The cyberattack surface of the Department of Defense (DoD) is larger than the military’s systems and networks. Our adversaries know that there is as much critical defense data in the defense industrial base (DIB) as in the Pentagon. Threat actors constantly target the over 100,000 defense contractors and subcontractors to find weak points and gain access to sensitive data. Any breach across this massive, heterogeneous environment could put our nation’s security at risk.
To combat the risk of cyberattacks within the DIB, the DoD released the new Cybersecurity Maturity Model Certification (CMMC) requirements on October 15, 2024. The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with the DoD’s contractors and subcontractors through acquisition programs. All defense contractors must comply with the requirements to bid on defense contracts, ensuring that their organization meets a set of standardized security controls. The DoD is planning to implement the new CMMC standard over three years, and you can expect to see CMMC requirements in new contracts by mid-2025.
Oracle has developed a new set of tools and documentation that make it easier for every company serving the DoD to meet CMMC requirements.
CMMC levels: What do they mean?
CMMC unifies multiple security standards, tiered into Level 1, Level 2, and Level 3, based on the sensitivity of information handled, as shown in the following graphic:

If your organization handles CUI, you’ll likely be required to achieve Level 2 certification. CMMC Level 2 is built on NIST SP 800-171 controls, which aim to mitigate the risk of data breaches and cyber threats in the defense supply chain. It implements security controls focused on code, people, and processes.
Each CMMC level requires an assessment to verify compliance, as follows:
- Level 1: Self-assessment is permitted
- Level 2: Requires an approved CMMC third-party assessment organization (C3PAO)
- Level 3: Requires a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment
How can Oracle Cloud Infrastructure help?
At first glance, the CMMC certification process can seem remarkably complex and intimidating. It can leave you wondering what exactly is required of your company.
Simply stated, CMMC Level 2 requires that you document and validate with a third-party assessment organization that you are doing the “right thing” to ensure that sensitive government information is protected; CMMC controls are often based on decades-old, common-sense IT best practices. To reduce the cost and complexity of meeting CMMC requirements, Oracle Cloud Infrastructure (OCI) has developed a suite of tools to help defense contractors. These tools are designed to assist customers and their partners with the CMMC controls they own or share with OCI. These tools take advantage of Oracle’s third-party-audited FedRAMP High cloud regions to meet many of the CMMC controls.
Here are tools that can simplify the path to CMMC certification:
- The OCI Core Landing Zone: Perform one-click, best-practice deployments of a preconfigured set of cloud native services to meet many CMMC requirements in a matter of hours.
- Informational guide for CMMC Level 1 and Level 2 compliance: Clearly defines the CMMC controls and describes how organizations can leverage the OCI Core Landing Zone to achieve compliance with many CMMC controls.
- Controls checklist for Level 1 and Level 2 compliance: An editable spreadsheet that allows organizations to keep track of control obligations to ensure that all CMMC controls are addressed.
What is the best cloud environment for achieving CMMC?
Oracle US Government Cloud is the ideal platform to host a service or organization seeking CMMC compliance. This FedRAMP High Joint Authorization Board (JAB)-authorized Oracle cloud offers services that meet NIST SP 800-171 control requirements, making it easier for businesses within the DIB to comply with the controls and achieve CMMC certification. Oracle also has a dedicated team and established resources ready to support your migration and help you achieve your goals for accreditation. For more information, reach out to your Oracle sales representative.
Oracle Cloud Infrastructure offers a wide variety of cloud native security services, providing a decisive benefit to those companies leveraging our FedRAMP High cloud regions for CMMC compliance. Unlike some competitors, we do not charge an elevated price for companies using our US Government Cloud, and some of the most critical security services and features are available at no additional cost to OCI customers.

Conclusion
Oracle has provided the US government with secure data and system solutions for more than 40 years, and Oracle Cloud Infrastructure includes data, network, and system security in every cloud tenancy by default. For more information, read about our Cloud Security Services and see the following resources:
- Oracle Cloud Infrastructure Core Landing Zone
- CMMC Level 2 guide
- CMMC Level 2 checklist
- Oracle Cloud for Government
- Oracle Government Cloud for Contractors
- CMMC website
- Evolving compliance: Cybersecurity Maturity Model Certification 2.0 and the Oracle Government Cloud
- Oracle Government Cloud offers a faster path to CMMC 2.0 Level 1
