CyberSheath is pleased to introduce our distinguished CMMC Con 2020 guest and powerful industry and national resource Richard Wakeman. Richard Wakeman is the Senior Director of Aerospace & Defense for Azure Global Engineering and is the commercial industry lead for Azure Government, Microsoft’s cloud solution specifically engineered to meet US government compliance and security requirements. He specializes in the Defense Industrial Base adopting cloud services from Microsoft and is the Program Manager for the Microsoft Cybersecurity Maturity Model Certification (CMMC) Acceleration Program. Richard engages with Microsoft partners and customers end-to-end from engineering to drive adoption of Azure Government, Microsoft 365 GCC High and Dynamics 365 GCC High as solutions within the Microsoft US Sovereign Cloud.
Richard joined Microsoft in 2007 as a developer, identity and messaging expert at the dawn of Microsoft Online Services. Shortly after joining, he was engaged by the Exchange Product Group to lead cloud deployments worldwide for Live@edu as part of the Exchange Labs program, the predecessor of Office 365. He led the charge for the integration of MCS and Premier services with cloud offerings, becoming a Senior Architect for the Microsoft Enterprise Services Business Productivity Global Domain Solution Architecture Office. During his decade of tenure in professional services, Richard had an impact on deploying over 100 million seats into the Microsoft cloud. He deployed the first Microsoft cloud customers, from the first million-seat organization in the public multi-tenant cloud to the first Government Community Cloud customer.
One of Richard’s main roles is to give an overview of what Microsoft is doing with CMMC concepts.
Microsoft and CMMC
Microsoft has a long and deep history of supporting government customers and their unique mission requirements; in fact, about a year ago, Richard Wakeman wrote this blog specific to the Microsoft Cloud Service Offerings. Suffice it to say Microsoft uniquely understands the U.S. Government’s mission in a way that only decades of experience working alongside one another will allow. Microsoft understands the required people, processes, and technologies to support the DOD mission from both a compliance and operational perspective so well that it can often be difficult for anyone to lay it all out in one succinct communication. Microsoft has done more for the United States Government than any other cloud provider. Its decades of successful partnership with DOD have enabled it to provide resources that will enable your journey to CMMC compliance.
Here are three resources to get you started on your journey to CMMC compliance:
1. Shared Responsibility Model
CMMC compliance for many, if not most, companies will undoubtedly rely on the cloud at some point in the journey. Whether in the cloud or, frankly, on-premises, understanding the shared responsibility model is foundational to meeting and maintaining compliance. For an excellent blog on shared responsibility in the cloud, start here, and as you read, think about which CMMC security tasks are handled by your cloud provider and which tasks are handled by you. For the many companies that rely on Managed Service Providers, Managed Security Service Providers, or otherwise defined Third-Party Providers: how are you extending the shared responsibility to those entities?
Almost no MSSPs understand CMMC in the context of the shared responsibility model. To my knowledge, CyberSheath is the only one that has built our entire CMMC management platform around Microsoft Azure technology, which is detailed here along with a detailed breakdown of how CMMC has been 13 years in the making.
CMMC compliance isn’t a “go it alone” model and requires an understanding of the shared responsibility model, regardless of your CMMC compliance level. Rare is the company that does everything in-house without exception.
2. Azure Blueprints
Azure blueprints enable customers to easily create, deploy, and update compliant environments and leverage the enormous Microsoft investment in data security and privacy. Microsoft invests more than USD 1 billion annually in cybersecurity research and development and employs more than 3,500 security experts entirely dedicated to your data security and privacy, and Azure has more certifications than any other cloud provider. View the comprehensive list.
Blueprints simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, role-based access controls, and policies, in a single blueprint definition. Customers can easily apply the blueprint to new subscriptions and environments and fine-tune control and management through versioning. Specific to CMMC, blueprints present a tremendous advantage for customers who want to quickly address the majority of the CMMC Maturity Level 3 requirements.
The NIST SP 800-171 R2 blueprint sample provides governance guard-rails using Azure Policy that help you assess specific NIST SP 800-171 R2 requirements or controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements or controls. As many readers know, approximately 85% of the CMMC Maturity Level 3 requirements are essentially the NIST 800-171 security requirements, so this blueprint can be a force for progress in your CMMC compliance efforts.
3. Office 365 GCC High and DOD
As many defense contractors already know, CMMC was, in part, created to address the security of CUI, and Microsoft has long been a partner with DOD working to protect this information.
To meet the unique and evolving requirements of DOD and contractors holding or processing DOD controlled CUI or subject to International Traffic in Arms Regulations (ITAR), Microsoft offers GCC High and DOD environments. Microsoft GCC High and DOD meet the compliance requirements for the following certifications and accreditations:
- The Federal Risk and Authorization Management Program at FedRAMP High, including those security controls and control enhancements as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
- The security controls and control enhancements for the United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 5 (L5).
DOD Office 365 subscribers will receive services provided from the DOD exclusive environment that meets DOD SRG L5. Non-DOD subscribers will receive services from the U.S. Government Defense environment, which is assessed at L5, but uses L4 segmentation.
There is much debate, and often confusion, about whether CMMC requires GCC High. It is one of many issues that highlight the need for a Managed Compliance Partner, but the point is that Microsoft has long been the partner of choice for the DOD in addressing this challenge.
For additional information join us at CMMC Con 2020
For additional information on Microsoft’s CMMC acceleration, join Microsoft’s Richard Wakeman, Senior Director of Aerospace & Defense for Azure Global, on November 18th at CMMC Con 2020. Mr. Wakeman will host a Technology Spotlight session dedicated to discovering how Microsoft solutions are assisting the DIB in government compliance. Register Now.