant environment, contact us at info@c3isit.com.
Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation's Defense Industrial Base through cloud-based solutions and industry-leading partners. Bill is passionate about bringing cyber-awareness and cyber-maturity to the nation's Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.