As the IT world continues to migrate to the cloud, many customers are faced with implementing security standards and controls. This blog helps clear up ambiguity around what the Cybersecurity Maturity Model Certification (CMMC) standard is and how the standard and its related controls apply to a given use case and deployment. This post is one in a series that explains the applicability of various security standards to commercial entities doing business with the US government. It can help customers looking to migrate to, or build a new solution on, Oracle Cloud Infrastructure (OCI) and its platform-as-a-service (PaaS) offerings in the US Government regions.
Why?
CMMC aims to reduce the economic and national-security risks presented by cybercrime through the implementation of security controls that cover technology, people, and processes. CMMC is a relatively new certification standard and applies to contractors and service providers offering solutions to the US Department of Defense (DoD). It builds on the existing DFARS 252.204-7012 clause and draws its controls from NIST SP 800-171 and NIST SP 800-53. It unifies the multiple security standards that exist today into one model with five levels, ranging from Level 1 (Basic Cyber Hygiene practices, with processes Performed) up to Level 5 (Advanced/Progressive practices, with processes Optimizing).
How?
As an Oracle customer providing services to the DoD as part of the Defense Industrial Base (DIB), you might be required to certify your organization or service. The CMMC interim rule went into effect on November 30, 2020, and certification efforts by CMMC third-party assessment organizations (C3PAOs) are getting underway. C3PAOs are independent organizations paid to assess a provider's security posture. Demonstrating compliance takes time and effort, so new DoD contracts are unlikely to require CMMC across the board until sometime after 2026. A commercial entity serving the government is considered part of the Defense Industrial Base when it creates or possesses controlled unclassified information (CUI). To achieve CMMC certification, a C3PAO must be engaged, and the cost of the assessment is the responsibility of the organization seeking certification.
Who?
CMMC is not a certification that a cloud service provider (CSP) can achieve on its own, and the CSP doesn't own all the controls that CMMC expects. A CSP can, however, help an end-user organization achieve CMMC certification by offering cloud services with demonstrated and independently assessed controls. For example, a cloud provider can obtain a FedRAMP authorization which, depending on the impact level (FedRAMP Low, Moderate, or High), attests to many of the controls that CMMC requires. The end-user service provider can inherit those controls, reducing the effort needed to certify its overall solution. Inherited controls still have to be documented in your own system security plan, and customer-configured controls (identity and access management, encryption key handling, logging and monitoring, and similar) remain your responsibility regardless of the CSP's authorization. The OCI US Government cloud regions hold a FedRAMP High authorization, as do all the Oracle Cloud Infrastructure and PaaS services generally available in those regions. The Oracle Cloud US Government regions therefore provide a strong platform on which to host a service or organization seeking CMMC compliance. Oracle has a dedicated team and established resources ready to support your migration and help you achieve your certification goals.
Note: The CMMC standard is still evolving. While the guidance above remains correct, be aware that CMMC 2.0 is being defined now and is driving toward simplification (for example, three levels instead of five and a greater ability to self-assess). Its basis will still be the NIST SP 800-171 and DFARS controls, so the US Government regions continue to be the place for these workloads.
Want to know more?
For more information, see the following resources:
