Department of Defense contractors and those in higher education research facilities are moving to external services providers to satisfy current federal mandates such as CMMC 2.0, NIST 800-171, and DFARS 7012. These suppliers are faced with critical decisions when it comes to outsourcing compliance because of industrial complexities and the potential lack of operational resources.
The most current mandate, CMMC 2.0, requires contractors and those handling sensitive data (CUI/CDI/CTI/ITAR) on behalf of the DoD to define obligations and responsibilities when using external service providers.
Many of the questions and answers in this blog are derived from a recent Summit 7 webinar: Achieving CMMC 2.0 Compliance With The Shared Responsibility Model. The inquiries came from a group of over 600 suppliers in the Defense Industrial Base (DIB). Portions of the webinar were recorded and released on the Summit 7 YouTube channel and are also linked and embedded throughout this article. You can view the entire webinar here. Make sure you subscribe to the Summit 7 YouTube channel to stay informed on all things related to the DIB and CMMC 2.0.
You can download a version of the Summit 7 Shared Responsibility Matrix here.
Click on any of the topics below to jump to a topical section in this blog. You will find questions related to that topic followed by the answer given by the Summit 7 leadership team:
The Shared Responsibility Model (SRM) is the natural capturing, identifying, and dividing of responsibilities between customers and providers.
It specifically identifies the person or team responsible for any given security control; most importantly, the responsibility needs to be agreed upon and reflected in contracts or service level agreements.
Is a Shared Responsibility Model required for DIB contractors?
The video below gives a brief explainer on data governance and the Summit 7 Shared Responsibility Model.
Who needs to be using a Shared Responsibility Model (or Matrix)?
If you are a company that needs to implement NIST 800-171 controls in order to comply with federal regulations, and you use any outsourced services (i.e. cloud, I.T., security), then you already are using a concept of the Shared Responsibility Model - a fundamental concept of cloud security.
It is the idea that the level of service you are consuming from an external provider influences the amount of control that either you or the provider have over those services.
Your level of responsibility is impacted depending on how many services you are acquiring from an external provider.
A Shared Responsibilities Matrix will be utilized by Summit 7 and our customers based on the customer's particular level of engagement with our team. You can learn more about Summit 7's SRM by contacting our Managed Services team here.
Yes, this model would extend to anyone or any platform within the security boundary for handling Controlled Unclassified Information (CUI).
The Summit 7 Shared Responsibility Matrix details this specific question. You can download the Summit 7 Shared Responsibility Matrix here.
Some providers have SRMs out there, or they are currently working on one. If you are working with a Managed Service Provider (MSP), you should be asking to see their SRM according to NIST 800-171.
If you are running an entirely on-premises IT system, then you do everything. You're responsible for physical security and all the way up to software and applications.
If you were just consuming software applications as a service (SaaS), everything except for what is inside of that application is the responsibility of the provider.
Video: Are there examples of a CMMC SRM?
There is no requirement to have written procedures for every determination statement in NIST SP 800-171. However, if you have the time and resources, then a useful technique is to treat each of the 320 determination statements as a question.
For example, converting 3.1.1[a] into a question would ask: "How are authorized users identified?" The documented answers to determination statements would roughly represent your procedures for a given control. Logically, the roles and responsibilities assigned to these tasks should be found via your approach to policies in general.
The responsible person is the one actually doing the task. The accountable person is the one that is ultimately accountable for ensuring that the task is completed.
It's based specifically on each control. There are three different determinants for verbal, so it varies by control.
There are some controls that can verbally be satisfied, but you need to see which ones those are and what the other statements are in that control.
Requirements have been in place with DFARS 7012 since 2017, and you have contractual requirements to meet these requirements today.
CMMC is adding the third-party assessment piece to these requirements. You already have the requirements and the data, and you should already be fulfilling these requirements.
There won't be enough C3PAOs and other similar resources once the final ruling is done to get everyone assessed and ready to do business with the government.
CMMC is an assessment methodology for NIST 800-171.
DFARS 7012 requires the basic self-assessment.
DFARS 7019/7020 ushered in government assessments of NIST 800-171 and DFARS 7021/CMMC will implement third party assessment requirements for NIST 800-171.
RA.L2-3.11.2 states: "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified."
There are 5 assessment objectives for this control.
The process is very dependent on the current state and size/complexity of the organization.
For a small-medium business, it typically takes 9-15 months to complete everything necessary.
This is highly variable depending on the current state of the small business.
If you take into consideration internal labor, consultant labor, hardware/software, etc., it is a minimum $100K+ task to go from zero to complete/operational.
You must evaluate all 320 Assessment Objectives. If a 5 point control has 5 Assessment Objectives, you must successfully implement all 5 assessment objectives to award yourself the 5 points for the control.
For an in-depth look at this, you will want to watch this video from thought-leader Jacob Horne at a recent Cloud Security and Compliance Series (CS2) session.
DoD has not released any statistics around SPRS scores.
You must follow NIST 800-171A and the DoD assessment methodology.
Since 2016 DFARS clause 252.204-7012 has said that if a contractor puts CUI in the cloud then the contractor needs to require and ensure that the cloud service provider meets security requirements "equivalent" to the FedRAMP Moderate baseline.
On 12/21/23, the DoD released a memo clarifying the stringent requirements of FedRAMP moderate “equivalency”– and it’s effective immediately. DoD Contractors are now on the hook for their Cloud Service Provider’s (CSP) FedRAMP compliance. According to the memo: the DoD requires a lot of contractors with defense data being stored, processed, or transmitted with a FedRAMP Equivalent CSP.
A FedRAMP Moderate Authorized CSP will require considerably less effort by the contractor. You can check if your CSP is Authorized on the FedRAMP marketplace. If you do have an FedRAMP moderate "equivalent” CSP, you might consider switching to a FedRAMP-Tailored Solution. We recommend either Microsoft GCC or GCC High.
FedRAMPed services are available to companies and organizations from around the world. An organization does not have to be in the United States to leverage FedRAMPed services.
NIST has not announced a specific release window for NIST SP 800-171 Rev 3 other than sometime in 2022.
NIST 800-171 is the control baseline for protecting CUI in non-federal information systems.
There is no bar below 800-171 that would meet the requirement. NIST 800-53 (the government standard for federal information systems) has many more controls and requirements than NIST 800-171 and does provide for some tailoring of controls.
No, you would only need to meet the 17 Level 1 controls and the associated Assessment Objectives.
There are many, but most revolve around defining corporate policy.
Summit 7 focuses primarily on the Microsoft stack only, and one reason is because of the SaaS solution. AWS really compares well to Microsoft Azure, but Amazon does not really have a comparable platform to the M365 platform (SaaS-based email, file-sharing, etc.).
Microsoft's total solution of M365 plus Azure Government gives you a really nice, single platform solution to be able to meet all of these requirements.
Video: Does Summit 7 work with AWS for cloud-based compliance?
There is no problem with backing up to company-owned servers in a company-owned facility with all of the necessary NIST 800-171 controls in place.
There is no problem with a Canadian MSP servicing the customer as long as the MSP is meeting all of the necessary CMMC requirements and the customer is not handling any export-controlled/ITAR or NOFORN data.
If they are handling the aforementioned data, then the MSP employees would need to either be US citizens or they would need to have specific export control licenses for the data allowing them access.
Microsoft is a Cloud Solution Provider and their environments are FedRAMPed. They are not a Managed Service Provider.
Yes, we do recommend GCC High and Azure Government for all CUI. It is a requirement for all ITAR/Export Controlled content, but a recommendation for Basic CUI.
It does not take into consideration any on-premises infrastructure or any other cloud services you may have outside of the Microsoft Azure Government stack.
We only service NIST/CMMC clients, so there is no upcharge for Summit 7 MSP services.
Video: Managed Services for CMMC 2.0 Compliance
You can contact our team about Managed Services through Summit 7 via the button below.