Oracle Government Cloud offers a faster path to CMMC 2.0 Level 1

Oracle US Government Cloud maintains FedRAMP High authorization, which validates many of the controls that Cybersecurity Maturity Model Certification (CMMC) requires. You can use assessed and authorized OCI controls to demonstrate your own security posture, reducing the effort to accredit your overall solution. Oracle Cloud Infrastructure (OCI) is pleased to announce a new suite of tools to help you meet CMMC 2.0 Level 1 self-assessment requirements.

What is CMMC 2.0?

CMMC 2.0 is a new accreditation standard that applies to commercial entities offering goods or services to the US Department of Defense (DoD). The current CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with DoD contractors and subcontractors. It unifies multiple security standards and is tiered based on the sensitivity of information handled with the following levels:

• Foundational

• Advanced

• Expert

Oracle’s CMMC 2.0 guidance is based on DoD Information (found at https://dodcio.defense.gov/CMMC/) and is current as of DEC 2021.  Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the U.S. Department of Defense will suspend the CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in DoD solicitations. The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.

CMMC 2.0 Level 1 is achieved through a self-assessment, while level 2 and 3 require an approved third-party assessment organization (3PAO) review. Level 1 applies to companies that are only required to protect the information systems on which FCI is processed, stored, or transmitted and a subset of companies that are required to protect CUI.

Who does CMMC apply to?

If you’re a part of the US Defense Industrial Base (DIB) providing goods or services to the DoD, your organization might be required to comply with CMMC. Historically, meeting the DoD requirements has been challenging for DIBs due to a lack of a unified DoD policy, multiple agency standards, and confusion over applicability. CMMC is designed to overcome these challenges to make it easier for DIBs to conduct business with the DoD. CMMC 2.0 was released in November 2021 and the final CMMC 2.0 rulemaking process began in 2023. The next step is awaiting a published notice of proposed rulemaking in the Federal Register.

When CMMC 2.0 is fully implemented, DIBs have time to complete their own assessment. We expect that the final rule requires CMMC 2.0 compliance by Fall 2024. For a more complete review and history of CMMC 2.0, refer to this blog post.

If your DIB organization handles FCI data that isn’t CUI, you might be required to achieve Level 1 certification, which has the following primary objectives:

• The first objective is built on the groundwork of the NIST SP 800-171 controls to reduce the risks presented by cybercrime, including economic and national security. It is directly aligned to FedRAMP and implements security controls focused on code, people, and processes.

• The second objective is to ease the burden on DIBs by simplifying the adoption of these complex standards by demonstrating compliance with CMMC 2.0.

Oracle tools that can help

To reduce the cost of meeting CMMC 2.0 requirements, OCI has developed a suite of tools to help DIBs. These tools are designed to assist customers with the controls they own or share with OCI. They build on top of the third-party assessment organizations (3PAO) audited controls owned by OCI for our infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings, which have FedRAMP High JAB authorization.

The following tools can simplify the path to CMMC Level 1:

• OCI offers layered security tools that supersede many government requirements and meet FedRAMP guidelines. These Tools provide enhanced authorization solutions to assist DIBs in the achievement of their own CMMC certification.

• OCI has released a Coud Native Secure Cloud Computing Architecture (SCCA) landing zone that preconfigures a tenancy to meet the DoD requirement for SCCA. While this SCCA tool was built for the US DoD, it’s now available to all OCI customers. SCCA uses OCI native services, alleviating the need to procure or install third-party applications to begin the government certification process. The cloud native SCCA landing zone can help you meet many of the CMMC 2.0 requirements as outlined in the Secure Cloud Computing Architecture (SCCA) to NIST 800 Controls Mapping Guide.

• The CMMC Level 1 Guide starts with the OCI FedRAMP authorization and layers on top of that the SCCA to create a step-by-step guide that you can use to identify which controls OCI has achieved and how to build on the controls OCI shares with you in your tenancy. The guide describes each control, explains what it is, and then offers methods for you to comply with each control as it applies to your unique tenancy and the services built inside it. This tool also recommends other Oracle technologies that may help meet each requirement.

• You can use the CMMC checklist to document your approach to CMMC Level 1. The checklist of 17 CMMC controls identifies which OCI has achieved. For any shared controls, we have a set of questions to help you determine how you meet each control. After the solutions have been identified and implemented, you can use the document as evidence to complete your CMMC Level 1 self-assessment.

What’s next?

CMMC 2.0 isn’t an accreditation that a PaaS or IaaS cloud service provider (CSP) can achieve alone because the CSP isn’t responsible for all the controls that CMMC 2.0 evaluates. However, Oracle can assist you in achieving CMMC 2.0 accreditation by offering cloud services with certain demonstrated and proven controls.

Oracle Cloud for Government is an excellent platform to host a service or organization seeking CMMC 2.0 compliance. Oracle has a dedicated team and established resources ready to support your migration and help you achieve your accreditation goals.

To learn more, see the following resources:

• Oracle Cloud Native SCCA Landing Zone

• CMMC 2.0 Level 1 Guide

• CMMC Level 1 Checklist

• Oracle Cloud for Government

• Oracle Government Cloud for Contractors

• CMMC website