Standing on the Shoulders of Giants: Working with Microsoft to Bring CMMC/NIST 800-171 Compliance to the Defense Industrial Base

Article By: Josh O'Sullivan

As a Microsoft Security Gold Partner, we are pleased to see the tools Microsoft continues to release to accelerate compliance for defense contractors tackling the Cybersecurity Maturity Model Certification (CMMC) and the underlying NIST SP 800-171 requirements.

Microsoft invests more than $1B per year in security alone, and they are dedicated to helping the Defense Industrial Base (DIB) become more secure and compliant with DoD regulations for protecting Controlled Unclassified Information (CUI).

70% Coverage with Microsoft

In their latest update on the Microsoft CMMC Acceleration Program, Richard Wakeman demonstrates some of the fruits of this investment, including:

  • NIST SP 800-171 and CMMC Levels 1-5 Assessment Templates in Compliance Manager,
  • Azure Blueprints to help enable some of these controls quickly, and
  • The new Microsoft Product Placemat for CMMC!

Compliance Manager provides a set of assessment templates to help you create an assessment and ensure your organization complies with common industry standards and regulations, including NIST SP 800-171 and the projected requirements for all levels of CMMC. Each template maps the controls for meeting that certification’s requirements to the Microsoft products that help implement them.

Azure Blueprints help you define a repeatable set of Azure resources that implements and adheres to your organization’s standards, patterns and requirements. This in turn enables your development team to rapidly implement new company-compliant environments.

The Microsoft Product Placemat for CMMC is an interactive representation of how Microsoft cloud products and services satisfy CMMC requirements. It provides details on each practice and guidance for actions you need to take to meet its requirements. It is currently still under development with a planned release at the end of 2020.

Learn more about how these resources can help you.

Reciprocity for NIST 800-171 Compliance and CMMC 

The ideal outcome we hope for from Microsoft’s investment is reciprocity between NIST 800-171 compliance and CMMC. In the language of certification and accreditation, reciprocity refers to a certification body’s recognition and acceptance of a risk assessment performed by a third party. In other words, if Microsoft is assessed and found compliant with NIST 800-171 and CMMC, that assessment could be leveraged to cover a portion of its customers’ demonstrated practices.

Microsoft is laying out the foundation to make it easier for a government or certified 3rd party assessor to accept the controls Microsoft is already applying to their systems as part of a customer security program. This means that customers can implement their program more quickly and easily and enter into assessments confident that they have what they need.

Per Richard Wakeman’s post, Microsoft 365 E5 gives customers nearly 70% coverage of CMMC practices. By moving to Microsoft 365 you put the right technology in place; with the proper internal procedures, configuration and evidence on your side, those product capabilities become implemented practices you can show an assessor.

As a customer, this saves you the time, money and effort of demonstrating compliance with the NIST SP 800-171 controls and CMMC practices that Microsoft already covers. It should also reduce the time and cost of an assessment and save the government and U.S. taxpayers those direct costs. We can all save even more if there is reciprocity for the FedRAMP assessment that Microsoft already continuously meets.

Addressing the Other 30%

Ardalyst is working with its partners, including Microsoft, to build the most comprehensive and cost-effective program to meet all of the requirements outlined in NIST SP 800-171 and CMMC. We recognize that more than a technical solution is required. We offer the business risk analysis, technological implementation and system administration capabilities required to achieve 100% coverage for CMMC Level practices.

With the new DFARS 252.204-7019 provision taking effect Nov. 30th, we have seen more DIB contractors recognizing the need to reassess their cybersecurity programs. DFARS 252.204-7019 requires defense contractors to submit the results of their NIST SP 800-171 self-assessment, including their score, into the Supplier Performance Risk System (SPRS). That score comes from the NIST SP 800-171 DoD Assessment Methodology: it starts at 110 (one point per requirement) and subtracts 5, 3 or 1 points for each requirement that is not implemented, so a weak program can score well below zero. Additionally, some DIB organizations will undergo government assessments as well.
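To make the scoring concrete, here is an added example (not Ardalyst or Microsoft code) that computes an SPRS-style score the way the DoD Assessment Methodology does and orders the remaining gaps by the points they would recover. The sample assessment is constructed, and the weight table covers only the handful of requirements used here and is illustrative; the published methodology is the authoritative source for all 110 weights and for the two partial-credit cases it defines.

```python
"""Scoring a NIST SP 800-171 self-assessment per the DoD Assessment Methodology.

Added example, not Ardalyst or Microsoft code. The methodology starts every
assessment at 110 points and subtracts a weight of 5, 3 or 1 for each
requirement that is not implemented, with a reduced deduction for the two
requirements that allow partial credit (3.5.3 multifactor authentication and
3.13.11 FIPS-validated cryptography). The weight table below is a constructed,
illustrative subset; consult the published methodology for all 110 weights.
"""
from enum import Enum

MAX_SCORE = 110  # one point per requirement when everything is implemented


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"
    # Partial credit exists only for 3.5.3 (MFA in place for remote and
    # privileged users but not all users) and 3.13.11 (encryption in use but
    # not FIPS-validated).
    PARTIAL = "partial"


# Assumed/illustrative weights for the sample requirements used in this example.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # create and retain audit logs
    "3.3.2": 3,    # trace actions to individual users
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}
# Deduction applied instead of the full weight when partial credit applies.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction(requirement: str, status: Status) -> int:
    """Points subtracted from 110 for one requirement in the given status."""
    if requirement not in WEIGHTS:
        raise KeyError(f"no weight known for requirement {requirement}")
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if requirement not in PARTIAL_DEDUCTION:
            raise ValueError(f"{requirement} has no partial-credit option")
        return PARTIAL_DEDUCTION[requirement]
    return WEIGHTS[requirement]


def score(assessment: dict[str, Status]) -> int:
    """Methodology score. Requirements absent from the dict count as implemented,
    so a real assessment must list every requirement. The result can be
    negative: the methodology's floor is -203 when nothing is implemented."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in assessment.items())


def gap_plan(assessment: dict[str, Status]) -> list[tuple[str, int]]:
    """Requirements still costing points, largest deduction first: the order in
    which remediation recovers the most points toward 110."""
    gaps = [(r, deduction(r, s)) for r, s in assessment.items()]
    gaps = [(r, d) for r, d in gaps if d > 0]
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


# Constructed sample self-assessment (not a real contractor's data).
SAMPLE = {
    "3.1.1": Status.IMPLEMENTED,
    "3.1.2": Status.IMPLEMENTED,
    "3.1.3": Status.NOT_IMPLEMENTED,
    "3.1.5": Status.IMPLEMENTED,
    "3.3.1": Status.NOT_IMPLEMENTED,
    "3.3.2": Status.IMPLEMENTED,
    "3.5.3": Status.PARTIAL,
    "3.13.11": Status.NOT_IMPLEMENTED,
}

if __name__ == "__main__":
    print("SPRS score:", score(SAMPLE))  # 110 - 1 - 5 - 3 - 5 = 96
    for req, points in gap_plan(SAMPLE):
        print(f"  {req}: +{points} when remediated")
```

The point of `gap_plan` is that not all 110 requirements are worth the same: closing one 5-point gap such as audit logging (3.3.1) moves the SPRS score as much as five 1-point gaps, which is what a remediation roadmap should be built around.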

Ardalyst provides a cyber program that will meet these requirements at a fraction of what it would cost to do it yourself. Schedule an appointment today to see your current score and build your plan to get to 110.

Need Assistance?

Speak with an Engineer

Not sure where to start? We're here to help walk you through the process, understand your environment, and provide the guidance you need to achieve cybersecurity maturity. Get in touch today.
