With the rapid adoption of cloud services by governments in the US, procurement and security standards of these services are evolving to meet changing threats. As a result, customers are faced with implementing evolving security standards and controls.
This blog post helps clarify ambiguity around the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standard and how the standard and related controls apply to a use case and deployment. This post is one in a series that explain the applicability of various security standards to commercial entities doing business with the US government. It can help customers looking to migrate or build a new solution in Oracle Cloud Infrastructure (OCI) and platform as a service (PaaS) in US Government regions.
CMMC 2.0 aims to reduce the risks presented by cybercrime, including economic and national security. It implements security controls focused on code, people, and processes. CMMC 2.0 is a new accreditation and a still-0developing standard that applies to end-user service providers offering goods or services to the US Department of Defense (DoD). CMMC 2.0 is based largely on NIST SP 800-171 and NIST SP 800-172. It unifies the multiple security standards that exist today and offers three certification levels: 1. Foundational, 2. Advanced, and 3. Expert.
As an Oracle customer and part of the defense industrial base (DIB) providing either goods or services to the DoD, your organization is likely required to comply with the DoD’s cybersecurity standards. The original CMMC interim rule went into effect on November 30, 2020, and CMMC 2.0 was released in November of 2021. Certification efforts by CMMC third-party assessment organizations (C3PAOs) are being evaluated now.
C3PAOs are independent organizations paid to assess a provider’s security posture. Demonstrating compliance takes time and effort, so new DoD contracts are unlikely to require CMMC until sometime in 2024, but not until the rulemaking process is complete. To achieve CMMC 2.0 certification, a C3PAO must be engaged for most level 2 assessments. All level 3 achievements undergo government-led triennial assessments. Level 3, the Expert and highest level, has the government officials conducting the assessment, and the requirements are still under development. The cost of certification is the responsibility of the organization seeking certification. Customers can achieve Level 1 and some select level 2 through an annual self-assessment.
CMMC 2.0 is not an accreditation that an infrastructure-as-a-service (IaaS) or PaaS cloud service provider (CSP) can achieve, because the CSP is not responsible for all the controls that CMMC 2.0 evaluate. However, a CSP can assist an end user in achieving CMMC 2.0 accreditation by offering cloud services with certain demonstrated and proven controls. For example, a cloud provider can achieve FedRAMP high accreditation, which certifies controls that CMMC requires. The end-user service provider can use these proven controls, reducing the effort to accredit their overall solution.
Oracle Government Cloud has achieved FedRAMP high accreditation, along with all the Oracle Cloud Infrastructure and PaaS services generally available in those regions. Oracle Cloud for Government provides an excellent platform to host a service or organization seeking CMMC 2.0 compliance. Oracle has a dedicated team and established resources ready to support your migration and help you to achieve accreditation your goals.
For more information, see the following resources:
I have spent the last 25 years innovating in the IT industry, with a focus on Public Sector customers and cloud deployments.